HierarchyMap

TenantSummary

Scope Scope Id Policy DisplayName PolicyId Category Effect Role definitions Unique assignments Used in PolicySets CreatedOn CreatedBy UpdatedOn UpdatedBy
Mg ESJH Application Gateway should be deployed with WAF enabled /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-appgw-without-waf Network Default: Deny; Allowed: Audit,Deny,Disabled n/a 0 0 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Sub f28ba982-5ed0-4033-9bdf-e45e4b5df466 Create NSG Rule /subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/providers/microsoft.authorization/policydefinitions/4e7e976d-d94c-47a3-a534-392c641cecd8 CUST_NSG Fixed: append n/a 0 0 2021-05-18 18:01:38 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a 2021-05-18 18:22:00 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH Deny the creation of private DNS /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-private-dns-zones Network Default: Deny; Allowed: Audit,Deny,Disabled n/a 0 0 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deny the creation of public IP /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-publicip Network Default: Deny; Allowed: Audit,Deny,Disabled n/a 0 0 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deny vNet peering /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-erpeering Network Default: Deny; Allowed: Audit,Deny,Disabled n/a 0 0 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy a default budget on subscriptions /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-budget Budget Fixed: DeployIfNotExists Contributor 0 0 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy an Azure DDoS Protection Standard plan /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-ddosprotection Network Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Network Contributor 0 0 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Azure Defender settings in Azure Security Center. /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-asc-standard Security Center Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Security Admin 1 (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-security) 0 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Azure Firewall Manager policy in the subscription /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-firewallpolicy Network Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Network Contributor 0 0 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for Activity Log to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-activitylog Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 1 (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-azactivity-log) 0 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-analysisservice Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:37 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for API Management to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-apimgmt Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-webserverfarm Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for App Service to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-website Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-applicationgateway Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for Automation to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-aa Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-datalakestore Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-function Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for Batch to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-batch Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-cdnendpoints Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-cognitiveservices Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for Container Instances to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-aci Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for Container Registry to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-acr Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-cosmosdb Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for Data Factory to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-datafactory Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-dlanalytics Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-mysql Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-postgresql Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for Databricks to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-databricks Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-eventgridsub Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-eventgridsystemtopic Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-eventgridtopic Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-eventhub Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:37 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-expressroute Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for Firewall to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-firewall Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for Front Door to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-frontdoor Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for HDInsight to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-hdinsight Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-iothub Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for Key Vault to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-keyvault Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-aks Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:37 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-loadbalancer Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-logicappsise Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for Logic Apps Workflow runtime to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-logicappswf Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-mlworkspace Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for MariaDB to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-mariadb Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-nic Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-networksecuritygroups Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-powerbiembedded Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-publicip Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for Recovery Services vaults to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-recoveryvault Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-rediscache Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:37 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for Relay to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-relay Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for Search Services to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-searchservices Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-servicebus Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for SignalR to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-signalr Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-sqldbs Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-sqlelasticpools Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-sqlmi Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-streamanalytics Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-timeseriesinsights Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:37 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-trafficmanager Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-vmss Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-vm Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-virtualnetwork Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-vnetgw Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy DNS Zone Group for Key Vault Private Endpoint /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-dnszonegroup-for-keyvault-privateendpoint Network Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Private DNS Zone Contributor 0 0 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy DNS Zone Group for SQL Private Endpoint /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-dnszonegroup-for-sql-privateendpoint Network Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Private DNS Zone Contributor 0 0 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy DNS Zone Group for Storage-Blob Private Endpoint /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-dnszonegroup-for-table-privateendpoint Network Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Private DNS Zone Contributor 0 0 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy DNS Zone Group for Storage-File Private Endpoint /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-dnszonegroup-for-file-privateendpoint Network Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Private DNS Zone Contributor 0 0 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy DNS Zone Group for Storage-Queue Private Endpoint /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-dnszonegroup-for-queue-privateendpoint Network Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Private DNS Zone Contributor 0 0 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy DNS Zone Group for Storage-Blob Private Endpoint /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-dnszonegroup-for-blob-privateendpoint Network Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Private DNS Zone Contributor 0 0 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy spoke network with configuration to hub network based on ipam configuration object /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-vnet Network Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Network Contributor 0 0 2021-01-10 20:57:36 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy SQL database auditing settings /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-sql-auditingsettings SQL Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled SQL Security Manager 0 1 (Deploy SQL Database built-in SQL security configuration (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-sql-security) 2021-01-10 20:57:37 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy SQL Database security Alert Policies configuration with email admin accounts /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-sql-securityalertpolicies SQL Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled SQL Security Manager 0 1 (Deploy SQL Database built-in SQL security configuration (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-sql-security) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy SQL Database Transparent Data Encryption /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-sql-tde SQL Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled SQL Security Manager 0 1 (Deploy SQL Database built-in SQL security configuration (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-sql-security) 2021-01-10 20:57:37 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy SQL Database vulnerability Assessments /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-sql-vulnerabilityassessments SQL Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled SQL Security Manager, Monitoring Contributor 0 1 (Deploy SQL Database built-in SQL security configuration (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-sql-security) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy the configurations to the Log Analytics in the subscription /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-la-config Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 0 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy the Log Analytics in the subscription /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-log-analytics Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 1 (/providers/microsoft.management/managementgroups/esjh-management/providers/microsoft.authorization/policyassignments/deploy-log-analytics) 0 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy the Virtual WAN in the specific region /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-vwan Network Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Network Contributor 0 0 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Virtual Hub network with Virtual Wan and Gateway and Firewall configured. /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-vhub Network Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Network Contributor 0 0 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Virtual Network to be used as hub virtual network in desired region /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-hub Network Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Network Contributor 0 0 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy Windows Domain Join Extension with keyvault configuration /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-windows-domainjoin Guest Configuration Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Virtual Machine Contributor 0 0 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploys NSG flow logs and traffic analytics /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-nsg-flowlogs Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 0 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploys virtual network peering to hub /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-vnet-hubspoke Network Fixed: deployIfNotExists Contributor 0 0 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH KeyVault SoftDelete should be enabled /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/append-kv-softdelete Key Vault Fixed: append n/a 0 0 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH No child resources in Automation Account /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-aa-child-resources Automation Default: Deny; Allowed: Audit,Deny,Disabled n/a 0 0 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Public network access on AKS API should be disabled /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-publicendpoint-aks Kubernetes Default: Deny; Allowed: Audit,Deny,Disabled n/a 0 1 (Public network access should be disabled for PAAS services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deny-publicendpoints) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Public network access on Azure SQL Database should be disabled /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-publicendpoint-sql SQL Default: Deny; Allowed: Audit,Deny,Disabled n/a 0 1 (Public network access should be disabled for PAAS services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deny-publicendpoints) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Public network access onStorage accounts should be disabled /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-publicendpoint-storage Storage Default: Deny; Allowed: Audit,Deny,Disabled n/a 0 1 (Public network access should be disabled for PAAS services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deny-publicendpoints) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Public network access should be disabled for CosmosDB /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-publicendpoint-cosmosdb SQL Default: Deny; Allowed: Audit,Deny,Disabled n/a 0 1 (Public network access should be disabled for PAAS services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deny-publicendpoints) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149 2021-07-15 15:15:07 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH Public network access should be disabled for KeyVault /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-publicendpoint-keyvault Key Vault Default: Deny; Allowed: Audit,Deny,Disabled n/a 0 1 (Public network access should be disabled for PAAS services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deny-publicendpoints) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Public network access should be disabled for MariaDB /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-publicendpoint-mariadb SQL Default: Deny; Allowed: Audit,Deny,Disabled n/a 0 1 (Public network access should be disabled for PAAS services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deny-publicendpoints) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Public network access should be disabled for MySQL /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-publicendpoint-mysql SQL Default: Deny; Allowed: Audit,Deny,Disabled n/a 0 1 (Public network access should be disabled for PAAS services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deny-publicendpoints) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Public network access should be disabled for PostgreSql /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-publicendpoint-postgresql SQL Default: Deny; Allowed: Audit,Deny,Disabled n/a 0 1 (Public network access should be disabled for PAAS services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deny-publicendpoints) 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH RDP access from the Internet should be blocked /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-rdp-from-internet Network Default: Deny; Allowed: Audit,Deny,Disabled n/a 1 (/providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-rdp-from-internet) 0 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Subnets should have a Network Security Group /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-subnet-without-nsg Network Default: Deny; Allowed: Audit,Deny,Disabled n/a 1 (/providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-subnet-without-nsg) 0 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Policy DisplayName PolicyId
KeyVault SoftDelete should be enabled /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/append-kv-softdelete
No child resources in Automation Account /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-aa-child-resources
Application Gateway should be deployed with WAF enabled /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-appgw-without-waf
Deny vNet peering /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-erpeering
Deny the creation of private DNS /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-private-dns-zones
Deny the creation of public IP /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-publicip
Deploy a default budget on subscriptions /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-budget
Deploy an Azure DDoS Protection Standard plan /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-ddosprotection
Deploy DNS Zone Group for Storage-Blob Private Endpoint /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-dnszonegroup-for-blob-privateendpoint
Deploy DNS Zone Group for Storage-File Private Endpoint /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-dnszonegroup-for-file-privateendpoint
Deploy DNS Zone Group for Key Vault Private Endpoint /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-dnszonegroup-for-keyvault-privateendpoint
Deploy DNS Zone Group for Storage-Queue Private Endpoint /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-dnszonegroup-for-queue-privateendpoint
Deploy DNS Zone Group for SQL Private Endpoint /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-dnszonegroup-for-sql-privateendpoint
Deploy DNS Zone Group for Storage-Blob Private Endpoint /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-dnszonegroup-for-table-privateendpoint
Deploy Azure Firewall Manager policy in the subscription /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-firewallpolicy
Deploy Virtual Network to be used as hub virtual network in desired region /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-hub
Deploy the configurations to the Log Analytics in the subscription /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-la-config
Deploys NSG flow logs and traffic analytics /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-nsg-flowlogs
Deploy Virtual Hub network with Virtual Wan and Gateway and Firewall configured. /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-vhub
Deploy spoke network with configuration to hub network based on ipam configuration object /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-vnet
Deploys virtual network peering to hub /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-vnet-hubspoke
Deploy the Virtual WAN in the specific region /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-vwan
Deploy Windows Domain Join Extension with keyvault configuration /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-windows-domainjoin
Create NSG Rule /subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/providers/microsoft.authorization/policydefinitions/4e7e976d-d94c-47a3-a534-392c641cecd8
Scope ScopeId PolicySet DisplayName PolicySetId Category Unique assignments Policies used in PolicySet CreatedOn CreatedBy UpdatedOn UpdatedBy
Mg ESJH Deploy Diagnostic Settings to Azure Services /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics Monitoring 1 (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag) 55 (Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-analysisservice), Deploy Diagnostic Settings for API Management to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-apimgmt), Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-webserverfarm), Deploy Diagnostic Settings for App Service to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-website), Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-applicationgateway), Deploy Diagnostic Settings for Automation to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-aa), Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-datalakestore), Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace 
(/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-function), Deploy Diagnostic Settings for Batch to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-batch), Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-cdnendpoints), Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-cognitiveservices), Deploy Diagnostic Settings for Container Instances to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-aci), Deploy Diagnostic Settings for Container Registry to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-acr), Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-cosmosdb), Deploy Diagnostic Settings for Data Factory to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-datafactory), Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-dlanalytics), Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace 
(/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-mysql), Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-postgresql), Deploy Diagnostic Settings for Databricks to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-databricks), Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-eventgridsub), Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-eventgridsystemtopic), Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-eventgridtopic), Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-eventhub), Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-expressroute), Deploy Diagnostic Settings for Firewall to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-firewall), Deploy Diagnostic Settings for Front Door to Log Analytics workspace 
(/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-frontdoor), Deploy Diagnostic Settings for HDInsight to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-hdinsight), Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-iothub), Deploy Diagnostic Settings for Key Vault to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-keyvault), Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-aks), Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-loadbalancer), Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-logicappsise), Deploy Diagnostic Settings for Logic Apps Workflow runtime to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-logicappswf), Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-mlworkspace), Deploy Diagnostic Settings for MariaDB to Log Analytics workspace 
(/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-mariadb), Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-nic), Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-networksecuritygroups), Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-powerbiembedded), Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-publicip), Deploy Diagnostic Settings for Recovery Services vaults to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-recoveryvault), Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-rediscache), Deploy Diagnostic Settings for Relay to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-relay), Deploy Diagnostic Settings for Search Services to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-searchservices), Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace 
(/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-servicebus), Deploy Diagnostic Settings for SignalR to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-signalr), Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-sqldbs), Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-sqlelasticpools), Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-sqlmi), Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-streamanalytics), Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-timeseriesinsights), Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-trafficmanager), Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-vmss), Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace 
(/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-vm), Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-virtualnetwork), Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-vnetgw)) 2021-01-10 20:57:40 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Deploy SQL Database built-in SQL security configuration /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-sql-security SQL 0 4 (Deploy SQL database auditing settings (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-sql-auditingsettings), Deploy SQL Database security Alert Policies configuration with email admin accounts (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-sql-securityalertpolicies), Deploy SQL Database Transparent Data Encryption (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-sql-tde), Deploy SQL Database vulnerability Assessments (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-sql-vulnerabilityassessments)) 2021-01-10 20:57:40 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH Public network access should be disabled for PAAS services /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deny-publicendpoints Network 0 8 (Public network access on AKS API should be disabled (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-publicendpoint-aks), Public network access on Azure SQL Database should be disabled (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-publicendpoint-sql), Public network access onStorage accounts should be disabled (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-publicendpoint-storage), Public network access should be disabled for CosmosDB (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-publicendpoint-cosmosdb), Public network access should be disabled for KeyVault (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-publicendpoint-keyvault), Public network access should be disabled for MariaDB (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-publicendpoint-mariadb), Public network access should be disabled for MySQL (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-publicendpoint-mysql), Public network access should be disabled for PostgreSql (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-publicendpoint-postgresql)) 2021-01-10 20:57:40 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
PolicySet DisplayName PolicySetId
Public network access should be disabled for PAAS services /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deny-publicendpoints
Deploy SQL Database built-in SQL security configuration /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-sql-security

0 PolicySets / deprecated Built-in Policy

Policy Assignment DisplayName Policy AssignmentId Policy/PolicySet PolicySet DisplayName PolicySetId Policy DisplayName PolicyId Deprecated Property
testDeprecatedAssignment /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/microsoft.authorization/policyassignments/bcdd1466e4fc5114b6e5f13d Policy n/a n/a [Deprecated]: Function App should only be accessible over HTTPS /providers/microsoft.authorization/policydefinitions/5df82f4f-773a-4a2d-97a2-422a806f1a55 True
Mg/Sub Management Group Id Management Group Name SubscriptionId Subscription Name ResourceGroup ResourceName / ResourceType DisplayName Category ExpiresOn (UTC) Id Policy AssignmentId
MG ESJH-sandboxes ESJH-sandboxes ESJH-sandboxes - ASC-Monitoring Waiver expired 2021-02-04 23:00:00 /providers/Microsoft.Management/managementGroups/ESJH-sandboxes/providers/Microsoft.Authorization/policyExemptions/02752b36ec214097999f6b9b /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyAssignments/Deploy-ASC-Monitoring
Sub ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone landingZone - ASC-Monitoring Waiver expired 2021-02-03 23:00:00 /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/policyExemptions/95e48160397b4d21ac96d7ca /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyAssignments/Deploy-ASC-Monitoring
Scope Management Group Id Management Group Name SubscriptionId Subscription Name Inheritance ScopeExcluded Exemption applies Policy/Set DisplayName Policy/Set Description Policy/SetId Policy/Set Type Category Effect Parameters Enforcement NonCompliance Message Policies NonCmplnt Policies Compliant Resources NonCmplnt Resources Compliant Resources Conflicting Role/Assignment Assignment DisplayName Assignment Description AssignmentId AssignedBy CreatedOn CreatedBy UpdatedOn UpdatedBy
Mg ESJH ESJH thisScope Mg false false Azure Security Benchmark The Azure Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Azure Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Azure Security Center default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Azure Security Center. /providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 PolicySet BuiltIn Security Center n/a Default 22 16 12 0 0 none ASC-Monitoring ASC-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-monitoring n/a 2021-01-10 21:00:45 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH ESJH thisScope Mg false false Deploy Azure Defender settings in Azure Security Center. Deploys the Azure Defender settings in Azure Security Center for the specific services. /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-asc-standard Policy Custom Security Center DeployIfNotExists pricingTierAppServices=Standard, pricingTierArm=Standard, pricingTierContainerRegistry=Standard, pricingTierDns=Standard, pricingTierKeyVaults=Standard, pricingTierKubernetesService=Standard, pricingTierSqlServers=Standard, pricingTierStorageAccounts=Standard, pricingTierVms=Standard Default 0 1 0 2 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/538e5329-7b5d-511f-8c05-9c7c32dab0bf) Deploy-ASC-Defender Deploy-ASC-Defender /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-security n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH ESJH thisScope Mg false false Deploy Diagnostic Settings for Activity Log to Log Analytics workspace Deploys the diagnostic settings for Activity Log to stream to a Log Analytics workspace when any Activity Log which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with category enabled. /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-activitylog Policy Custom Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466, logsEnabled=True Default 0 1 0 2 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/e5ac6b58-4f31-5956-9082-78d97ba2453e) Deploy-AzActivity-Log Deploy-AzActivity-Log /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-azactivity-log n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH ESJH thisScope Mg false false Configure Log Analytics agent on Azure Arc enabled Linux servers Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics agent virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. /providers/microsoft.authorization/policydefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf Policy BuiltIn Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/ddc0ff3c-a3d0-5d5b-ba19-116b6572acbf) Deploy-Linux-Arc-Monitoring Deploy-Linux-Arc-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-lx-arc-monitoring n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH ESJH thisScope Mg false false Deploy Diagnostic Settings to Azure Services This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics PolicySet Custom Monitoring n/a logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 4 0 7 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/45afca7b-a696-5947-a47f-960081dd1dbc) Deploy-Resource-Diag Deploy-Resource-Diag /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH ESJH thisScope Mg false false Enable Azure Monitor for VMs Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes Log Analytics workspace as parameter. /providers/microsoft.authorization/policysetdefinitions/55f3eceb-5573-4f18-9695-226972c6d74a PolicySet BuiltIn Monitoring n/a logAnalytics_1=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/5d92332d-fe07-5cef-9c6b-33e5025d6374) Deploy-VM-Monitoring Deploy-VM-Monitoring v2 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vm-monitoring n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149 2021-07-09 16:04:52 ObjectType: SP App INT , ObjectDisplayName: AzOps, ObjectSignInName: n/a, ObjectId: c295384a-33d9-475e-abaf-d2fb0274299a
Mg ESJH ESJH thisScope Mg false false Enable Azure Monitor for Virtual Machine Scale Sets Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. /providers/microsoft.authorization/policysetdefinitions/75714362-cae7-409e-9b99-a8e5075b7fad PolicySet BuiltIn Monitoring n/a logAnalytics_1=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/2d361fa3-7bd4-5234-9b12-1f54afa65870) Deploy-VMSS-Monitoring Deploy-VMSS-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vmss-monitoring n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH ESJH thisScope Mg false false Configure Log Analytics agent on Azure Arc enabled Windows servers Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics agent virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. /providers/microsoft.authorization/policydefinitions/69af7d4a-7b18-4044-93a9-2651498ef203 Policy BuiltIn Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/38abf737-131b-52a2-90da-78943675bfed) Deploy-Windows-Arc-Monitoring Deploy-Windows-Arc-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-ws-arc-monitoring n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-decommissioned ESJH-decommissioned inherited ESJH false false Azure Security Benchmark The Azure Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Azure Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Azure Security Center default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Azure Security Center. /providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 PolicySet BuiltIn Security Center n/a Default 0 0 0 0 0 none ASC-Monitoring ASC-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-monitoring n/a 2021-01-10 21:00:45 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-decommissioned ESJH-decommissioned inherited ESJH false false Deploy Azure Defender settings in Azure Security Center. Deploys the Azure Defender settings in Azure Security Center for the specific services. /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-asc-standard Policy Custom Security Center DeployIfNotExists pricingTierAppServices=Standard, pricingTierArm=Standard, pricingTierContainerRegistry=Standard, pricingTierDns=Standard, pricingTierKeyVaults=Standard, pricingTierKubernetesService=Standard, pricingTierSqlServers=Standard, pricingTierStorageAccounts=Standard, pricingTierVms=Standard Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/538e5329-7b5d-511f-8c05-9c7c32dab0bf) Deploy-ASC-Defender Deploy-ASC-Defender /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-security n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-decommissioned ESJH-decommissioned inherited ESJH false false Deploy Diagnostic Settings for Activity Log to Log Analytics workspace Deploys the diagnostic settings for Activity Log to stream to a Log Analytics workspace when any Activity Log which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with category enabled. /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-activitylog Policy Custom Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466, logsEnabled=True Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/e5ac6b58-4f31-5956-9082-78d97ba2453e) Deploy-AzActivity-Log Deploy-AzActivity-Log /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-azactivity-log n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-decommissioned ESJH-decommissioned inherited ESJH false false Configure Log Analytics agent on Azure Arc enabled Linux servers Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics agent virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. /providers/microsoft.authorization/policydefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf Policy BuiltIn Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/ddc0ff3c-a3d0-5d5b-ba19-116b6572acbf) Deploy-Linux-Arc-Monitoring Deploy-Linux-Arc-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-lx-arc-monitoring n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-decommissioned ESJH-decommissioned inherited ESJH false false Deploy Diagnostic Settings to Azure Services This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics PolicySet Custom Monitoring n/a logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/45afca7b-a696-5947-a47f-960081dd1dbc) Deploy-Resource-Diag Deploy-Resource-Diag /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-decommissioned ESJH-decommissioned inherited ESJH false false Enable Azure Monitor for VMs Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes Log Analytics workspace as parameter. /providers/microsoft.authorization/policysetdefinitions/55f3eceb-5573-4f18-9695-226972c6d74a PolicySet BuiltIn Monitoring n/a logAnalytics_1=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/5d92332d-fe07-5cef-9c6b-33e5025d6374) Deploy-VM-Monitoring Deploy-VM-Monitoring v2 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vm-monitoring n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149 2021-07-09 16:04:52 ObjectType: SP App INT , ObjectDisplayName: AzOps, ObjectSignInName: n/a, ObjectId: c295384a-33d9-475e-abaf-d2fb0274299a
Mg ESJH-decommissioned ESJH-decommissioned inherited ESJH false false Enable Azure Monitor for Virtual Machine Scale Sets Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. /providers/microsoft.authorization/policysetdefinitions/75714362-cae7-409e-9b99-a8e5075b7fad PolicySet BuiltIn Monitoring n/a logAnalytics_1=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/2d361fa3-7bd4-5234-9b12-1f54afa65870) Deploy-VMSS-Monitoring Deploy-VMSS-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vmss-monitoring n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-decommissioned ESJH-decommissioned inherited ESJH false false Configure Log Analytics agent on Azure Arc enabled Windows servers Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics agent virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. /providers/microsoft.authorization/policydefinitions/69af7d4a-7b18-4044-93a9-2651498ef203 Policy BuiltIn Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/38abf737-131b-52a2-90da-78943675bfed) Deploy-Windows-Arc-Monitoring Deploy-Windows-Arc-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-ws-arc-monitoring n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-landingzones ESJH-landingzones thisScope Mg false false Network interfaces should disable IP forwarding This policy denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure's check of the source and destination for a network interface. This should be reviewed by the network security team. /providers/microsoft.authorization/policydefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900 Policy BuiltIn Network deny Default 0 0 0 0 0 none Deny-IP-Forwarding Deny-IP-Forwarding /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-ip-forwarding n/a 2021-01-10 20:58:32 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-landingzones ESJH-landingzones thisScope Mg false false Kubernetes clusters should not allow container privilege escalation Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. /providers/microsoft.authorization/policydefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 Policy BuiltIn Kubernetes deny effect=deny Default 0 0 0 0 0 none Deny-Privileged-Escalations-AKS Deny-Privileged-Escalations-AKS /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-priv-esc-aks n/a 2021-01-10 20:58:33 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-landingzones ESJH-landingzones thisScope Mg false false Kubernetes cluster should not allow privileged containers Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. /providers/microsoft.authorization/policydefinitions/95edb821-ddaf-4404-9732-666045e056b4 Policy BuiltIn Kubernetes deny effect=deny Default 0 0 0 0 0 none Deny-Privileged-Containers-AKS Deny-Privileged-Containers-AKS /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-privileged-aks n/a 2021-01-10 20:58:33 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-landingzones ESJH-landingzones thisScope Mg false false RDP access from the Internet should be blocked This policy denies any network security rule that allows RDP access from Internet /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-rdp-from-internet Policy Custom Network Deny Default 0 0 0 0 0 none Deny-RDP-from-Internet Deny-RDP-from-Internet /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-rdp-from-internet n/a 2021-01-10 20:58:32 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-landingzones ESJH-landingzones thisScope Mg false false Secure transfer to storage accounts should be enabled Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 Policy BuiltIn Storage Audit Default 0 0 0 0 0 none Enforce-Secure-Storage Enforce-Secure-Storage /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-storage-http n/a 2021-01-10 20:58:32 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149 2021-01-25 22:26:59 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-landingzones ESJH-landingzones thisScope Mg false false Subnets should have a Network Security Group This policy denies the creation of a subsnet with out an Network Security Group. NSG help to protect traffic across subnet-level. /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-subnet-without-nsg Policy Custom Network Deny Default 1 0 1 0 0 none Deny-Subnet-Without-Nsg Deny-Subnet-Without-Nsg /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-subnet-without-nsg n/a 2021-01-10 20:58:32 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-landingzones ESJH-landingzones thisScope Mg false false Deploy Azure Policy Add-on to Azure Kubernetes Service clusters Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc. /providers/microsoft.authorization/policydefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7 Policy BuiltIn Kubernetes deployIfNotExists Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/4f80e55d-446d-5743-a173-5d189d196345) Deploy-AKS-Policy Deploy-AKS-Policy /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deploy-aks-policy n/a 2021-01-10 20:58:37 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-landingzones ESJH-landingzones thisScope Mg false false Auditing on SQL server should be enabled Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. /providers/microsoft.authorization/policydefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9 Policy BuiltIn SQL AuditIfNotExists Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/8085d5e6-c291-571e-bd96-a2eb4769f9e6) Deploy-SQL-Audit Deploy-SQL-Audit /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deploy-sql-db-auditing n/a 2021-01-10 20:58:36 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-landingzones ESJH-landingzones thisScope Mg false false Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. /providers/microsoft.authorization/policydefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 Policy BuiltIn Backup deployIfNotExists Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/70486d4a-1ee2-5f70-bb58-b3bd79840ae5) Deploy-VM-Backup Deploy-VM-Backup /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deploy-vm-backup n/a 2021-01-10 20:58:34 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-landingzones ESJH-landingzones thisScope Mg false false Kubernetes clusters should be accessible only over HTTPS Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc /providers/microsoft.authorization/policydefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d Policy BuiltIn Kubernetes deny effect=deny Default 0 0 0 0 0 none Enforce-Https-Ingress-AKS Enforce-Https-Ingress-AKS /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/enforce-aks-https n/a 2021-01-10 20:58:33 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-landingzones ESJH-landingzones thisScope Mg false false Deploy SQL DB transparent data encryption Enables transparent data encryption on SQL databases /providers/microsoft.authorization/policydefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f Policy BuiltIn SQL DeployIfNotExists Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/3df334e6-61c3-543a-b548-97586caf6d4f) Deploy-SQL-Security Deploy-SQL-Security /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/enforce-sql-encryption n/a 2021-01-10 20:58:33 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-landingzones ESJH-landingzones inherited ESJH false false Azure Security Benchmark The Azure Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Azure Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Azure Security Center default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Azure Security Center. /providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 PolicySet BuiltIn Security Center n/a Default 21 17 8 0 0 none ASC-Monitoring ASC-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-monitoring n/a 2021-01-10 21:00:45 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-landingzones ESJH-landingzones inherited ESJH false false Deploy Azure Defender settings in Azure Security Center. Deploys the Azure Defender settings in Azure Security Center for the specific services. /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-asc-standard Policy Custom Security Center DeployIfNotExists pricingTierAppServices=Standard, pricingTierArm=Standard, pricingTierContainerRegistry=Standard, pricingTierDns=Standard, pricingTierKeyVaults=Standard, pricingTierKubernetesService=Standard, pricingTierSqlServers=Standard, pricingTierStorageAccounts=Standard, pricingTierVms=Standard Default 0 1 0 1 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/538e5329-7b5d-511f-8c05-9c7c32dab0bf) Deploy-ASC-Defender Deploy-ASC-Defender /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-security n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-landingzones ESJH-landingzones inherited ESJH false false Deploy Diagnostic Settings for Activity Log to Log Analytics workspace Deploys the diagnostic settings for Activity Log to stream to a Log Analytics workspace when any Activity Log which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with category enabled. /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-activitylog Policy Custom Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466, logsEnabled=True Default 0 1 0 1 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/e5ac6b58-4f31-5956-9082-78d97ba2453e) Deploy-AzActivity-Log Deploy-AzActivity-Log /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-azactivity-log n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-landingzones ESJH-landingzones inherited ESJH false false Configure Log Analytics agent on Azure Arc enabled Linux servers Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics agent virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. /providers/microsoft.authorization/policydefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf Policy BuiltIn Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/ddc0ff3c-a3d0-5d5b-ba19-116b6572acbf) Deploy-Linux-Arc-Monitoring Deploy-Linux-Arc-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-lx-arc-monitoring n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-landingzones ESJH-landingzones inherited ESJH false false Deploy Diagnostic Settings to Azure Services This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics PolicySet Custom Monitoring n/a logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 3 0 4 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/45afca7b-a696-5947-a47f-960081dd1dbc) Deploy-Resource-Diag Deploy-Resource-Diag /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-landingzones ESJH-landingzones inherited ESJH false false Enable Azure Monitor for VMs Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes Log Analytics workspace as parameter. /providers/microsoft.authorization/policysetdefinitions/55f3eceb-5573-4f18-9695-226972c6d74a PolicySet BuiltIn Monitoring n/a logAnalytics_1=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/5d92332d-fe07-5cef-9c6b-33e5025d6374) Deploy-VM-Monitoring Deploy-VM-Monitoring v2 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vm-monitoring n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149 2021-07-09 16:04:52 ObjectType: SP App INT , ObjectDisplayName: AzOps, ObjectSignInName: n/a, ObjectId: c295384a-33d9-475e-abaf-d2fb0274299a
Mg ESJH-landingzones ESJH-landingzones inherited ESJH false false Enable Azure Monitor for Virtual Machine Scale Sets Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. /providers/microsoft.authorization/policysetdefinitions/75714362-cae7-409e-9b99-a8e5075b7fad PolicySet BuiltIn Monitoring n/a logAnalytics_1=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/2d361fa3-7bd4-5234-9b12-1f54afa65870) Deploy-VMSS-Monitoring Deploy-VMSS-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vmss-monitoring n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-landingzones ESJH-landingzones inherited ESJH false false Configure Log Analytics agent on Azure Arc enabled Windows servers Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics agent virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. /providers/microsoft.authorization/policydefinitions/69af7d4a-7b18-4044-93a9-2651498ef203 Policy BuiltIn Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/38abf737-131b-52a2-90da-78943675bfed) Deploy-Windows-Arc-Monitoring Deploy-Windows-Arc-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-ws-arc-monitoring n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-platform ESJH-platform inherited ESJH false false Azure Security Benchmark The Azure Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Azure Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Azure Security Center default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Azure Security Center. /providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 PolicySet BuiltIn Security Center n/a Default 15 11 4 0 0 none ASC-Monitoring ASC-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-monitoring n/a 2021-01-10 21:00:45 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-platform ESJH-platform inherited ESJH false false Deploy Azure Defender settings in Azure Security Center. Deploys the Azure Defender settings in Azure Security Center for the specific services. /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-asc-standard Policy Custom Security Center DeployIfNotExists pricingTierAppServices=Standard, pricingTierArm=Standard, pricingTierContainerRegistry=Standard, pricingTierDns=Standard, pricingTierKeyVaults=Standard, pricingTierKubernetesService=Standard, pricingTierSqlServers=Standard, pricingTierStorageAccounts=Standard, pricingTierVms=Standard Default 0 1 0 1 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/538e5329-7b5d-511f-8c05-9c7c32dab0bf) Deploy-ASC-Defender Deploy-ASC-Defender /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-security n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-platform ESJH-platform inherited ESJH false false Deploy Diagnostic Settings for Activity Log to Log Analytics workspace Deploys the diagnostic settings for Activity Log to stream to a Log Analytics workspace when any Activity Log which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with category enabled. /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-activitylog Policy Custom Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466, logsEnabled=True Default 0 1 0 1 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/e5ac6b58-4f31-5956-9082-78d97ba2453e) Deploy-AzActivity-Log Deploy-AzActivity-Log /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-azactivity-log n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-platform ESJH-platform inherited ESJH false false Configure Log Analytics agent on Azure Arc enabled Linux servers Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics agent virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. /providers/microsoft.authorization/policydefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf Policy BuiltIn Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/ddc0ff3c-a3d0-5d5b-ba19-116b6572acbf) Deploy-Linux-Arc-Monitoring Deploy-Linux-Arc-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-lx-arc-monitoring n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-platform ESJH-platform inherited ESJH false false Deploy Diagnostic Settings to Azure Services This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics PolicySet Custom Monitoring n/a logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 2 0 3 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/45afca7b-a696-5947-a47f-960081dd1dbc) Deploy-Resource-Diag Deploy-Resource-Diag /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-platform ESJH-platform inherited ESJH false false Enable Azure Monitor for VMs Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes Log Analytics workspace as parameter. /providers/microsoft.authorization/policysetdefinitions/55f3eceb-5573-4f18-9695-226972c6d74a PolicySet BuiltIn Monitoring n/a logAnalytics_1=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/5d92332d-fe07-5cef-9c6b-33e5025d6374) Deploy-VM-Monitoring Deploy-VM-Monitoring v2 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vm-monitoring n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149 2021-07-09 16:04:52 ObjectType: SP App INT , ObjectDisplayName: AzOps, ObjectSignInName: n/a, ObjectId: c295384a-33d9-475e-abaf-d2fb0274299a
Mg ESJH-platform ESJH-platform inherited ESJH false false Enable Azure Monitor for Virtual Machine Scale Sets Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. /providers/microsoft.authorization/policysetdefinitions/75714362-cae7-409e-9b99-a8e5075b7fad PolicySet BuiltIn Monitoring n/a logAnalytics_1=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/2d361fa3-7bd4-5234-9b12-1f54afa65870) Deploy-VMSS-Monitoring Deploy-VMSS-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vmss-monitoring n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-platform ESJH-platform inherited ESJH false false Configure Log Analytics agent on Azure Arc enabled Windows servers Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics agent virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. /providers/microsoft.authorization/policydefinitions/69af7d4a-7b18-4044-93a9-2651498ef203 Policy BuiltIn Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/38abf737-131b-52a2-90da-78943675bfed) Deploy-Windows-Arc-Monitoring Deploy-Windows-Arc-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-ws-arc-monitoring n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-sandboxes ESJH-sandboxes thisScope Mg false false Audit VMs that do not use managed disks This policy audits VMs that do not use managed disks /providers/microsoft.authorization/policydefinitions/06a78e20-9358-41c9-923c-fb736d382a4d Policy BuiltIn Compute audit Default 0 0 0 0 0 none Audit VMs that do not use managed disks no description given /providers/microsoft.management/managementgroups/esjh-sandboxes/providers/microsoft.authorization/policyassignments/8d73a6aa8a0a4ea2b58de2b1 Joe Dalton 2021-05-05 19:52:10 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-sandboxes ESJH-sandboxes thisScope Mg false false Audit VMs that do not use managed disks This policy audits VMs that do not use managed disks /providers/microsoft.authorization/policydefinitions/06a78e20-9358-41c9-923c-fb736d382a4d Policy BuiltIn Compute audit Default 0 0 0 0 0 none APA Audit VMs that do not use managed disks no description given /providers/microsoft.management/managementgroups/esjh-sandboxes/providers/microsoft.authorization/policyassignments/8d73a6aa8a0a4ea2b58de2b2 n/a 2021-07-06 09:42:48 ObjectType: SP App INT , ObjectDisplayName: AzOps, ObjectSignInName: n/a, ObjectId: c295384a-33d9-475e-abaf-d2fb0274299a
Mg ESJH-sandboxes ESJH-sandboxes thisScope Mg false false Audit VMs that do not use managed disks This policy audits VMs that do not use managed disks /providers/microsoft.authorization/policydefinitions/06a78e20-9358-41c9-923c-fb736d382a4d Policy BuiltIn Compute audit Default 0 0 0 0 0 none APA2 Audit VMs that do not use managed disks no description given /providers/microsoft.management/managementgroups/esjh-sandboxes/providers/microsoft.authorization/policyassignments/8d73a6aa8a0a4ea2b58de2b3 n/a 2021-07-06 10:32:34 ObjectType: SP App INT , ObjectDisplayName: AzOps, ObjectSignInName: n/a, ObjectId: c295384a-33d9-475e-abaf-d2fb0274299a
Mg ESJH-sandboxes ESJH-sandboxes thisScope Mg false false Audit VMs that do not use managed disks This policy audits VMs that do not use managed disks /providers/microsoft.authorization/policydefinitions/06a78e20-9358-41c9-923c-fb736d382a4d Policy BuiltIn Compute audit Default 0 0 0 0 0 none APA3 Audit VMs that do not use managed disks no description given /providers/microsoft.management/managementgroups/esjh-sandboxes/providers/microsoft.authorization/policyassignments/8d73a6aa8a0a4ea2b58de2b4 n/a 2021-07-06 11:59:31 ObjectType: SP App INT , ObjectDisplayName: AzOps, ObjectSignInName: n/a, ObjectId: c295384a-33d9-475e-abaf-d2fb0274299a
Mg ESJH-sandboxes ESJH-sandboxes inherited ESJH false false Azure Security Benchmark The Azure Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Azure Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Azure Security Center default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Azure Security Center. /providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 PolicySet BuiltIn Security Center n/a Default 0 0 0 0 0 none ASC-Monitoring ASC-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-monitoring n/a 2021-01-10 21:00:45 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-sandboxes ESJH-sandboxes inherited ESJH false false Deploy Azure Defender settings in Azure Security Center. Deploys the Azure Defender settings in Azure Security Center for the specific services. /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-asc-standard Policy Custom Security Center DeployIfNotExists pricingTierAppServices=Standard, pricingTierArm=Standard, pricingTierContainerRegistry=Standard, pricingTierDns=Standard, pricingTierKeyVaults=Standard, pricingTierKubernetesService=Standard, pricingTierSqlServers=Standard, pricingTierStorageAccounts=Standard, pricingTierVms=Standard Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/538e5329-7b5d-511f-8c05-9c7c32dab0bf) Deploy-ASC-Defender Deploy-ASC-Defender /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-security n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-sandboxes ESJH-sandboxes inherited ESJH false false Deploy Diagnostic Settings for Activity Log to Log Analytics workspace Deploys the diagnostic settings for Activity Log to stream to a Log Analytics workspace when any Activity Log which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with category enabled. /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-activitylog Policy Custom Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466, logsEnabled=True Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/e5ac6b58-4f31-5956-9082-78d97ba2453e) Deploy-AzActivity-Log Deploy-AzActivity-Log /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-azactivity-log n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-sandboxes ESJH-sandboxes inherited ESJH false false Configure Log Analytics agent on Azure Arc enabled Linux servers Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics agent virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. /providers/microsoft.authorization/policydefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf Policy BuiltIn Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/ddc0ff3c-a3d0-5d5b-ba19-116b6572acbf) Deploy-Linux-Arc-Monitoring Deploy-Linux-Arc-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-lx-arc-monitoring n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-sandboxes ESJH-sandboxes inherited ESJH false false Deploy Diagnostic Settings to Azure Services This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics PolicySet Custom Monitoring n/a logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/45afca7b-a696-5947-a47f-960081dd1dbc) Deploy-Resource-Diag Deploy-Resource-Diag /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-sandboxes ESJH-sandboxes inherited ESJH false false Enable Azure Monitor for VMs Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes Log Analytics workspace as parameter. /providers/microsoft.authorization/policysetdefinitions/55f3eceb-5573-4f18-9695-226972c6d74a PolicySet BuiltIn Monitoring n/a logAnalytics_1=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/5d92332d-fe07-5cef-9c6b-33e5025d6374) Deploy-VM-Monitoring Deploy-VM-Monitoring v2 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vm-monitoring n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149 2021-07-09 16:04:52 ObjectType: SP App INT , ObjectDisplayName: AzOps, ObjectSignInName: n/a, ObjectId: c295384a-33d9-475e-abaf-d2fb0274299a
Mg ESJH-sandboxes ESJH-sandboxes inherited ESJH false false Enable Azure Monitor for Virtual Machine Scale Sets Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. /providers/microsoft.authorization/policysetdefinitions/75714362-cae7-409e-9b99-a8e5075b7fad PolicySet BuiltIn Monitoring n/a logAnalytics_1=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/2d361fa3-7bd4-5234-9b12-1f54afa65870) Deploy-VMSS-Monitoring Deploy-VMSS-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vmss-monitoring n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-sandboxes ESJH-sandboxes inherited ESJH false false Configure Log Analytics agent on Azure Arc enabled Windows servers Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics agent virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. /providers/microsoft.authorization/policydefinitions/69af7d4a-7b18-4044-93a9-2651498ef203 Policy BuiltIn Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/38abf737-131b-52a2-90da-78943675bfed) Deploy-Windows-Arc-Monitoring Deploy-Windows-Arc-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-ws-arc-monitoring n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg CUST_T5 CUST_T5 atz thisScope Mg false false Audit VMs that do not use managed disks This policy audits VMs that do not use managed disks /providers/microsoft.authorization/policydefinitions/06a78e20-9358-41c9-923c-fb736d382a4d Policy BuiltIn Compute audit Default 0 0 0 0 0 none APA Audit VMs that do not use managed disks no description given /providers/microsoft.management/managementgroups/cust_t5/providers/microsoft.authorization/policyassignments/aa4f4fdfd3b04fb3962a9da9 Joe Dalton 2021-07-15 15:16:07 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg CUST_T5 CUST_T5 atz inherited ESJH-sandboxes false false Audit VMs that do not use managed disks This policy audits VMs that do not use managed disks /providers/microsoft.authorization/policydefinitions/06a78e20-9358-41c9-923c-fb736d382a4d Policy BuiltIn Compute audit Default 0 0 0 0 0 none Audit VMs that do not use managed disks no description given /providers/microsoft.management/managementgroups/esjh-sandboxes/providers/microsoft.authorization/policyassignments/8d73a6aa8a0a4ea2b58de2b1 Joe Dalton 2021-05-05 19:52:10 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg CUST_T5 CUST_T5 atz inherited ESJH-sandboxes false false Audit VMs that do not use managed disks This policy audits VMs that do not use managed disks /providers/microsoft.authorization/policydefinitions/06a78e20-9358-41c9-923c-fb736d382a4d Policy BuiltIn Compute audit Default 0 0 0 0 0 none APA Audit VMs that do not use managed disks no description given /providers/microsoft.management/managementgroups/esjh-sandboxes/providers/microsoft.authorization/policyassignments/8d73a6aa8a0a4ea2b58de2b2 n/a 2021-07-06 09:42:48 ObjectType: SP App INT , ObjectDisplayName: AzOps, ObjectSignInName: n/a, ObjectId: c295384a-33d9-475e-abaf-d2fb0274299a
Mg CUST_T5 CUST_T5 atz inherited ESJH-sandboxes false false Audit VMs that do not use managed disks This policy audits VMs that do not use managed disks /providers/microsoft.authorization/policydefinitions/06a78e20-9358-41c9-923c-fb736d382a4d Policy BuiltIn Compute audit Default 0 0 0 0 0 none APA2 Audit VMs that do not use managed disks no description given /providers/microsoft.management/managementgroups/esjh-sandboxes/providers/microsoft.authorization/policyassignments/8d73a6aa8a0a4ea2b58de2b3 n/a 2021-07-06 10:32:34 ObjectType: SP App INT , ObjectDisplayName: AzOps, ObjectSignInName: n/a, ObjectId: c295384a-33d9-475e-abaf-d2fb0274299a
Mg CUST_T5 CUST_T5 atz inherited ESJH-sandboxes false false Audit VMs that do not use managed disks This policy audits VMs that do not use managed disks /providers/microsoft.authorization/policydefinitions/06a78e20-9358-41c9-923c-fb736d382a4d Policy BuiltIn Compute audit Default 0 0 0 0 0 none APA3 Audit VMs that do not use managed disks no description given /providers/microsoft.management/managementgroups/esjh-sandboxes/providers/microsoft.authorization/policyassignments/8d73a6aa8a0a4ea2b58de2b4 n/a 2021-07-06 11:59:31 ObjectType: SP App INT , ObjectDisplayName: AzOps, ObjectSignInName: n/a, ObjectId: c295384a-33d9-475e-abaf-d2fb0274299a
Mg CUST_T5 CUST_T5 atz inherited ESJH false false Azure Security Benchmark The Azure Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Azure Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Azure Security Center default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Azure Security Center. /providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 PolicySet BuiltIn Security Center n/a Default 0 0 0 0 0 none ASC-Monitoring ASC-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-monitoring n/a 2021-01-10 21:00:45 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg CUST_T5 CUST_T5 atz inherited ESJH false false Deploy Azure Defender settings in Azure Security Center. Deploys the Azure Defender settings in Azure Security Center for the specific services. /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-asc-standard Policy Custom Security Center DeployIfNotExists pricingTierAppServices=Standard, pricingTierArm=Standard, pricingTierContainerRegistry=Standard, pricingTierDns=Standard, pricingTierKeyVaults=Standard, pricingTierKubernetesService=Standard, pricingTierSqlServers=Standard, pricingTierStorageAccounts=Standard, pricingTierVms=Standard Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/538e5329-7b5d-511f-8c05-9c7c32dab0bf) Deploy-ASC-Defender Deploy-ASC-Defender /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-security n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg CUST_T5 CUST_T5 atz inherited ESJH false false Deploy Diagnostic Settings for Activity Log to Log Analytics workspace Deploys the diagnostic settings for Activity Log to stream to a Log Analytics workspace when any Activity Log which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with category enabled. /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-activitylog Policy Custom Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466, logsEnabled=True Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/e5ac6b58-4f31-5956-9082-78d97ba2453e) Deploy-AzActivity-Log Deploy-AzActivity-Log /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-azactivity-log n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg CUST_T5 CUST_T5 atz inherited ESJH false false Configure Log Analytics agent on Azure Arc enabled Linux servers Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics agent virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. /providers/microsoft.authorization/policydefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf Policy BuiltIn Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/ddc0ff3c-a3d0-5d5b-ba19-116b6572acbf) Deploy-Linux-Arc-Monitoring Deploy-Linux-Arc-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-lx-arc-monitoring n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg CUST_T5 CUST_T5 atz inherited ESJH false false Deploy Diagnostic Settings to Azure Services This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics PolicySet Custom Monitoring n/a logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/45afca7b-a696-5947-a47f-960081dd1dbc) Deploy-Resource-Diag Deploy-Resource-Diag /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg CUST_T5 CUST_T5 atz inherited ESJH false false Enable Azure Monitor for VMs Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes Log Analytics workspace as parameter. /providers/microsoft.authorization/policysetdefinitions/55f3eceb-5573-4f18-9695-226972c6d74a PolicySet BuiltIn Monitoring n/a logAnalytics_1=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/5d92332d-fe07-5cef-9c6b-33e5025d6374) Deploy-VM-Monitoring Deploy-VM-Monitoring v2 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vm-monitoring n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149 2021-07-09 16:04:52 ObjectType: SP App INT , ObjectDisplayName: AzOps, ObjectSignInName: n/a, ObjectId: c295384a-33d9-475e-abaf-d2fb0274299a
Mg CUST_T5 CUST_T5 atz inherited ESJH false false Enable Azure Monitor for Virtual Machine Scale Sets Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. /providers/microsoft.authorization/policysetdefinitions/75714362-cae7-409e-9b99-a8e5075b7fad PolicySet BuiltIn Monitoring n/a logAnalytics_1=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/2d361fa3-7bd4-5234-9b12-1f54afa65870) Deploy-VMSS-Monitoring Deploy-VMSS-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vmss-monitoring n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg CUST_T5 CUST_T5 atz inherited ESJH false false Configure Log Analytics agent on Azure Arc enabled Windows servers Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics agent virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. /providers/microsoft.authorization/policydefinitions/69af7d4a-7b18-4044-93a9-2651498ef203 Policy BuiltIn Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/38abf737-131b-52a2-90da-78943675bfed) Deploy-Windows-Arc-Monitoring Deploy-Windows-Arc-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-ws-arc-monitoring n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-management ESJH-management thisScope Mg false false Deploy the Log Analytics in the subscription Deploys Log Analytics and Automation account to the subscription where the policy is assigned. /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-log-analytics Policy Custom Monitoring DeployIfNotExists automationAccountName=ESJH-a-f28ba982-5ed0-4033-9bdf-e45e4b5df466, automationRegion=westeurope, retentionInDays=30, rgName=ESJH-mgmt, workspaceName=ESJH-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466, workspaceRegion=westeurope Default 0 1 0 1 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH-management/providers/Microsoft.Authorization/roleAssignments/b95d2309-e3d0-5961-bef8-a3e75deca49a) Deploy-Log-Analytics Deploy-Log-Analytics /providers/microsoft.management/managementgroups/esjh-management/providers/microsoft.authorization/policyassignments/deploy-log-analytics n/a 2021-01-10 20:58:37 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-management ESJH-management inherited ESJH false false Azure Security Benchmark The Azure Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Azure Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Azure Security Center default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Azure Security Center. /providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 PolicySet BuiltIn Security Center n/a Default 15 11 4 0 0 none ASC-Monitoring ASC-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-monitoring n/a 2021-01-10 21:00:45 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-management ESJH-management inherited ESJH false false Deploy Azure Defender settings in Azure Security Center. Deploys the Azure Defender settings in Azure Security Center for the specific services. /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-asc-standard Policy Custom Security Center DeployIfNotExists pricingTierAppServices=Standard, pricingTierArm=Standard, pricingTierContainerRegistry=Standard, pricingTierDns=Standard, pricingTierKeyVaults=Standard, pricingTierKubernetesService=Standard, pricingTierSqlServers=Standard, pricingTierStorageAccounts=Standard, pricingTierVms=Standard Default 0 1 0 1 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/538e5329-7b5d-511f-8c05-9c7c32dab0bf) Deploy-ASC-Defender Deploy-ASC-Defender /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-security n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-management ESJH-management inherited ESJH false false Deploy Diagnostic Settings for Activity Log to Log Analytics workspace Deploys the diagnostic settings for Activity Log to stream to a Log Analytics workspace when any Activity Log which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with category enabled. /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-activitylog Policy Custom Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466, logsEnabled=True Default 0 1 0 1 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/e5ac6b58-4f31-5956-9082-78d97ba2453e) Deploy-AzActivity-Log Deploy-AzActivity-Log /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-azactivity-log n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-management ESJH-management inherited ESJH false false Configure Log Analytics agent on Azure Arc enabled Linux servers Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics agent virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. /providers/microsoft.authorization/policydefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf Policy BuiltIn Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/ddc0ff3c-a3d0-5d5b-ba19-116b6572acbf) Deploy-Linux-Arc-Monitoring Deploy-Linux-Arc-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-lx-arc-monitoring n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-management ESJH-management inherited ESJH false false Deploy Diagnostic Settings to Azure Services This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics PolicySet Custom Monitoring n/a logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 2 0 3 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/45afca7b-a696-5947-a47f-960081dd1dbc) Deploy-Resource-Diag Deploy-Resource-Diag /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-management ESJH-management inherited ESJH false false Enable Azure Monitor for VMs Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes Log Analytics workspace as parameter. /providers/microsoft.authorization/policysetdefinitions/55f3eceb-5573-4f18-9695-226972c6d74a PolicySet BuiltIn Monitoring n/a logAnalytics_1=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/5d92332d-fe07-5cef-9c6b-33e5025d6374) Deploy-VM-Monitoring Deploy-VM-Monitoring v2 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vm-monitoring n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149 2021-07-09 16:04:52 ObjectType: SP App INT , ObjectDisplayName: AzOps, ObjectSignInName: n/a, ObjectId: c295384a-33d9-475e-abaf-d2fb0274299a
Mg ESJH-management ESJH-management inherited ESJH false false Enable Azure Monitor for Virtual Machine Scale Sets Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. /providers/microsoft.authorization/policysetdefinitions/75714362-cae7-409e-9b99-a8e5075b7fad PolicySet BuiltIn Monitoring n/a logAnalytics_1=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/2d361fa3-7bd4-5234-9b12-1f54afa65870) Deploy-VMSS-Monitoring Deploy-VMSS-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vmss-monitoring n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-management ESJH-management inherited ESJH false false Configure Log Analytics agent on Azure Arc enabled Windows servers Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics agent virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. /providers/microsoft.authorization/policydefinitions/69af7d4a-7b18-4044-93a9-2651498ef203 Policy BuiltIn Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/38abf737-131b-52a2-90da-78943675bfed) Deploy-Windows-Arc-Monitoring Deploy-Windows-Arc-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-ws-arc-monitoring n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Sub ESJH-management ESJH-management f28ba982-5ed0-4033-9bdf-e45e4b5df466 management inherited ESJH-management false false Deploy the Log Analytics in the subscription Deploys Log Analytics and Automation account to the subscription where the policy is assigned. /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-log-analytics Policy Custom Monitoring DeployIfNotExists automationAccountName=ESJH-a-f28ba982-5ed0-4033-9bdf-e45e4b5df466, automationRegion=westeurope, retentionInDays=30, rgName=ESJH-mgmt, workspaceName=ESJH-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466, workspaceRegion=westeurope Default 0 1 0 1 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH-management/providers/Microsoft.Authorization/roleAssignments/b95d2309-e3d0-5961-bef8-a3e75deca49a) Deploy-Log-Analytics Deploy-Log-Analytics /providers/microsoft.management/managementgroups/esjh-management/providers/microsoft.authorization/policyassignments/deploy-log-analytics n/a 2021-01-10 20:58:37 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Sub ESJH-management ESJH-management f28ba982-5ed0-4033-9bdf-e45e4b5df466 management inherited ESJH false false Azure Security Benchmark The Azure Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Azure Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Azure Security Center default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Azure Security Center. /providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 PolicySet BuiltIn Security Center n/a Default 15 11 4 0 0 none ASC-Monitoring ASC-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-monitoring n/a 2021-01-10 21:00:45 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Sub ESJH-management ESJH-management f28ba982-5ed0-4033-9bdf-e45e4b5df466 management inherited ESJH false false Deploy Azure Defender settings in Azure Security Center. Deploys the Azure Defender settings in Azure Security Center for the specific services. /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-asc-standard Policy Custom Security Center DeployIfNotExists pricingTierAppServices=Standard, pricingTierArm=Standard, pricingTierContainerRegistry=Standard, pricingTierDns=Standard, pricingTierKeyVaults=Standard, pricingTierKubernetesService=Standard, pricingTierSqlServers=Standard, pricingTierStorageAccounts=Standard, pricingTierVms=Standard Default 0 1 0 1 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/538e5329-7b5d-511f-8c05-9c7c32dab0bf) Deploy-ASC-Defender Deploy-ASC-Defender /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-security n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Sub ESJH-management ESJH-management f28ba982-5ed0-4033-9bdf-e45e4b5df466 management inherited ESJH false false Deploy Diagnostic Settings for Activity Log to Log Analytics workspace Deploys the diagnostic settings for Activity Log to stream to a Log Analytics workspace when any Activity Log which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with category enabled. /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-activitylog Policy Custom Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466, logsEnabled=True Default 0 1 0 1 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/e5ac6b58-4f31-5956-9082-78d97ba2453e) Deploy-AzActivity-Log Deploy-AzActivity-Log /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-azactivity-log n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Sub ESJH-management ESJH-management f28ba982-5ed0-4033-9bdf-e45e4b5df466 management inherited ESJH false false Configure Log Analytics agent on Azure Arc enabled Linux servers Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics agent virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. /providers/microsoft.authorization/policydefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf Policy BuiltIn Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/ddc0ff3c-a3d0-5d5b-ba19-116b6572acbf) Deploy-Linux-Arc-Monitoring Deploy-Linux-Arc-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-lx-arc-monitoring n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Sub ESJH-management ESJH-management f28ba982-5ed0-4033-9bdf-e45e4b5df466 management inherited ESJH false false Deploy Diagnostic Settings to Azure Services This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics PolicySet Custom Monitoring n/a logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 2 0 3 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/45afca7b-a696-5947-a47f-960081dd1dbc) Deploy-Resource-Diag Deploy-Resource-Diag /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Sub ESJH-management ESJH-management f28ba982-5ed0-4033-9bdf-e45e4b5df466 management inherited ESJH false false Enable Azure Monitor for VMs Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes Log Analytics workspace as parameter. /providers/microsoft.authorization/policysetdefinitions/55f3eceb-5573-4f18-9695-226972c6d74a PolicySet BuiltIn Monitoring n/a logAnalytics_1=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/5d92332d-fe07-5cef-9c6b-33e5025d6374) Deploy-VM-Monitoring Deploy-VM-Monitoring v2 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vm-monitoring n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149 2021-07-09 16:04:52 ObjectType: SP App INT , ObjectDisplayName: AzOps, ObjectSignInName: n/a, ObjectId: c295384a-33d9-475e-abaf-d2fb0274299a
Sub ESJH-management ESJH-management f28ba982-5ed0-4033-9bdf-e45e4b5df466 management inherited ESJH false false Enable Azure Monitor for Virtual Machine Scale Sets Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. /providers/microsoft.authorization/policysetdefinitions/75714362-cae7-409e-9b99-a8e5075b7fad PolicySet BuiltIn Monitoring n/a logAnalytics_1=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/2d361fa3-7bd4-5234-9b12-1f54afa65870) Deploy-VMSS-Monitoring Deploy-VMSS-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vmss-monitoring n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Sub ESJH-management ESJH-management f28ba982-5ed0-4033-9bdf-e45e4b5df466 management inherited ESJH false false Configure Log Analytics agent on Azure Arc enabled Windows servers Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics agent virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. /providers/microsoft.authorization/policydefinitions/69af7d4a-7b18-4044-93a9-2651498ef203 Policy BuiltIn Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/38abf737-131b-52a2-90da-78943675bfed) Deploy-Windows-Arc-Monitoring Deploy-Windows-Arc-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-ws-arc-monitoring n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Sub ESJH-management ESJH-management f28ba982-5ed0-4033-9bdf-e45e4b5df466 management thisScope Sub false false Configure Azure Defender to be enabled on SQL Servers and SQL Managed Instances Enable Azure Defender on your SQL Servers and SQL Managed Instances to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. /providers/microsoft.authorization/policysetdefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97 PolicySet BuiltIn Security Center n/a Default 0 0 0 0 0 none ASC DataProtection (subscription: f28ba982-5ed0-4033-9bdf-e45e4b5df466) This policy assignment was automatically created by Azure Security Center /subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/providers/microsoft.authorization/policyassignments/dataprotectionsecuritycenter Security Center 2021-01-10 21:02:38 ObjectType: SP App EXT, ObjectDisplayName: Windows Azure Security Resource Provider, ObjectSignInName: n/a, ObjectId: 9ac4e379-ffb1-4e2c-ac89-3752d019abfd (rp)
Mg ESJH-online ESJH-online inherited ESJH-landingzones false false Network interfaces should disable IP forwarding This policy denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure's check of the source and destination for a network interface. This should be reviewed by the network security team. /providers/microsoft.authorization/policydefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900 Policy BuiltIn Network deny Default 0 0 0 0 0 none Deny-IP-Forwarding Deny-IP-Forwarding /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-ip-forwarding n/a 2021-01-10 20:58:32 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-online ESJH-online inherited ESJH-landingzones false false Kubernetes clusters should not allow container privilege escalation Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. /providers/microsoft.authorization/policydefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 Policy BuiltIn Kubernetes deny effect=deny Default 0 0 0 0 0 none Deny-Privileged-Escalations-AKS Deny-Privileged-Escalations-AKS /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-priv-esc-aks n/a 2021-01-10 20:58:33 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-online ESJH-online inherited ESJH-landingzones false false Kubernetes cluster should not allow privileged containers Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. /providers/microsoft.authorization/policydefinitions/95edb821-ddaf-4404-9732-666045e056b4 Policy BuiltIn Kubernetes deny effect=deny Default 0 0 0 0 0 none Deny-Privileged-Containers-AKS Deny-Privileged-Containers-AKS /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-privileged-aks n/a 2021-01-10 20:58:33 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-online ESJH-online inherited ESJH-landingzones false false RDP access from the Internet should be blocked This policy denies any network security rule that allows RDP access from Internet /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-rdp-from-internet Policy Custom Network Deny Default 0 0 0 0 0 none Deny-RDP-from-Internet Deny-RDP-from-Internet /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-rdp-from-internet n/a 2021-01-10 20:58:32 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-online ESJH-online inherited ESJH-landingzones false false Secure transfer to storage accounts should be enabled Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 Policy BuiltIn Storage Audit Default 0 0 0 0 0 none Enforce-Secure-Storage Enforce-Secure-Storage /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-storage-http n/a 2021-01-10 20:58:32 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149 2021-01-25 22:26:59 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-online ESJH-online inherited ESJH-landingzones false false Subnets should have a Network Security Group This policy denies the creation of a subsnet with out an Network Security Group. NSG help to protect traffic across subnet-level. /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-subnet-without-nsg Policy Custom Network Deny Default 1 0 1 0 0 none Deny-Subnet-Without-Nsg Deny-Subnet-Without-Nsg /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-subnet-without-nsg n/a 2021-01-10 20:58:32 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-online ESJH-online inherited ESJH-landingzones false false Deploy Azure Policy Add-on to Azure Kubernetes Service clusters Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc. /providers/microsoft.authorization/policydefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7 Policy BuiltIn Kubernetes deployIfNotExists Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/4f80e55d-446d-5743-a173-5d189d196345) Deploy-AKS-Policy Deploy-AKS-Policy /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deploy-aks-policy n/a 2021-01-10 20:58:37 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-online ESJH-online inherited ESJH-landingzones false false Auditing on SQL server should be enabled Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. /providers/microsoft.authorization/policydefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9 Policy BuiltIn SQL AuditIfNotExists Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/8085d5e6-c291-571e-bd96-a2eb4769f9e6) Deploy-SQL-Audit Deploy-SQL-Audit /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deploy-sql-db-auditing n/a 2021-01-10 20:58:36 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-online ESJH-online inherited ESJH-landingzones false false Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. /providers/microsoft.authorization/policydefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 Policy BuiltIn Backup deployIfNotExists Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/70486d4a-1ee2-5f70-bb58-b3bd79840ae5) Deploy-VM-Backup Deploy-VM-Backup /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deploy-vm-backup n/a 2021-01-10 20:58:34 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-online ESJH-online inherited ESJH-landingzones false false Kubernetes clusters should be accessible only over HTTPS Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc /providers/microsoft.authorization/policydefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d Policy BuiltIn Kubernetes deny effect=deny Default 0 0 0 0 0 none Enforce-Https-Ingress-AKS Enforce-Https-Ingress-AKS /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/enforce-aks-https n/a 2021-01-10 20:58:33 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-online ESJH-online inherited ESJH-landingzones false false Deploy SQL DB transparent data encryption Enables transparent data encryption on SQL databases /providers/microsoft.authorization/policydefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f Policy BuiltIn SQL DeployIfNotExists Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/3df334e6-61c3-543a-b548-97586caf6d4f) Deploy-SQL-Security Deploy-SQL-Security /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/enforce-sql-encryption n/a 2021-01-10 20:58:33 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-online ESJH-online inherited ESJH false false Azure Security Benchmark The Azure Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Azure Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Azure Security Center default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Azure Security Center. /providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 PolicySet BuiltIn Security Center n/a Default 21 17 8 0 0 none ASC-Monitoring ASC-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-monitoring n/a 2021-01-10 21:00:45 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-online ESJH-online inherited ESJH false false Deploy Azure Defender settings in Azure Security Center. Deploys the Azure Defender settings in Azure Security Center for the specific services. /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-asc-standard Policy Custom Security Center DeployIfNotExists pricingTierAppServices=Standard, pricingTierArm=Standard, pricingTierContainerRegistry=Standard, pricingTierDns=Standard, pricingTierKeyVaults=Standard, pricingTierKubernetesService=Standard, pricingTierSqlServers=Standard, pricingTierStorageAccounts=Standard, pricingTierVms=Standard Default 0 1 0 1 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/538e5329-7b5d-511f-8c05-9c7c32dab0bf) Deploy-ASC-Defender Deploy-ASC-Defender /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-security n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-online ESJH-online inherited ESJH false false Deploy Diagnostic Settings for Activity Log to Log Analytics workspace Deploys the diagnostic settings for Activity Log to stream to a Log Analytics workspace when any Activity Log which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with category enabled. /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-activitylog Policy Custom Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466, logsEnabled=True Default 0 1 0 1 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/e5ac6b58-4f31-5956-9082-78d97ba2453e) Deploy-AzActivity-Log Deploy-AzActivity-Log /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-azactivity-log n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-online ESJH-online inherited ESJH false false Configure Log Analytics agent on Azure Arc enabled Linux servers Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics agent virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. /providers/microsoft.authorization/policydefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf Policy BuiltIn Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/ddc0ff3c-a3d0-5d5b-ba19-116b6572acbf) Deploy-Linux-Arc-Monitoring Deploy-Linux-Arc-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-lx-arc-monitoring n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-online ESJH-online inherited ESJH false false Deploy Diagnostic Settings to Azure Services This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics PolicySet Custom Monitoring n/a logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 3 0 4 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/45afca7b-a696-5947-a47f-960081dd1dbc) Deploy-Resource-Diag Deploy-Resource-Diag /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-online ESJH-online inherited ESJH false false Enable Azure Monitor for VMs Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes Log Analytics workspace as parameter. /providers/microsoft.authorization/policysetdefinitions/55f3eceb-5573-4f18-9695-226972c6d74a PolicySet BuiltIn Monitoring n/a logAnalytics_1=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/5d92332d-fe07-5cef-9c6b-33e5025d6374) Deploy-VM-Monitoring Deploy-VM-Monitoring v2 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vm-monitoring n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149 2021-07-09 16:04:52 ObjectType: SP App INT , ObjectDisplayName: AzOps, ObjectSignInName: n/a, ObjectId: c295384a-33d9-475e-abaf-d2fb0274299a
Mg ESJH-online ESJH-online inherited ESJH false false Enable Azure Monitor for Virtual Machine Scale Sets Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. /providers/microsoft.authorization/policysetdefinitions/75714362-cae7-409e-9b99-a8e5075b7fad PolicySet BuiltIn Monitoring n/a logAnalytics_1=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/2d361fa3-7bd4-5234-9b12-1f54afa65870) Deploy-VMSS-Monitoring Deploy-VMSS-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vmss-monitoring n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-online ESJH-online inherited ESJH false false Configure Log Analytics agent on Azure Arc enabled Windows servers Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics agent virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. /providers/microsoft.authorization/policydefinitions/69af7d4a-7b18-4044-93a9-2651498ef203 Policy BuiltIn Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/38abf737-131b-52a2-90da-78943675bfed) Deploy-Windows-Arc-Monitoring Deploy-Windows-Arc-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-ws-arc-monitoring n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Sub ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone inherited ESJH-landingzones false false Network interfaces should disable IP forwarding This policy denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure's check of the source and destination for a network interface. This should be reviewed by the network security team. /providers/microsoft.authorization/policydefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900 Policy BuiltIn Network deny Default 0 0 0 0 0 none Deny-IP-Forwarding Deny-IP-Forwarding /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-ip-forwarding n/a 2021-01-10 20:58:32 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Sub ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone inherited ESJH-landingzones false false Kubernetes clusters should not allow container privilege escalation Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. /providers/microsoft.authorization/policydefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 Policy BuiltIn Kubernetes deny effect=deny Default 0 0 0 0 0 none Deny-Privileged-Escalations-AKS Deny-Privileged-Escalations-AKS /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-priv-esc-aks n/a 2021-01-10 20:58:33 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Sub ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone inherited ESJH-landingzones false false Kubernetes cluster should not allow privileged containers Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. /providers/microsoft.authorization/policydefinitions/95edb821-ddaf-4404-9732-666045e056b4 Policy BuiltIn Kubernetes deny effect=deny Default 0 0 0 0 0 none Deny-Privileged-Containers-AKS Deny-Privileged-Containers-AKS /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-privileged-aks n/a 2021-01-10 20:58:33 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Sub ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone inherited ESJH-landingzones false false RDP access from the Internet should be blocked This policy denies any network security rule that allows RDP access from Internet /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-rdp-from-internet Policy Custom Network Deny Default 0 0 0 0 0 none Deny-RDP-from-Internet Deny-RDP-from-Internet /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-rdp-from-internet n/a 2021-01-10 20:58:32 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Sub ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone inherited ESJH-landingzones true false Secure transfer to storage accounts should be enabled Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 Policy BuiltIn Storage Audit Default 0 0 0 0 0 none Enforce-Secure-Storage Enforce-Secure-Storage /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-storage-http n/a 2021-01-10 20:58:32 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149 2021-01-25 22:26:59 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Sub ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone inherited ESJH-landingzones false false Subnets should have a Network Security Group This policy denies the creation of a subsnet with out an Network Security Group. NSG help to protect traffic across subnet-level. /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-subnet-without-nsg Policy Custom Network Deny Default 1 0 1 0 0 none Deny-Subnet-Without-Nsg Deny-Subnet-Without-Nsg /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-subnet-without-nsg n/a 2021-01-10 20:58:32 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Sub ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone inherited ESJH-landingzones false false Deploy Azure Policy Add-on to Azure Kubernetes Service clusters Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc. /providers/microsoft.authorization/policydefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7 Policy BuiltIn Kubernetes deployIfNotExists Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/4f80e55d-446d-5743-a173-5d189d196345) Deploy-AKS-Policy Deploy-AKS-Policy /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deploy-aks-policy n/a 2021-01-10 20:58:37 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Sub ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone inherited ESJH-landingzones false false Auditing on SQL server should be enabled Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. /providers/microsoft.authorization/policydefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9 Policy BuiltIn SQL AuditIfNotExists Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/8085d5e6-c291-571e-bd96-a2eb4769f9e6) Deploy-SQL-Audit Deploy-SQL-Audit /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deploy-sql-db-auditing n/a 2021-01-10 20:58:36 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Sub ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone inherited ESJH-landingzones false false Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. /providers/microsoft.authorization/policydefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 Policy BuiltIn Backup deployIfNotExists Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/70486d4a-1ee2-5f70-bb58-b3bd79840ae5) Deploy-VM-Backup Deploy-VM-Backup /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deploy-vm-backup n/a 2021-01-10 20:58:34 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Sub ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone inherited ESJH-landingzones false false Kubernetes clusters should be accessible only over HTTPS Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc /providers/microsoft.authorization/policydefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d Policy BuiltIn Kubernetes deny effect=deny Default 0 0 0 0 0 none Enforce-Https-Ingress-AKS Enforce-Https-Ingress-AKS /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/enforce-aks-https n/a 2021-01-10 20:58:33 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Sub ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone inherited ESJH-landingzones false false Deploy SQL DB transparent data encryption Enables transparent data encryption on SQL databases /providers/microsoft.authorization/policydefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f Policy BuiltIn SQL DeployIfNotExists Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/3df334e6-61c3-543a-b548-97586caf6d4f) Deploy-SQL-Security Deploy-SQL-Security /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/enforce-sql-encryption n/a 2021-01-10 20:58:33 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Sub ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone inherited ESJH false false Azure Security Benchmark The Azure Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Azure Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Azure Security Center default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Azure Security Center. /providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 PolicySet BuiltIn Security Center n/a Default 21 17 8 0 0 none ASC-Monitoring ASC-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-monitoring n/a 2021-01-10 21:00:45 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Sub ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone inherited ESJH false false Deploy Azure Defender settings in Azure Security Center. Deploys the Azure Defender settings in Azure Security Center for the specific services. /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-asc-standard Policy Custom Security Center DeployIfNotExists pricingTierAppServices=Standard, pricingTierArm=Standard, pricingTierContainerRegistry=Standard, pricingTierDns=Standard, pricingTierKeyVaults=Standard, pricingTierKubernetesService=Standard, pricingTierSqlServers=Standard, pricingTierStorageAccounts=Standard, pricingTierVms=Standard Default 0 1 0 1 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/538e5329-7b5d-511f-8c05-9c7c32dab0bf) Deploy-ASC-Defender Deploy-ASC-Defender /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-security n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Sub ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone inherited ESJH false false Deploy Diagnostic Settings for Activity Log to Log Analytics workspace Deploys the diagnostic settings for Activity Log to stream to a Log Analytics workspace when any Activity Log which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with category enabled. /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-activitylog Policy Custom Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466, logsEnabled=True Default 0 1 0 1 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/e5ac6b58-4f31-5956-9082-78d97ba2453e) Deploy-AzActivity-Log Deploy-AzActivity-Log /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-azactivity-log n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Sub ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone inherited ESJH false false Configure Log Analytics agent on Azure Arc enabled Linux servers Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics agent virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. /providers/microsoft.authorization/policydefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf Policy BuiltIn Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/ddc0ff3c-a3d0-5d5b-ba19-116b6572acbf) Deploy-Linux-Arc-Monitoring Deploy-Linux-Arc-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-lx-arc-monitoring n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Sub ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone inherited ESJH false false Deploy Diagnostic Settings to Azure Services This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics PolicySet Custom Monitoring n/a logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 3 0 4 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/45afca7b-a696-5947-a47f-960081dd1dbc) Deploy-Resource-Diag Deploy-Resource-Diag /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Sub ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone inherited ESJH false false Enable Azure Monitor for VMs Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes Log Analytics workspace as parameter. /providers/microsoft.authorization/policysetdefinitions/55f3eceb-5573-4f18-9695-226972c6d74a PolicySet BuiltIn Monitoring n/a logAnalytics_1=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/5d92332d-fe07-5cef-9c6b-33e5025d6374) Deploy-VM-Monitoring Deploy-VM-Monitoring v2 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vm-monitoring n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149 2021-07-09 16:04:52 ObjectType: SP App INT , ObjectDisplayName: AzOps, ObjectSignInName: n/a, ObjectId: c295384a-33d9-475e-abaf-d2fb0274299a
Sub ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone inherited ESJH false false Enable Azure Monitor for Virtual Machine Scale Sets Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. /providers/microsoft.authorization/policysetdefinitions/75714362-cae7-409e-9b99-a8e5075b7fad PolicySet BuiltIn Monitoring n/a logAnalytics_1=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/2d361fa3-7bd4-5234-9b12-1f54afa65870) Deploy-VMSS-Monitoring Deploy-VMSS-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vmss-monitoring n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Sub ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone inherited ESJH false false Configure Log Analytics agent on Azure Arc enabled Windows servers Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics agent virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. /providers/microsoft.authorization/policydefinitions/69af7d4a-7b18-4044-93a9-2651498ef203 Policy BuiltIn Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/38abf737-131b-52a2-90da-78943675bfed) Deploy-Windows-Arc-Monitoring Deploy-Windows-Arc-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-ws-arc-monitoring n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Sub ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone thisScope Sub false false [Deprecated]: Function App should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. /providers/microsoft.authorization/policydefinitions/5df82f4f-773a-4a2d-97a2-422a806f1a55 Policy BuiltIn Security Center AuditIfNotExists Default 0 0 0 0 0 none testDeprecatedAssignment no description given /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/microsoft.authorization/policyassignments/bcdd1466e4fc5114b6e5f13d n/a 2021-07-18 15:09:28 ObjectType: SP App INT , ObjectDisplayName: AzOps, ObjectSignInName: n/a, ObjectId: c295384a-33d9-475e-abaf-d2fb0274299a
Sub ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone thisScope Sub false false Audit virtual machines without disaster recovery configured Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://aka.ms/asr-doc. /providers/microsoft.authorization/policydefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56 Policy BuiltIn Compute auditIfNotExists Default 0 0 0 0 0 none Audit virtual machines without disaster recovery configured no description given /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/microsoft.authorization/policyassignments/bcee1466e4fc4114b5e5f03d Joe Dalton 2021-06-16 16:07:53 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Sub ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone thisScope Sub false false Configure Azure Defender to be enabled on SQL Servers and SQL Managed Instances Enable Azure Defender on your SQL Servers and SQL Managed Instances to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. /providers/microsoft.authorization/policysetdefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97 PolicySet BuiltIn Security Center n/a Default 0 0 0 0 0 none ASC DataProtection (subscription: 4dfa3b56-55bf-4059-802a-24e44a4fb60f) This policy assignment was automatically created by Azure Security Center /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/microsoft.authorization/policyassignments/dataprotectionsecuritycenter Security Center 2021-01-10 21:02:17 ObjectType: SP App EXT, ObjectDisplayName: Windows Azure Security Resource Provider, ObjectSignInName: n/a, ObjectId: 9ac4e379-ffb1-4e2c-ac89-3752d019abfd (rp)
Role Name RoleId Assignable Scopes Data CreatedOn CreatedBy UpdatedOn UpdatedBy
CustRole_P_9982_176 6b44d6da-5658-444e-a36d-ce64b14011ab 1 (/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466) false 2021-05-18 18:03:13 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a 2021-05-18 18:23:40 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
CustRole_P_9982_178 fc14b032-e6e8-440b-a328-f55918e8c83e 2 (/subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f, /subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466) false 2021-06-16 10:10:06 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Task4638Role 8808ebf9-4602-4635-a9b8-6c0f002695be 1 (/subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f) false 2021-01-25 22:22:09 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
testRole3366 f548f1ea-48f1-4a74-9061-b5dacacf514a 1 (/subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f) false 2021-07-18 15:22:38 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a 2021-07-19 19:45:44 ObjectType: User Member, ObjectDisplayName: Jack Dalton, ObjectSignInName: JackDalton@AzGovViz.onmicrosoft.com, ObjectId: c64d2776-a210-428f-b54f-a4a5dd7f8ef8
testRole3367 f7028056-3a12-43ac-a499-0d1844a02240 1 (/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466) false 2021-08-04 15:34:15 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
testRole3368 08a2d627-a94e-461e-8350-432b457d00a3 1 (/providers/microsoft.management/managementgroups/esjhdev) false 2021-08-04 15:36:21 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Role Name RoleId Assignable Scopes
CustRole_P_9982_176 6b44d6da-5658-444e-a36d-ce64b14011ab 1 (/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466)
CustRole_P_9982_178 fc14b032-e6e8-440b-a328-f55918e8c83e 2 (/subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f, /subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466)
Task4638Role 8808ebf9-4602-4635-a9b8-6c0f002695be 1 (/subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f)
testRole3366 f548f1ea-48f1-4a74-9061-b5dacacf514a 1 (/subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f)
testRole3367 f7028056-3a12-43ac-a499-0d1844a02240 1 (/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466)
testRole3368 08a2d627-a94e-461e-8350-432b457d00a3 1 (/providers/microsoft.management/managementgroups/esjhdev)

0 Orphaned Role assignments (Tenant wide)

Scope Management Group Id Management Group Name SubscriptionId Subscription Name Assignment Scope Role Role Id Role Type Data Identity Displayname Identity SignInName Identity ObjectId Identity Type Applicability Applies through membership Group Details Role AssignmentId Related Policy Assignment CreatedOn CreatedBy
Ten 896470ca-9c6e-4176-9b38-5a655403c638 Tenant Root Group inherited Tenant User Access Administrator 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Authorization/roleAssignments/0c3ffd6f-942d-433d-8abd-2d0d7f4383e1 none 2021-01-10 20:27:23 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Ten 896470ca-9c6e-4176-9b38-5a655403c638 Tenant Root Group inherited Tenant Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Authorization/roleAssignments/6c236776-529f-4132-b034-e399e1cd1a99 none 2021-01-10 20:51:02 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg 896470ca-9c6e-4176-9b38-5a655403c638 Tenant Root Group thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false AzOps n/a c295384a-33d9-475e-abaf-d2fb0274299a SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/30e36b53-bc6c-412b-a026-96fe7527e27b none 2021-07-06 12:42:21 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg 896470ca-9c6e-4176-9b38-5a655403c638 Tenant Root Group thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/eda95ae6-8581-4558-b3b9-b3cd05cce33d none 2021-06-16 13:58:06 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg 896470ca-9c6e-4176-9b38-5a655403c638 Tenant Root Group thisScope MG Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false azgovvizwwcsecurity n/a e261446e-77d2-4cf5-a32a-0fbef8ee1333 SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/d7973c31-e58a-4af7-bbcb-a4bac69ba141 none 2021-04-27 16:53:54 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg 896470ca-9c6e-4176-9b38-5a655403c638 Tenant Root Group thisScope MG Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false Jack Dalton JackDalton@AzGovViz.onmicrosoft.com c64d2776-a210-428f-b54f-a4a5dd7f8ef8 User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/2df03e9d-a1e3-41f5-a95e-efb2b4641f04 none 2021-07-19 19:38:25 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH ESJH inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false AzOps n/a c295384a-33d9-475e-abaf-d2fb0274299a SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/30e36b53-bc6c-412b-a026-96fe7527e27b none 2021-07-06 12:42:21 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH ESJH inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/eda95ae6-8581-4558-b3b9-b3cd05cce33d none 2021-06-16 13:58:06 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH ESJH inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false azgovvizwwcsecurity n/a e261446e-77d2-4cf5-a32a-0fbef8ee1333 SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/d7973c31-e58a-4af7-bbcb-a4bac69ba141 none 2021-04-27 16:53:54 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH ESJH inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false Jack Dalton JackDalton@AzGovViz.onmicrosoft.com c64d2776-a210-428f-b54f-a4a5dd7f8ef8 User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/2df03e9d-a1e3-41f5-a95e-efb2b4641f04 none 2021-07-19 19:38:25 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Ten ESJH ESJH inherited Tenant User Access Administrator 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Authorization/roleAssignments/0c3ffd6f-942d-433d-8abd-2d0d7f4383e1 none 2021-01-10 20:27:23 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Ten ESJH ESJH inherited Tenant Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Authorization/roleAssignments/6c236776-529f-4132-b034-e399e1cd1a99 none 2021-01-10 20:51:02 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH ESJH thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-ASC-Security n/a 4cb4c797-237b-4e64-b2cf-66f841700442 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/538e5329-7b5d-511f-8c05-9c7c32dab0bf /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-security (Deploy Azure Defender settings in Azure Security Center.) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH ESJH thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-AzActivity-Log n/a 1691aa06-da2e-43f0-98f9-af12494603a9 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/e5ac6b58-4f31-5956-9082-78d97ba2453e /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-azactivity-log (Deploy Diagnostic Settings for Activity Log to Log Analytics workspace) 2021-01-10 21:00:49 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH ESJH thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-LX-Arc-Monitoring n/a 9ed01b2b-9311-41a8-8897-0a329047be49 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/ddc0ff3c-a3d0-5d5b-ba19-116b6572acbf /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-lx-arc-monitoring (Configure Log Analytics agent on Azure Arc enabled Linux servers) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH ESJH thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-Resource-Diag n/a e51576ad-748d-462b-9d70-cb3b03e6c2e6 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/45afca7b-a696-5947-a47f-960081dd1dbc /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy Diagnostic Settings to Azure Services) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH ESJH thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VM-Monitoring n/a 065dde0b-5eab-4fce-80ee-ec956e94c498 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/5d92332d-fe07-5cef-9c6b-33e5025d6374 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vm-monitoring (Enable Azure Monitor for VMs) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH ESJH thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VMSS-Monitoring n/a a3a4908f-b068-455e-a3f5-38cc5e00448f SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/2d361fa3-7bd4-5234-9b12-1f54afa65870 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vmss-monitoring (Enable Azure Monitor for Virtual Machine Scale Sets) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH ESJH thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-WS-Arc-Monitoring n/a b0bdcb08-09c9-4d9d-957e-963d255e7220 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/38abf737-131b-52a2-90da-78943675bfed /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-ws-arc-monitoring (Configure Log Analytics agent on Azure Arc enabled Windows servers) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH ESJH thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/f8d8ca86-6fdf-4ad5-b801-5e1b3eba3171 none 2021-01-10 20:55:50 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
Mg ESJHDEV ESJHDEV inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false AzOps n/a c295384a-33d9-475e-abaf-d2fb0274299a SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/30e36b53-bc6c-412b-a026-96fe7527e27b none 2021-07-06 12:42:21 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJHDEV ESJHDEV inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/eda95ae6-8581-4558-b3b9-b3cd05cce33d none 2021-06-16 13:58:06 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJHDEV ESJHDEV inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false azgovvizwwcsecurity n/a e261446e-77d2-4cf5-a32a-0fbef8ee1333 SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/d7973c31-e58a-4af7-bbcb-a4bac69ba141 none 2021-04-27 16:53:54 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJHDEV ESJHDEV inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false Jack Dalton JackDalton@AzGovViz.onmicrosoft.com c64d2776-a210-428f-b54f-a4a5dd7f8ef8 User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/2df03e9d-a1e3-41f5-a95e-efb2b4641f04 none 2021-07-19 19:38:25 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Ten ESJHDEV ESJHDEV inherited Tenant User Access Administrator 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Authorization/roleAssignments/0c3ffd6f-942d-433d-8abd-2d0d7f4383e1 none 2021-01-10 20:27:23 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Ten ESJHDEV ESJHDEV inherited Tenant Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Authorization/roleAssignments/6c236776-529f-4132-b034-e399e1cd1a99 none 2021-01-10 20:51:02 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJHDEV ESJHDEV thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false AzOps n/a c295384a-33d9-475e-abaf-d2fb0274299a SP App INT direct /providers/Microsoft.Management/managementGroups/ESJHDEV/providers/Microsoft.Authorization/roleAssignments/983c43f8-1c29-4c73-9816-b69d38226be4 none 2021-07-06 13:09:24 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
Mg ESJHQA ESJHQA inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false AzOps n/a c295384a-33d9-475e-abaf-d2fb0274299a SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/30e36b53-bc6c-412b-a026-96fe7527e27b none 2021-07-06 12:42:21 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJHQA ESJHQA inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/eda95ae6-8581-4558-b3b9-b3cd05cce33d none 2021-06-16 13:58:06 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJHQA ESJHQA inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false azgovvizwwcsecurity n/a e261446e-77d2-4cf5-a32a-0fbef8ee1333 SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/d7973c31-e58a-4af7-bbcb-a4bac69ba141 none 2021-04-27 16:53:54 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJHQA ESJHQA inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false Jack Dalton JackDalton@AzGovViz.onmicrosoft.com c64d2776-a210-428f-b54f-a4a5dd7f8ef8 User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/2df03e9d-a1e3-41f5-a95e-efb2b4641f04 none 2021-07-19 19:38:25 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Ten ESJHQA ESJHQA inherited Tenant User Access Administrator 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Authorization/roleAssignments/0c3ffd6f-942d-433d-8abd-2d0d7f4383e1 none 2021-01-10 20:27:23 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Ten ESJHQA ESJHQA inherited Tenant Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Authorization/roleAssignments/6c236776-529f-4132-b034-e399e1cd1a99 none 2021-01-10 20:51:02 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJHQA ESJHQA thisScope MG Security Reader 39bc4728-0917-49c7-9d2c-d95423bc2eb4 Builtin false group04NoMembers n/a 5f90ced2-7d5e-493b-9db6-862b9332e20a Group direct 0 (Usr: 0, Grp: 0, SP: 0) /providers/Microsoft.Management/managementGroups/ESJHQA/providers/Microsoft.Authorization/roleAssignments/e010f291-49a9-4d4b-be4d-55c6aeb164cd none 2021-08-06 09:30:11 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJHQA ESJHQA thisScope MG Log Analytics Reader 73c42c96-874c-492b-b04d-ab87d138a893 Builtin false group04NoMembers n/a 5f90ced2-7d5e-493b-9db6-862b9332e20a Group indirect group05OneMemberGroupWithNoMembers (c57f8838-1603-4932-b3c4-9572feea9173) 1 (Usr: 0, Grp: 1, SP: 0) /providers/Microsoft.Management/managementGroups/ESJHQA/providers/Microsoft.Authorization/roleAssignments/fe935a9c-928f-4dec-aafb-54ecc2642cf3 none 2021-08-06 09:30:52 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJHQA ESJHQA thisScope MG Log Analytics Reader 73c42c96-874c-492b-b04d-ab87d138a893 Builtin false group05OneMemberGroupWithNoMembers n/a c57f8838-1603-4932-b3c4-9572feea9173 Group direct 1 (Usr: 0, Grp: 1, SP: 0) /providers/Microsoft.Management/managementGroups/ESJHQA/providers/Microsoft.Authorization/roleAssignments/fe935a9c-928f-4dec-aafb-54ecc2642cf3 none 2021-08-06 09:30:52 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJHQA ESJHQA thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false AzOps n/a c295384a-33d9-475e-abaf-d2fb0274299a SP App INT direct /providers/Microsoft.Management/managementGroups/ESJHQA/providers/Microsoft.Authorization/roleAssignments/9f1fe9df-5a9c-46ca-b881-154ecd19eaa7 none 2021-07-06 10:02:27 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
Mg ESJH-decommissioned ESJH-decommissioned inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false AzOps n/a c295384a-33d9-475e-abaf-d2fb0274299a SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/30e36b53-bc6c-412b-a026-96fe7527e27b none 2021-07-06 12:42:21 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-decommissioned ESJH-decommissioned inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/eda95ae6-8581-4558-b3b9-b3cd05cce33d none 2021-06-16 13:58:06 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-decommissioned ESJH-decommissioned inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false azgovvizwwcsecurity n/a e261446e-77d2-4cf5-a32a-0fbef8ee1333 SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/d7973c31-e58a-4af7-bbcb-a4bac69ba141 none 2021-04-27 16:53:54 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-decommissioned ESJH-decommissioned inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false Jack Dalton JackDalton@AzGovViz.onmicrosoft.com c64d2776-a210-428f-b54f-a4a5dd7f8ef8 User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/2df03e9d-a1e3-41f5-a95e-efb2b4641f04 none 2021-07-19 19:38:25 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-decommissioned ESJH-decommissioned inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-ASC-Security n/a 4cb4c797-237b-4e64-b2cf-66f841700442 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/538e5329-7b5d-511f-8c05-9c7c32dab0bf /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-security (Deploy Azure Defender settings in Azure Security Center.) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-decommissioned ESJH-decommissioned inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-AzActivity-Log n/a 1691aa06-da2e-43f0-98f9-af12494603a9 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/e5ac6b58-4f31-5956-9082-78d97ba2453e /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-azactivity-log (Deploy Diagnostic Settings for Activity Log to Log Analytics workspace) 2021-01-10 21:00:49 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-decommissioned ESJH-decommissioned inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-LX-Arc-Monitoring n/a 9ed01b2b-9311-41a8-8897-0a329047be49 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/ddc0ff3c-a3d0-5d5b-ba19-116b6572acbf /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-lx-arc-monitoring (Configure Log Analytics agent on Azure Arc enabled Linux servers) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-decommissioned ESJH-decommissioned inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-Resource-Diag n/a e51576ad-748d-462b-9d70-cb3b03e6c2e6 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/45afca7b-a696-5947-a47f-960081dd1dbc /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy Diagnostic Settings to Azure Services) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-decommissioned ESJH-decommissioned inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VM-Monitoring n/a 065dde0b-5eab-4fce-80ee-ec956e94c498 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/5d92332d-fe07-5cef-9c6b-33e5025d6374 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vm-monitoring (Enable Azure Monitor for VMs) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-decommissioned ESJH-decommissioned inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VMSS-Monitoring n/a a3a4908f-b068-455e-a3f5-38cc5e00448f SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/2d361fa3-7bd4-5234-9b12-1f54afa65870 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vmss-monitoring (Enable Azure Monitor for Virtual Machine Scale Sets) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-decommissioned ESJH-decommissioned inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-WS-Arc-Monitoring n/a b0bdcb08-09c9-4d9d-957e-963d255e7220 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/38abf737-131b-52a2-90da-78943675bfed /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-ws-arc-monitoring (Configure Log Analytics agent on Azure Arc enabled Windows servers) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-decommissioned ESJH-decommissioned inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/f8d8ca86-6fdf-4ad5-b801-5e1b3eba3171 none 2021-01-10 20:55:50 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
Ten ESJH-decommissioned ESJH-decommissioned inherited Tenant User Access Administrator 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Authorization/roleAssignments/0c3ffd6f-942d-433d-8abd-2d0d7f4383e1 none 2021-01-10 20:27:23 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Ten ESJH-decommissioned ESJH-decommissioned inherited Tenant Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Authorization/roleAssignments/6c236776-529f-4132-b034-e399e1cd1a99 none 2021-01-10 20:51:02 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-decommissioned ESJH-decommissioned thisScope MG Security Reader 39bc4728-0917-49c7-9d2c-d95423bc2eb4 Builtin false Jesse James Jesse.James@AzGovViz.onmicrosoft.com 6f71f3b7-98e1-4821-8116-13b41476ef84 User Member direct /providers/Microsoft.Management/managementGroups/ESJH-decommissioned/providers/Microsoft.Authorization/roleAssignments/9bdf3098-8e69-4e98-bd8c-22b991783b10 none 2021-06-16 09:52:59 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-decommissioned ESJH-decommissioned thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH-decommissioned/providers/Microsoft.Authorization/roleAssignments/81bb9ace-a96d-47ab-b9a2-8952e655aa0c none 2021-01-10 20:56:27 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
Mg ESJH-landingzones ESJH-landingzones inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false AzOps n/a c295384a-33d9-475e-abaf-d2fb0274299a SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/30e36b53-bc6c-412b-a026-96fe7527e27b none 2021-07-06 12:42:21 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-landingzones ESJH-landingzones inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/eda95ae6-8581-4558-b3b9-b3cd05cce33d none 2021-06-16 13:58:06 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-landingzones ESJH-landingzones inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false azgovvizwwcsecurity n/a e261446e-77d2-4cf5-a32a-0fbef8ee1333 SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/d7973c31-e58a-4af7-bbcb-a4bac69ba141 none 2021-04-27 16:53:54 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-landingzones ESJH-landingzones inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false Jack Dalton JackDalton@AzGovViz.onmicrosoft.com c64d2776-a210-428f-b54f-a4a5dd7f8ef8 User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/2df03e9d-a1e3-41f5-a95e-efb2b4641f04 none 2021-07-19 19:38:25 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-landingzones ESJH-landingzones inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-ASC-Security n/a 4cb4c797-237b-4e64-b2cf-66f841700442 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/538e5329-7b5d-511f-8c05-9c7c32dab0bf /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-security (Deploy Azure Defender settings in Azure Security Center.) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-landingzones ESJH-landingzones inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-AzActivity-Log n/a 1691aa06-da2e-43f0-98f9-af12494603a9 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/e5ac6b58-4f31-5956-9082-78d97ba2453e /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-azactivity-log (Deploy Diagnostic Settings for Activity Log to Log Analytics workspace) 2021-01-10 21:00:49 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-landingzones ESJH-landingzones inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-LX-Arc-Monitoring n/a 9ed01b2b-9311-41a8-8897-0a329047be49 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/ddc0ff3c-a3d0-5d5b-ba19-116b6572acbf /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-lx-arc-monitoring (Configure Log Analytics agent on Azure Arc enabled Linux servers) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-landingzones ESJH-landingzones inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-Resource-Diag n/a e51576ad-748d-462b-9d70-cb3b03e6c2e6 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/45afca7b-a696-5947-a47f-960081dd1dbc /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy Diagnostic Settings to Azure Services) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-landingzones ESJH-landingzones inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VM-Monitoring n/a 065dde0b-5eab-4fce-80ee-ec956e94c498 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/5d92332d-fe07-5cef-9c6b-33e5025d6374 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vm-monitoring (Enable Azure Monitor for VMs) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-landingzones ESJH-landingzones inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VMSS-Monitoring n/a a3a4908f-b068-455e-a3f5-38cc5e00448f SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/2d361fa3-7bd4-5234-9b12-1f54afa65870 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vmss-monitoring (Enable Azure Monitor for Virtual Machine Scale Sets) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-landingzones ESJH-landingzones inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-WS-Arc-Monitoring n/a b0bdcb08-09c9-4d9d-957e-963d255e7220 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/38abf737-131b-52a2-90da-78943675bfed /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-ws-arc-monitoring (Configure Log Analytics agent on Azure Arc enabled Windows servers) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-landingzones ESJH-landingzones inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/f8d8ca86-6fdf-4ad5-b801-5e1b3eba3171 none 2021-01-10 20:55:50 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
Ten ESJH-landingzones ESJH-landingzones inherited Tenant User Access Administrator 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Authorization/roleAssignments/0c3ffd6f-942d-433d-8abd-2d0d7f4383e1 none 2021-01-10 20:27:23 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Ten ESJH-landingzones ESJH-landingzones inherited Tenant Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Authorization/roleAssignments/6c236776-529f-4132-b034-e399e1cd1a99 none 2021-01-10 20:51:02 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-landingzones ESJH-landingzones thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-AKS-Policy n/a fb0a7498-393f-434d-aa93-2acd144f489f SP MI direct /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/4f80e55d-446d-5743-a173-5d189d196345 /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deploy-aks-policy (Deploy Azure Policy Add-on to Azure Kubernetes Service clusters) 2021-01-10 20:58:39 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-landingzones ESJH-landingzones thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-SQL-DB-Auditing n/a 4f3a2551-ea2f-43c6-9623-8950156d19b7 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/8085d5e6-c291-571e-bd96-a2eb4769f9e6 /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deploy-sql-db-auditing (Auditing on SQL server should be enabled) 2021-01-10 20:58:39 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-landingzones ESJH-landingzones thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VM-Backup n/a e2511ca5-bcb3-4dbd-9d91-c18590c2a9d2 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/70486d4a-1ee2-5f70-bb58-b3bd79840ae5 /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deploy-vm-backup (Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy) 2021-01-10 20:58:36 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-landingzones ESJH-landingzones thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Enforce-SQL-Encryption n/a 34520a11-7b14-46a8-ac34-7d766959460a SP MI direct /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/3df334e6-61c3-543a-b548-97586caf6d4f /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/enforce-sql-encryption (Deploy SQL DB transparent data encryption) 2021-01-10 20:58:36 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-landingzones ESJH-landingzones thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/093ad67e-4eae-4536-aa0b-da4e09b47d88 none 2021-01-10 20:56:27 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
Mg ESJH-landingzones ESJH-landingzones thisScope MG Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false 3rdPartyStaff n/a cb036073-f86b-46e1-9726-1eaccb62a678 Group direct 1 (Usr: 1, Grp: 0, SP: 0) /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/3b6291a1-fc61-41d8-abff-43d04e35be62 none 2021-01-25 22:02:49 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-landingzones ESJH-landingzones thisScope MG Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false Calamity Jane Calamity_Jane_AzGovViz.net#EXT#@AzGovViz.onmicrosoft.com 43b0f5e7-cb78-4e1a-b3da-1239647dfb74 User Guest indirect 3rdPartyStaff (cb036073-f86b-46e1-9726-1eaccb62a678) 1 (Usr: 1, Grp: 0, SP: 0) /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/3b6291a1-fc61-41d8-abff-43d04e35be62 none 2021-01-25 22:02:49 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-platform ESJH-platform inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false AzOps n/a c295384a-33d9-475e-abaf-d2fb0274299a SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/30e36b53-bc6c-412b-a026-96fe7527e27b none 2021-07-06 12:42:21 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-platform ESJH-platform inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/eda95ae6-8581-4558-b3b9-b3cd05cce33d none 2021-06-16 13:58:06 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-platform ESJH-platform inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false azgovvizwwcsecurity n/a e261446e-77d2-4cf5-a32a-0fbef8ee1333 SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/d7973c31-e58a-4af7-bbcb-a4bac69ba141 none 2021-04-27 16:53:54 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-platform ESJH-platform inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false Jack Dalton JackDalton@AzGovViz.onmicrosoft.com c64d2776-a210-428f-b54f-a4a5dd7f8ef8 User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/2df03e9d-a1e3-41f5-a95e-efb2b4641f04 none 2021-07-19 19:38:25 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-platform ESJH-platform inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-ASC-Security n/a 4cb4c797-237b-4e64-b2cf-66f841700442 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/538e5329-7b5d-511f-8c05-9c7c32dab0bf /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-security (Deploy Azure Defender settings in Azure Security Center.) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-platform ESJH-platform inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-AzActivity-Log n/a 1691aa06-da2e-43f0-98f9-af12494603a9 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/e5ac6b58-4f31-5956-9082-78d97ba2453e /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-azactivity-log (Deploy Diagnostic Settings for Activity Log to Log Analytics workspace) 2021-01-10 21:00:49 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-platform ESJH-platform inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-LX-Arc-Monitoring n/a 9ed01b2b-9311-41a8-8897-0a329047be49 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/ddc0ff3c-a3d0-5d5b-ba19-116b6572acbf /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-lx-arc-monitoring (Configure Log Analytics agent on Azure Arc enabled Linux servers) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-platform ESJH-platform inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-Resource-Diag n/a e51576ad-748d-462b-9d70-cb3b03e6c2e6 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/45afca7b-a696-5947-a47f-960081dd1dbc /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy Diagnostic Settings to Azure Services) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-platform ESJH-platform inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VM-Monitoring n/a 065dde0b-5eab-4fce-80ee-ec956e94c498 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/5d92332d-fe07-5cef-9c6b-33e5025d6374 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vm-monitoring (Enable Azure Monitor for VMs) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-platform ESJH-platform inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VMSS-Monitoring n/a a3a4908f-b068-455e-a3f5-38cc5e00448f SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/2d361fa3-7bd4-5234-9b12-1f54afa65870 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vmss-monitoring (Enable Azure Monitor for Virtual Machine Scale Sets) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-platform ESJH-platform inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-WS-Arc-Monitoring n/a b0bdcb08-09c9-4d9d-957e-963d255e7220 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/38abf737-131b-52a2-90da-78943675bfed /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-ws-arc-monitoring (Configure Log Analytics agent on Azure Arc enabled Windows servers) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-platform ESJH-platform inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/f8d8ca86-6fdf-4ad5-b801-5e1b3eba3171 none 2021-01-10 20:55:50 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
Ten ESJH-platform ESJH-platform inherited Tenant User Access Administrator 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Authorization/roleAssignments/0c3ffd6f-942d-433d-8abd-2d0d7f4383e1 none 2021-01-10 20:27:23 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Ten ESJH-platform ESJH-platform inherited Tenant Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Authorization/roleAssignments/6c236776-529f-4132-b034-e399e1cd1a99 none 2021-01-10 20:51:02 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-platform ESJH-platform thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH-platform/providers/Microsoft.Authorization/roleAssignments/243cb616-b890-4197-bc2e-98b966ba39f5 none 2021-01-10 20:56:27 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
Mg ESJH-sandboxes ESJH-sandboxes inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false AzOps n/a c295384a-33d9-475e-abaf-d2fb0274299a SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/30e36b53-bc6c-412b-a026-96fe7527e27b none 2021-07-06 12:42:21 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-sandboxes ESJH-sandboxes inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/eda95ae6-8581-4558-b3b9-b3cd05cce33d none 2021-06-16 13:58:06 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-sandboxes ESJH-sandboxes inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false azgovvizwwcsecurity n/a e261446e-77d2-4cf5-a32a-0fbef8ee1333 SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/d7973c31-e58a-4af7-bbcb-a4bac69ba141 none 2021-04-27 16:53:54 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-sandboxes ESJH-sandboxes inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false Jack Dalton JackDalton@AzGovViz.onmicrosoft.com c64d2776-a210-428f-b54f-a4a5dd7f8ef8 User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/2df03e9d-a1e3-41f5-a95e-efb2b4641f04 none 2021-07-19 19:38:25 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-sandboxes ESJH-sandboxes inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-ASC-Security n/a 4cb4c797-237b-4e64-b2cf-66f841700442 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/538e5329-7b5d-511f-8c05-9c7c32dab0bf /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-security (Deploy Azure Defender settings in Azure Security Center.) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-sandboxes ESJH-sandboxes inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-AzActivity-Log n/a 1691aa06-da2e-43f0-98f9-af12494603a9 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/e5ac6b58-4f31-5956-9082-78d97ba2453e /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-azactivity-log (Deploy Diagnostic Settings for Activity Log to Log Analytics workspace) 2021-01-10 21:00:49 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-sandboxes ESJH-sandboxes inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-LX-Arc-Monitoring n/a 9ed01b2b-9311-41a8-8897-0a329047be49 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/ddc0ff3c-a3d0-5d5b-ba19-116b6572acbf /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-lx-arc-monitoring (Configure Log Analytics agent on Azure Arc enabled Linux servers) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-sandboxes ESJH-sandboxes inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-Resource-Diag n/a e51576ad-748d-462b-9d70-cb3b03e6c2e6 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/45afca7b-a696-5947-a47f-960081dd1dbc /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy Diagnostic Settings to Azure Services) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-sandboxes ESJH-sandboxes inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VM-Monitoring n/a 065dde0b-5eab-4fce-80ee-ec956e94c498 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/5d92332d-fe07-5cef-9c6b-33e5025d6374 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vm-monitoring (Enable Azure Monitor for VMs) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-sandboxes ESJH-sandboxes inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VMSS-Monitoring n/a a3a4908f-b068-455e-a3f5-38cc5e00448f SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/2d361fa3-7bd4-5234-9b12-1f54afa65870 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vmss-monitoring (Enable Azure Monitor for Virtual Machine Scale Sets) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-sandboxes ESJH-sandboxes inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-WS-Arc-Monitoring n/a b0bdcb08-09c9-4d9d-957e-963d255e7220 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/38abf737-131b-52a2-90da-78943675bfed /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-ws-arc-monitoring (Configure Log Analytics agent on Azure Arc enabled Windows servers) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-sandboxes ESJH-sandboxes inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/f8d8ca86-6fdf-4ad5-b801-5e1b3eba3171 none 2021-01-10 20:55:50 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
Ten ESJH-sandboxes ESJH-sandboxes inherited Tenant User Access Administrator 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Authorization/roleAssignments/0c3ffd6f-942d-433d-8abd-2d0d7f4383e1 none 2021-01-10 20:27:23 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Ten ESJH-sandboxes ESJH-sandboxes inherited Tenant Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Authorization/roleAssignments/6c236776-529f-4132-b034-e399e1cd1a99 none 2021-01-10 20:51:02 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-sandboxes ESJH-sandboxes thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH-sandboxes/providers/Microsoft.Authorization/roleAssignments/5c852bb9-bc65-44cb-a7d7-f230589f9c5f none 2021-01-10 20:56:28 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
Mg ESJH-sandboxes ESJH-sandboxes thisScope MG Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH-sandboxes/providers/Microsoft.Authorization/roleAssignments/5c852bb9-bc65-44cb-a7d7-f230589f9c11 none 2021-07-05 08:20:09 ObjectType: SP App INT, ObjectDisplayName: AzOps, ObjectSignInName: n/a, ObjectId: c295384a-33d9-475e-abaf-d2fb0274299a
Mg CUST_T5 CUST_T5 atz inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false AzOps n/a c295384a-33d9-475e-abaf-d2fb0274299a SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/30e36b53-bc6c-412b-a026-96fe7527e27b none 2021-07-06 12:42:21 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg CUST_T5 CUST_T5 atz inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/eda95ae6-8581-4558-b3b9-b3cd05cce33d none 2021-06-16 13:58:06 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg CUST_T5 CUST_T5 atz inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false azgovvizwwcsecurity n/a e261446e-77d2-4cf5-a32a-0fbef8ee1333 SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/d7973c31-e58a-4af7-bbcb-a4bac69ba141 none 2021-04-27 16:53:54 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg CUST_T5 CUST_T5 atz inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false Jack Dalton JackDalton@AzGovViz.onmicrosoft.com c64d2776-a210-428f-b54f-a4a5dd7f8ef8 User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/2df03e9d-a1e3-41f5-a95e-efb2b4641f04 none 2021-07-19 19:38:25 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg CUST_T5 CUST_T5 atz inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-ASC-Security n/a 4cb4c797-237b-4e64-b2cf-66f841700442 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/538e5329-7b5d-511f-8c05-9c7c32dab0bf /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-security (Deploy Azure Defender settings in Azure Security Center.) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg CUST_T5 CUST_T5 atz inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-AzActivity-Log n/a 1691aa06-da2e-43f0-98f9-af12494603a9 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/e5ac6b58-4f31-5956-9082-78d97ba2453e /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-azactivity-log (Deploy Diagnostic Settings for Activity Log to Log Analytics workspace) 2021-01-10 21:00:49 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg CUST_T5 CUST_T5 atz inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-LX-Arc-Monitoring n/a 9ed01b2b-9311-41a8-8897-0a329047be49 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/ddc0ff3c-a3d0-5d5b-ba19-116b6572acbf /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-lx-arc-monitoring (Configure Log Analytics agent on Azure Arc enabled Linux servers) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg CUST_T5 CUST_T5 atz inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-Resource-Diag n/a e51576ad-748d-462b-9d70-cb3b03e6c2e6 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/45afca7b-a696-5947-a47f-960081dd1dbc /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy Diagnostic Settings to Azure Services) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg CUST_T5 CUST_T5 atz inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VM-Monitoring n/a 065dde0b-5eab-4fce-80ee-ec956e94c498 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/5d92332d-fe07-5cef-9c6b-33e5025d6374 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vm-monitoring (Enable Azure Monitor for VMs) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg CUST_T5 CUST_T5 atz inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VMSS-Monitoring n/a a3a4908f-b068-455e-a3f5-38cc5e00448f SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/2d361fa3-7bd4-5234-9b12-1f54afa65870 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vmss-monitoring (Enable Azure Monitor for Virtual Machine Scale Sets) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg CUST_T5 CUST_T5 atz inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-WS-Arc-Monitoring n/a b0bdcb08-09c9-4d9d-957e-963d255e7220 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/38abf737-131b-52a2-90da-78943675bfed /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-ws-arc-monitoring (Configure Log Analytics agent on Azure Arc enabled Windows servers) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg CUST_T5 CUST_T5 atz inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/f8d8ca86-6fdf-4ad5-b801-5e1b3eba3171 none 2021-01-10 20:55:50 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
Mg CUST_T5 CUST_T5 atz inherited ESJH-sandboxes Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH-sandboxes/providers/Microsoft.Authorization/roleAssignments/5c852bb9-bc65-44cb-a7d7-f230589f9c5f none 2021-01-10 20:56:28 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
Mg CUST_T5 CUST_T5 atz inherited ESJH-sandboxes Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH-sandboxes/providers/Microsoft.Authorization/roleAssignments/5c852bb9-bc65-44cb-a7d7-f230589f9c11 none 2021-07-05 08:20:09 ObjectType: SP App INT, ObjectDisplayName: AzOps, ObjectSignInName: n/a, ObjectId: c295384a-33d9-475e-abaf-d2fb0274299a
Ten CUST_T5 CUST_T5 atz inherited Tenant User Access Administrator 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Authorization/roleAssignments/0c3ffd6f-942d-433d-8abd-2d0d7f4383e1 none 2021-01-10 20:27:23 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Ten CUST_T5 CUST_T5 atz inherited Tenant Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Authorization/roleAssignments/6c236776-529f-4132-b034-e399e1cd1a99 none 2021-01-10 20:51:02 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg CUST_T5 CUST_T5 atz thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/CUST_T5/providers/Microsoft.Authorization/roleAssignments/3c72bcce-6116-4d33-9f8a-927083beee40 none 2021-05-18 18:14:50 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
Mg ESJH-management ESJH-management inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false AzOps n/a c295384a-33d9-475e-abaf-d2fb0274299a SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/30e36b53-bc6c-412b-a026-96fe7527e27b none 2021-07-06 12:42:21 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-management ESJH-management inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/eda95ae6-8581-4558-b3b9-b3cd05cce33d none 2021-06-16 13:58:06 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-management ESJH-management inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false azgovvizwwcsecurity n/a e261446e-77d2-4cf5-a32a-0fbef8ee1333 SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/d7973c31-e58a-4af7-bbcb-a4bac69ba141 none 2021-04-27 16:53:54 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-management ESJH-management inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false Jack Dalton JackDalton@AzGovViz.onmicrosoft.com c64d2776-a210-428f-b54f-a4a5dd7f8ef8 User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/2df03e9d-a1e3-41f5-a95e-efb2b4641f04 none 2021-07-19 19:38:25 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-management ESJH-management inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-ASC-Security n/a 4cb4c797-237b-4e64-b2cf-66f841700442 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/538e5329-7b5d-511f-8c05-9c7c32dab0bf /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-security (Deploy Azure Defender settings in Azure Security Center.) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-management ESJH-management inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-AzActivity-Log n/a 1691aa06-da2e-43f0-98f9-af12494603a9 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/e5ac6b58-4f31-5956-9082-78d97ba2453e /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-azactivity-log (Deploy Diagnostic Settings for Activity Log to Log Analytics workspace) 2021-01-10 21:00:49 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-management ESJH-management inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-LX-Arc-Monitoring n/a 9ed01b2b-9311-41a8-8897-0a329047be49 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/ddc0ff3c-a3d0-5d5b-ba19-116b6572acbf /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-lx-arc-monitoring (Configure Log Analytics agent on Azure Arc enabled Linux servers) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-management ESJH-management inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-Resource-Diag n/a e51576ad-748d-462b-9d70-cb3b03e6c2e6 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/45afca7b-a696-5947-a47f-960081dd1dbc /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy Diagnostic Settings to Azure Services) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-management ESJH-management inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VM-Monitoring n/a 065dde0b-5eab-4fce-80ee-ec956e94c498 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/5d92332d-fe07-5cef-9c6b-33e5025d6374 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vm-monitoring (Enable Azure Monitor for VMs) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-management ESJH-management inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VMSS-Monitoring n/a a3a4908f-b068-455e-a3f5-38cc5e00448f SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/2d361fa3-7bd4-5234-9b12-1f54afa65870 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vmss-monitoring (Enable Azure Monitor for Virtual Machine Scale Sets) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-management ESJH-management inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-WS-Arc-Monitoring n/a b0bdcb08-09c9-4d9d-957e-963d255e7220 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/38abf737-131b-52a2-90da-78943675bfed /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-ws-arc-monitoring (Configure Log Analytics agent on Azure Arc enabled Windows servers) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-management ESJH-management inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/f8d8ca86-6fdf-4ad5-b801-5e1b3eba3171 none 2021-01-10 20:55:50 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
Mg ESJH-management ESJH-management inherited ESJH-platform Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH-platform/providers/Microsoft.Authorization/roleAssignments/243cb616-b890-4197-bc2e-98b966ba39f5 none 2021-01-10 20:56:27 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
Ten ESJH-management ESJH-management inherited Tenant User Access Administrator 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Authorization/roleAssignments/0c3ffd6f-942d-433d-8abd-2d0d7f4383e1 none 2021-01-10 20:27:23 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Ten ESJH-management ESJH-management inherited Tenant Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Authorization/roleAssignments/6c236776-529f-4132-b034-e399e1cd1a99 none 2021-01-10 20:51:02 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-management ESJH-management thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-Log-Analytics n/a 2f3b9d0b-e8eb-4197-9cdf-ca6bde5dd3e5 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH-management/providers/Microsoft.Authorization/roleAssignments/b95d2309-e3d0-5961-bef8-a3e75deca49a /providers/microsoft.management/managementgroups/esjh-management/providers/microsoft.authorization/policyassignments/deploy-log-analytics (Deploy the Log Analytics in the subscription) 2021-01-10 20:58:39 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-management ESJH-management thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH-management/providers/Microsoft.Authorization/roleAssignments/84fb757b-e5ed-44e1-92fa-5d2ed6fe5cd1 none 2021-01-10 20:56:58 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
Mg ESJH-management ESJH-management f28ba982-5ed0-4033-9bdf-e45e4b5df466 management inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false AzOps n/a c295384a-33d9-475e-abaf-d2fb0274299a SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/30e36b53-bc6c-412b-a026-96fe7527e27b none 2021-07-06 12:42:21 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-management ESJH-management f28ba982-5ed0-4033-9bdf-e45e4b5df466 management inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/eda95ae6-8581-4558-b3b9-b3cd05cce33d none 2021-06-16 13:58:06 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-management ESJH-management f28ba982-5ed0-4033-9bdf-e45e4b5df466 management inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false azgovvizwwcsecurity n/a e261446e-77d2-4cf5-a32a-0fbef8ee1333 SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/d7973c31-e58a-4af7-bbcb-a4bac69ba141 none 2021-04-27 16:53:54 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-management ESJH-management f28ba982-5ed0-4033-9bdf-e45e4b5df466 management inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false Jack Dalton JackDalton@AzGovViz.onmicrosoft.com c64d2776-a210-428f-b54f-a4a5dd7f8ef8 User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/2df03e9d-a1e3-41f5-a95e-efb2b4641f04 none 2021-07-19 19:38:25 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-management ESJH-management f28ba982-5ed0-4033-9bdf-e45e4b5df466 management inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-ASC-Security n/a 4cb4c797-237b-4e64-b2cf-66f841700442 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/538e5329-7b5d-511f-8c05-9c7c32dab0bf /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-security (Deploy Azure Defender settings in Azure Security Center.) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-management ESJH-management f28ba982-5ed0-4033-9bdf-e45e4b5df466 management inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-AzActivity-Log n/a 1691aa06-da2e-43f0-98f9-af12494603a9 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/e5ac6b58-4f31-5956-9082-78d97ba2453e /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-azactivity-log (Deploy Diagnostic Settings for Activity Log to Log Analytics workspace) 2021-01-10 21:00:49 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-management ESJH-management f28ba982-5ed0-4033-9bdf-e45e4b5df466 management inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-LX-Arc-Monitoring n/a 9ed01b2b-9311-41a8-8897-0a329047be49 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/ddc0ff3c-a3d0-5d5b-ba19-116b6572acbf /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-lx-arc-monitoring (Configure Log Analytics agent on Azure Arc enabled Linux servers) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-management ESJH-management f28ba982-5ed0-4033-9bdf-e45e4b5df466 management inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-Resource-Diag n/a e51576ad-748d-462b-9d70-cb3b03e6c2e6 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/45afca7b-a696-5947-a47f-960081dd1dbc /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy Diagnostic Settings to Azure Services) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-management ESJH-management f28ba982-5ed0-4033-9bdf-e45e4b5df466 management inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VM-Monitoring n/a 065dde0b-5eab-4fce-80ee-ec956e94c498 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/5d92332d-fe07-5cef-9c6b-33e5025d6374 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vm-monitoring (Enable Azure Monitor for VMs) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-management ESJH-management f28ba982-5ed0-4033-9bdf-e45e4b5df466 management inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VMSS-Monitoring n/a a3a4908f-b068-455e-a3f5-38cc5e00448f SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/2d361fa3-7bd4-5234-9b12-1f54afa65870 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vmss-monitoring (Enable Azure Monitor for Virtual Machine Scale Sets) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-management ESJH-management f28ba982-5ed0-4033-9bdf-e45e4b5df466 management inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-WS-Arc-Monitoring n/a b0bdcb08-09c9-4d9d-957e-963d255e7220 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/38abf737-131b-52a2-90da-78943675bfed /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-ws-arc-monitoring (Configure Log Analytics agent on Azure Arc enabled Windows servers) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-management ESJH-management f28ba982-5ed0-4033-9bdf-e45e4b5df466 management inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/f8d8ca86-6fdf-4ad5-b801-5e1b3eba3171 none 2021-01-10 20:55:50 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
Mg ESJH-management ESJH-management f28ba982-5ed0-4033-9bdf-e45e4b5df466 management inherited ESJH-management Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-Log-Analytics n/a 2f3b9d0b-e8eb-4197-9cdf-ca6bde5dd3e5 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH-management/providers/Microsoft.Authorization/roleAssignments/b95d2309-e3d0-5961-bef8-a3e75deca49a /providers/microsoft.management/managementgroups/esjh-management/providers/microsoft.authorization/policyassignments/deploy-log-analytics (Deploy the Log Analytics in the subscription) 2021-01-10 20:58:39 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-management ESJH-management f28ba982-5ed0-4033-9bdf-e45e4b5df466 management inherited ESJH-management Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH-management/providers/Microsoft.Authorization/roleAssignments/84fb757b-e5ed-44e1-92fa-5d2ed6fe5cd1 none 2021-01-10 20:56:58 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
Mg ESJH-management ESJH-management f28ba982-5ed0-4033-9bdf-e45e4b5df466 management inherited ESJH-platform Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH-platform/providers/Microsoft.Authorization/roleAssignments/243cb616-b890-4197-bc2e-98b966ba39f5 none 2021-01-10 20:56:27 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
Ten ESJH-management ESJH-management f28ba982-5ed0-4033-9bdf-e45e4b5df466 management inherited Tenant User Access Administrator 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Authorization/roleAssignments/0c3ffd6f-942d-433d-8abd-2d0d7f4383e1 none 2021-01-10 20:27:23 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Ten ESJH-management ESJH-management f28ba982-5ed0-4033-9bdf-e45e4b5df466 management inherited Tenant Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Authorization/roleAssignments/6c236776-529f-4132-b034-e399e1cd1a99 none 2021-01-10 20:51:02 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
RG ESJH-management ESJH-management f28ba982-5ed0-4033-9bdf-e45e4b5df466 management thisScope Sub RG Contributor b24988ac-6180-42a0-ab88-20f7382dd24c Builtin false user03 user03@AzGovViz.onmicrosoft.com c472fa07-5319-4f5f-8bcd-00d4162bb8fd User Member direct /subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourceGroups/NSG/providers/Microsoft.Authorization/roleAssignments/1fe0074e-959c-4d3e-9478-9dc99a34062a none 2021-05-18 17:59:58 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-online ESJH-online inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false AzOps n/a c295384a-33d9-475e-abaf-d2fb0274299a SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/30e36b53-bc6c-412b-a026-96fe7527e27b none 2021-07-06 12:42:21 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-online ESJH-online inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/eda95ae6-8581-4558-b3b9-b3cd05cce33d none 2021-06-16 13:58:06 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-online ESJH-online inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false azgovvizwwcsecurity n/a e261446e-77d2-4cf5-a32a-0fbef8ee1333 SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/d7973c31-e58a-4af7-bbcb-a4bac69ba141 none 2021-04-27 16:53:54 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-online ESJH-online inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false Jack Dalton JackDalton@AzGovViz.onmicrosoft.com c64d2776-a210-428f-b54f-a4a5dd7f8ef8 User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/2df03e9d-a1e3-41f5-a95e-efb2b4641f04 none 2021-07-19 19:38:25 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-online ESJH-online inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-ASC-Security n/a 4cb4c797-237b-4e64-b2cf-66f841700442 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/538e5329-7b5d-511f-8c05-9c7c32dab0bf /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-security (Deploy Azure Defender settings in Azure Security Center.) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-online ESJH-online inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-AzActivity-Log n/a 1691aa06-da2e-43f0-98f9-af12494603a9 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/e5ac6b58-4f31-5956-9082-78d97ba2453e /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-azactivity-log (Deploy Diagnostic Settings for Activity Log to Log Analytics workspace) 2021-01-10 21:00:49 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-online ESJH-online inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-LX-Arc-Monitoring n/a 9ed01b2b-9311-41a8-8897-0a329047be49 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/ddc0ff3c-a3d0-5d5b-ba19-116b6572acbf /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-lx-arc-monitoring (Configure Log Analytics agent on Azure Arc enabled Linux servers) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-online ESJH-online inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-Resource-Diag n/a e51576ad-748d-462b-9d70-cb3b03e6c2e6 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/45afca7b-a696-5947-a47f-960081dd1dbc /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy Diagnostic Settings to Azure Services) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-online ESJH-online inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VM-Monitoring n/a 065dde0b-5eab-4fce-80ee-ec956e94c498 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/5d92332d-fe07-5cef-9c6b-33e5025d6374 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vm-monitoring (Enable Azure Monitor for VMs) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-online ESJH-online inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VMSS-Monitoring n/a a3a4908f-b068-455e-a3f5-38cc5e00448f SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/2d361fa3-7bd4-5234-9b12-1f54afa65870 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vmss-monitoring (Enable Azure Monitor for Virtual Machine Scale Sets) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-online ESJH-online inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-WS-Arc-Monitoring n/a b0bdcb08-09c9-4d9d-957e-963d255e7220 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/38abf737-131b-52a2-90da-78943675bfed /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-ws-arc-monitoring (Configure Log Analytics agent on Azure Arc enabled Windows servers) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-online ESJH-online inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/f8d8ca86-6fdf-4ad5-b801-5e1b3eba3171 none 2021-01-10 20:55:50 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
Mg ESJH-online ESJH-online inherited ESJH-landingzones Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-AKS-Policy n/a fb0a7498-393f-434d-aa93-2acd144f489f SP MI direct /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/4f80e55d-446d-5743-a173-5d189d196345 /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deploy-aks-policy (Deploy Azure Policy Add-on to Azure Kubernetes Service clusters) 2021-01-10 20:58:39 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-online ESJH-online inherited ESJH-landingzones Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-SQL-DB-Auditing n/a 4f3a2551-ea2f-43c6-9623-8950156d19b7 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/8085d5e6-c291-571e-bd96-a2eb4769f9e6 /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deploy-sql-db-auditing (Auditing on SQL server should be enabled) 2021-01-10 20:58:39 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-online ESJH-online inherited ESJH-landingzones Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VM-Backup n/a e2511ca5-bcb3-4dbd-9d91-c18590c2a9d2 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/70486d4a-1ee2-5f70-bb58-b3bd79840ae5 /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deploy-vm-backup (Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy) 2021-01-10 20:58:36 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-online ESJH-online inherited ESJH-landingzones Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Enforce-SQL-Encryption n/a 34520a11-7b14-46a8-ac34-7d766959460a SP MI direct /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/3df334e6-61c3-543a-b548-97586caf6d4f /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/enforce-sql-encryption (Deploy SQL DB transparent data encryption) 2021-01-10 20:58:36 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-online ESJH-online inherited ESJH-landingzones Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/093ad67e-4eae-4536-aa0b-da4e09b47d88 none 2021-01-10 20:56:27 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
Mg ESJH-online ESJH-online inherited ESJH-landingzones Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false 3rdPartyStaff n/a cb036073-f86b-46e1-9726-1eaccb62a678 Group direct 1 (Usr: 1, Grp: 0, SP: 0) /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/3b6291a1-fc61-41d8-abff-43d04e35be62 none 2021-01-25 22:02:49 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-online ESJH-online inherited ESJH-landingzones Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false Calamity Jane Calamity_Jane_AzGovViz.net#EXT#@AzGovViz.onmicrosoft.com 43b0f5e7-cb78-4e1a-b3da-1239647dfb74 User Guest indirect 3rdPartyStaff (cb036073-f86b-46e1-9726-1eaccb62a678) 1 (Usr: 1, Grp: 0, SP: 0) /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/3b6291a1-fc61-41d8-abff-43d04e35be62 none 2021-01-25 22:02:49 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Ten ESJH-online ESJH-online inherited Tenant User Access Administrator 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Authorization/roleAssignments/0c3ffd6f-942d-433d-8abd-2d0d7f4383e1 none 2021-01-10 20:27:23 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Ten ESJH-online ESJH-online inherited Tenant Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Authorization/roleAssignments/6c236776-529f-4132-b034-e399e1cd1a99 none 2021-01-10 20:51:02 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-online ESJH-online thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH-online/providers/Microsoft.Authorization/roleAssignments/06ee6718-e394-4fcf-bbc2-cf358381ff67 none 2021-01-10 20:57:02 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
Mg ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false AzOps n/a c295384a-33d9-475e-abaf-d2fb0274299a SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/30e36b53-bc6c-412b-a026-96fe7527e27b none 2021-07-06 12:42:21 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/eda95ae6-8581-4558-b3b9-b3cd05cce33d none 2021-06-16 13:58:06 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false azgovvizwwcsecurity n/a e261446e-77d2-4cf5-a32a-0fbef8ee1333 SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/d7973c31-e58a-4af7-bbcb-a4bac69ba141 none 2021-04-27 16:53:54 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false Jack Dalton JackDalton@AzGovViz.onmicrosoft.com c64d2776-a210-428f-b54f-a4a5dd7f8ef8 User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/2df03e9d-a1e3-41f5-a95e-efb2b4641f04 none 2021-07-19 19:38:25 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-ASC-Security n/a 4cb4c797-237b-4e64-b2cf-66f841700442 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/538e5329-7b5d-511f-8c05-9c7c32dab0bf /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-security (Deploy Azure Defender settings in Azure Security Center.) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-AzActivity-Log n/a 1691aa06-da2e-43f0-98f9-af12494603a9 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/e5ac6b58-4f31-5956-9082-78d97ba2453e /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-azactivity-log (Deploy Diagnostic Settings for Activity Log to Log Analytics workspace) 2021-01-10 21:00:49 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-LX-Arc-Monitoring n/a 9ed01b2b-9311-41a8-8897-0a329047be49 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/ddc0ff3c-a3d0-5d5b-ba19-116b6572acbf /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-lx-arc-monitoring (Configure Log Analytics agent on Azure Arc enabled Linux servers) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-Resource-Diag n/a e51576ad-748d-462b-9d70-cb3b03e6c2e6 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/45afca7b-a696-5947-a47f-960081dd1dbc /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy Diagnostic Settings to Azure Services) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VM-Monitoring n/a 065dde0b-5eab-4fce-80ee-ec956e94c498 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/5d92332d-fe07-5cef-9c6b-33e5025d6374 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vm-monitoring (Enable Azure Monitor for VMs) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VMSS-Monitoring n/a a3a4908f-b068-455e-a3f5-38cc5e00448f SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/2d361fa3-7bd4-5234-9b12-1f54afa65870 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vmss-monitoring (Enable Azure Monitor for Virtual Machine Scale Sets) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-WS-Arc-Monitoring n/a b0bdcb08-09c9-4d9d-957e-963d255e7220 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/38abf737-131b-52a2-90da-78943675bfed /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-ws-arc-monitoring (Configure Log Analytics agent on Azure Arc enabled Windows servers) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/f8d8ca86-6fdf-4ad5-b801-5e1b3eba3171 none 2021-01-10 20:55:50 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
Mg ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone inherited ESJH-landingzones Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-AKS-Policy n/a fb0a7498-393f-434d-aa93-2acd144f489f SP MI direct /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/4f80e55d-446d-5743-a173-5d189d196345 /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deploy-aks-policy (Deploy Azure Policy Add-on to Azure Kubernetes Service clusters) 2021-01-10 20:58:39 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone inherited ESJH-landingzones Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-SQL-DB-Auditing n/a 4f3a2551-ea2f-43c6-9623-8950156d19b7 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/8085d5e6-c291-571e-bd96-a2eb4769f9e6 /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deploy-sql-db-auditing (Auditing on SQL server should be enabled) 2021-01-10 20:58:39 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone inherited ESJH-landingzones Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VM-Backup n/a e2511ca5-bcb3-4dbd-9d91-c18590c2a9d2 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/70486d4a-1ee2-5f70-bb58-b3bd79840ae5 /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deploy-vm-backup (Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy) 2021-01-10 20:58:36 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone inherited ESJH-landingzones Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Enforce-SQL-Encryption n/a 34520a11-7b14-46a8-ac34-7d766959460a SP MI direct /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/3df334e6-61c3-543a-b548-97586caf6d4f /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/enforce-sql-encryption (Deploy SQL DB transparent data encryption) 2021-01-10 20:58:36 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Mg ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone inherited ESJH-landingzones Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/093ad67e-4eae-4536-aa0b-da4e09b47d88 none 2021-01-10 20:56:27 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
Mg ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone inherited ESJH-landingzones Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false 3rdPartyStaff n/a cb036073-f86b-46e1-9726-1eaccb62a678 Group direct 1 (Usr: 1, Grp: 0, SP: 0) /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/3b6291a1-fc61-41d8-abff-43d04e35be62 none 2021-01-25 22:02:49 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone inherited ESJH-landingzones Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false Calamity Jane Calamity_Jane_AzGovViz.net#EXT#@AzGovViz.onmicrosoft.com 43b0f5e7-cb78-4e1a-b3da-1239647dfb74 User Guest indirect 3rdPartyStaff (cb036073-f86b-46e1-9726-1eaccb62a678) 1 (Usr: 1, Grp: 0, SP: 0) /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/3b6291a1-fc61-41d8-abff-43d04e35be62 none 2021-01-25 22:02:49 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone inherited ESJH-online Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH-online/providers/Microsoft.Authorization/roleAssignments/06ee6718-e394-4fcf-bbc2-cf358381ff67 none 2021-01-10 20:57:02 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
Ten ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone inherited Tenant User Access Administrator 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Authorization/roleAssignments/0c3ffd6f-942d-433d-8abd-2d0d7f4383e1 none 2021-01-10 20:27:23 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Ten ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone inherited Tenant Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Authorization/roleAssignments/6c236776-529f-4132-b034-e399e1cd1a99 none 2021-01-10 20:51:02 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Sub ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone thisScope Sub User Access Administrator 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 Builtin false Calamity Jane Calamity_Jane_AzGovViz.net#EXT#@AzGovViz.onmicrosoft.com 43b0f5e7-cb78-4e1a-b3da-1239647dfb74 User Guest indirect group03 (e2390190-219f-419f-bdfa-a9f5cc3698cc) 1 (Usr: 1, Grp: 0, SP: 0) /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleAssignments/6bbd9ae3-1189-40bb-8170-7e8674b79159 none 2021-07-21 10:08:04 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Sub ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone thisScope Sub User Access Administrator 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 Builtin false Calamity Jane Calamity_Jane_AzGovViz.net#EXT#@AzGovViz.onmicrosoft.com 43b0f5e7-cb78-4e1a-b3da-1239647dfb74 User Guest direct /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleAssignments/70e14253-25d3-447f-9356-ac32985062a4 none 2021-07-19 19:31:24 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Sub ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone thisScope Sub User Access Administrator 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 Builtin false group03 n/a e2390190-219f-419f-bdfa-a9f5cc3698cc Group direct 1 (Usr: 1, Grp: 0, SP: 0) /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleAssignments/6bbd9ae3-1189-40bb-8170-7e8674b79159 none 2021-07-21 10:08:04 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Sub ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone thisScope Sub Monitoring Reader 43d0d8ad-25c7-4714-9337-8ba259a9fe05 Builtin false Jolly Jumper JollyJumper@AzGovViz.onmicrosoft.com 192ff2e5-52de-4c93-b220-f9ced74068b0 User Member direct /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleAssignments/79041f69-fb87-4da7-8676-6431f7ad43a8 none 2021-01-25 22:11:25 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Sub ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone thisScope Sub Tag Contributor 4a9ae827-6dc8-4573-8ac7-8239d42aa03f Builtin false Tag Bert TagBert@AzGovViz.onmicrosoft.com 9e1643fe-b887-4a53-9071-56801236f719 User Member direct /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleAssignments/1dd61049-04b7-4058-af49-01f9b83159b2 none 2021-07-22 08:57:09 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Sub ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone thisScope Sub Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Jack Dalton JackDalton@AzGovViz.onmicrosoft.com c64d2776-a210-428f-b54f-a4a5dd7f8ef8 User Member direct /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleAssignments/2754101a-9df1-48e7-ae2a-836f23710ed7 none 2021-07-19 19:43:09 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Sub ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone thisScope Sub Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleAssignments/68463d6a-5bd9-4d2b-8607-cb12a73d3c53 none 2021-05-13 12:05:47 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Sub ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone thisScope Sub Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false group00 n/a c1916fdd-08d8-439e-a329-d540c6f002a8 Group direct 6 (Usr: 4, Grp: 2, SP: 0) /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleAssignments/06e10e98-b109-40c5-bf73-691605bf66e3 none 2021-05-15 06:39:30 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Sub ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone thisScope Sub Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false group01 n/a 66f4e0b3-13af-4c93-ad43-67042ed760e5 Group indirect group00 (c1916fdd-08d8-439e-a329-d540c6f002a8) 6 (Usr: 4, Grp: 2, SP: 0) /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleAssignments/06e10e98-b109-40c5-bf73-691605bf66e3 none 2021-05-15 06:39:30 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Sub ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone thisScope Sub Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false group02 n/a 903a7f87-c183-4962-8983-c793a77f18bf Group indirect group00 (c1916fdd-08d8-439e-a329-d540c6f002a8) 6 (Usr: 4, Grp: 2, SP: 0) /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleAssignments/06e10e98-b109-40c5-bf73-691605bf66e3 none 2021-05-15 06:39:30 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Sub ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone thisScope Sub Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false user00 user00@AzGovViz.onmicrosoft.com 05687e51-8ebb-4a06-9eae-9e9786f79090 User Member indirect group00 (c1916fdd-08d8-439e-a329-d540c6f002a8) 6 (Usr: 4, Grp: 2, SP: 0) /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleAssignments/06e10e98-b109-40c5-bf73-691605bf66e3 none 2021-05-15 06:39:30 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Sub ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone thisScope Sub Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false user01 user01@AzGovViz.onmicrosoft.com 7dd8e665-9277-4bbb-94f9-ff278ceff8c0 User Member indirect group00 (c1916fdd-08d8-439e-a329-d540c6f002a8) 6 (Usr: 4, Grp: 2, SP: 0) /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleAssignments/06e10e98-b109-40c5-bf73-691605bf66e3 none 2021-05-15 06:39:30 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Sub ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone thisScope Sub Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false user02 user02@AzGovViz.onmicrosoft.com cb317eea-8af2-4cb8-bde5-516e0b951f1b User Member indirect group00 (c1916fdd-08d8-439e-a329-d540c6f002a8) 6 (Usr: 4, Grp: 2, SP: 0) /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleAssignments/06e10e98-b109-40c5-bf73-691605bf66e3 none 2021-05-15 06:39:30 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Sub ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone thisScope Sub Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false user03 user03@AzGovViz.onmicrosoft.com c472fa07-5319-4f5f-8bcd-00d4162bb8fd User Member indirect group00 (c1916fdd-08d8-439e-a329-d540c6f002a8) 6 (Usr: 4, Grp: 2, SP: 0) /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleAssignments/06e10e98-b109-40c5-bf73-691605bf66e3 none 2021-05-15 06:39:30 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Classic Role Name Identity Identity Type Subscriptions
ServiceAdministrator;AccountAdministrator its.joe.dalton@azgovviz.net User 2

0 Custom Role definitions Owner permissions (Tenant wide)

Role Name RoleId Role Assignment ServicePrincipal (ObjId) Impacted Mg/Sub
Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/30e36b53-bc6c-412b-a026-96fe7527e27b AzOps (c295384a-33d9-475e-abaf-d2fb0274299a) Mg: 11; Sub: 2
Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/3df334e6-61c3-543a-b548-97586caf6d4f Enforce-SQL-Encryption (34520a11-7b14-46a8-ac34-7d766959460a) Mg: 2; Sub: 1
Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/4f80e55d-446d-5743-a173-5d189d196345 Deploy-AKS-Policy (fb0a7498-393f-434d-aa93-2acd144f489f) Mg: 2; Sub: 1
Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/70486d4a-1ee2-5f70-bb58-b3bd79840ae5 Deploy-VM-Backup (e2511ca5-bcb3-4dbd-9d91-c18590c2a9d2) Mg: 2; Sub: 1
Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/8085d5e6-c291-571e-bd96-a2eb4769f9e6 Deploy-SQL-DB-Auditing (4f3a2551-ea2f-43c6-9623-8950156d19b7) Mg: 2; Sub: 1
Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 /providers/Microsoft.Management/managementGroups/ESJH-management/providers/Microsoft.Authorization/roleAssignments/b95d2309-e3d0-5961-bef8-a3e75deca49a Deploy-Log-Analytics (2f3b9d0b-e8eb-4197-9cdf-ca6bde5dd3e5) Mg: 1; Sub: 1
Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/2d361fa3-7bd4-5234-9b12-1f54afa65870 Deploy-VMSS-Monitoring (a3a4908f-b068-455e-a3f5-38cc5e00448f) Mg: 8; Sub: 2
Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/38abf737-131b-52a2-90da-78943675bfed Deploy-WS-Arc-Monitoring (b0bdcb08-09c9-4d9d-957e-963d255e7220) Mg: 8; Sub: 2
Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/45afca7b-a696-5947-a47f-960081dd1dbc Deploy-Resource-Diag (e51576ad-748d-462b-9d70-cb3b03e6c2e6) Mg: 8; Sub: 2
Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/538e5329-7b5d-511f-8c05-9c7c32dab0bf Deploy-ASC-Security (4cb4c797-237b-4e64-b2cf-66f841700442) Mg: 8; Sub: 2
Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/5d92332d-fe07-5cef-9c6b-33e5025d6374 Deploy-VM-Monitoring (065dde0b-5eab-4fce-80ee-ec956e94c498) Mg: 8; Sub: 2
Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/ddc0ff3c-a3d0-5d5b-ba19-116b6572acbf Deploy-LX-Arc-Monitoring (9ed01b2b-9311-41a8-8897-0a329047be49) Mg: 8; Sub: 2
Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/e5ac6b58-4f31-5956-9082-78d97ba2453e Deploy-AzActivity-Log (1691aa06-da2e-43f0-98f9-af12494603a9) Mg: 8; Sub: 2
Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 /providers/Microsoft.Management/managementGroups/ESJHDEV/providers/Microsoft.Authorization/roleAssignments/983c43f8-1c29-4c73-9816-b69d38226be4 AzOps (c295384a-33d9-475e-abaf-d2fb0274299a) Mg: 1; Sub: 0
Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 /providers/Microsoft.Management/managementGroups/ESJHQA/providers/Microsoft.Authorization/roleAssignments/9f1fe9df-5a9c-46ca-b881-154ecd19eaa7 AzOps (c295384a-33d9-475e-abaf-d2fb0274299a) Mg: 1; Sub: 0
Role Name RoleId Role Assignment Obj Type Obj DisplayName Obj SignInName ObjId Impacted Mg/Sub
Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 /providers/Microsoft.Authorization/roleAssignments/6c236776-529f-4132-b034-e399e1cd1a99 User ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 Mg: 11; Sub: 2
Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/30e36b53-bc6c-412b-a026-96fe7527e27b ServicePrincipal AzOps n/a c295384a-33d9-475e-abaf-d2fb0274299a Mg: 11; Sub: 2
Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/eda95ae6-8581-4558-b3b9-b3cd05cce33d User Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a Mg: 11; Sub: 2
Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 /providers/Microsoft.Management/managementGroups/CUST_T5/providers/Microsoft.Authorization/roleAssignments/3c72bcce-6116-4d33-9f8a-927083beee40 User ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 Mg: 1; Sub: 0
Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 /providers/Microsoft.Management/managementGroups/ESJH-decommissioned/providers/Microsoft.Authorization/roleAssignments/81bb9ace-a96d-47ab-b9a2-8952e655aa0c User ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 Mg: 1; Sub: 0
Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/093ad67e-4eae-4536-aa0b-da4e09b47d88 User ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 Mg: 2; Sub: 1
Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/3df334e6-61c3-543a-b548-97586caf6d4f ServicePrincipal Enforce-SQL-Encryption n/a 34520a11-7b14-46a8-ac34-7d766959460a Mg: 2; Sub: 1
Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/4f80e55d-446d-5743-a173-5d189d196345 ServicePrincipal Deploy-AKS-Policy n/a fb0a7498-393f-434d-aa93-2acd144f489f Mg: 2; Sub: 1
Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/70486d4a-1ee2-5f70-bb58-b3bd79840ae5 ServicePrincipal Deploy-VM-Backup n/a e2511ca5-bcb3-4dbd-9d91-c18590c2a9d2 Mg: 2; Sub: 1
Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/8085d5e6-c291-571e-bd96-a2eb4769f9e6 ServicePrincipal Deploy-SQL-DB-Auditing n/a 4f3a2551-ea2f-43c6-9623-8950156d19b7 Mg: 2; Sub: 1
Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 /providers/Microsoft.Management/managementGroups/ESJH-management/providers/Microsoft.Authorization/roleAssignments/84fb757b-e5ed-44e1-92fa-5d2ed6fe5cd1 User ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 Mg: 1; Sub: 1
Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 /providers/Microsoft.Management/managementGroups/ESJH-management/providers/Microsoft.Authorization/roleAssignments/b95d2309-e3d0-5961-bef8-a3e75deca49a ServicePrincipal Deploy-Log-Analytics n/a 2f3b9d0b-e8eb-4197-9cdf-ca6bde5dd3e5 Mg: 1; Sub: 1
Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 /providers/Microsoft.Management/managementGroups/ESJH-online/providers/Microsoft.Authorization/roleAssignments/06ee6718-e394-4fcf-bbc2-cf358381ff67 User ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 Mg: 1; Sub: 1
Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 /providers/Microsoft.Management/managementGroups/ESJH-platform/providers/Microsoft.Authorization/roleAssignments/243cb616-b890-4197-bc2e-98b966ba39f5 User ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 Mg: 2; Sub: 1
Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 /providers/Microsoft.Management/managementGroups/ESJH-sandboxes/providers/Microsoft.Authorization/roleAssignments/5c852bb9-bc65-44cb-a7d7-f230589f9c5f User ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 Mg: 2; Sub: 0
Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/2d361fa3-7bd4-5234-9b12-1f54afa65870 ServicePrincipal Deploy-VMSS-Monitoring n/a a3a4908f-b068-455e-a3f5-38cc5e00448f Mg: 8; Sub: 2
Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/38abf737-131b-52a2-90da-78943675bfed ServicePrincipal Deploy-WS-Arc-Monitoring n/a b0bdcb08-09c9-4d9d-957e-963d255e7220 Mg: 8; Sub: 2
Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/45afca7b-a696-5947-a47f-960081dd1dbc ServicePrincipal Deploy-Resource-Diag n/a e51576ad-748d-462b-9d70-cb3b03e6c2e6 Mg: 8; Sub: 2
Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/538e5329-7b5d-511f-8c05-9c7c32dab0bf ServicePrincipal Deploy-ASC-Security n/a 4cb4c797-237b-4e64-b2cf-66f841700442 Mg: 8; Sub: 2
Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/5d92332d-fe07-5cef-9c6b-33e5025d6374 ServicePrincipal Deploy-VM-Monitoring n/a 065dde0b-5eab-4fce-80ee-ec956e94c498 Mg: 8; Sub: 2
Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/ddc0ff3c-a3d0-5d5b-ba19-116b6572acbf ServicePrincipal Deploy-LX-Arc-Monitoring n/a 9ed01b2b-9311-41a8-8897-0a329047be49 Mg: 8; Sub: 2
Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/e5ac6b58-4f31-5956-9082-78d97ba2453e ServicePrincipal Deploy-AzActivity-Log n/a 1691aa06-da2e-43f0-98f9-af12494603a9 Mg: 8; Sub: 2
Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/f8d8ca86-6fdf-4ad5-b801-5e1b3eba3171 User ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 Mg: 8; Sub: 2
Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 /providers/Microsoft.Management/managementGroups/ESJHDEV/providers/Microsoft.Authorization/roleAssignments/983c43f8-1c29-4c73-9816-b69d38226be4 ServicePrincipal AzOps n/a c295384a-33d9-475e-abaf-d2fb0274299a Mg: 1; Sub: 0
Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 /providers/Microsoft.Management/managementGroups/ESJHQA/providers/Microsoft.Authorization/roleAssignments/9f1fe9df-5a9c-46ca-b881-154ecd19eaa7 ServicePrincipal AzOps n/a c295384a-33d9-475e-abaf-d2fb0274299a Mg: 1; Sub: 0
Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleAssignments/2754101a-9df1-48e7-ae2a-836f23710ed7 User Jack Dalton JackDalton@AzGovViz.onmicrosoft.com c64d2776-a210-428f-b54f-a4a5dd7f8ef8 Mg: 0; Sub: 1
Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleAssignments/68463d6a-5bd9-4d2b-8607-cb12a73d3c53 User Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a Mg: 0; Sub: 1
Role Name RoleId Role Assignment Obj Type Obj DisplayName Obj SignInName ObjId Impacted Mg/Sub
User Access Administrator 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 /providers/Microsoft.Authorization/roleAssignments/0c3ffd6f-942d-433d-8abd-2d0d7f4383e1 User Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a Mg: 11; Sub: 2
User Access Administrator 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleAssignments/70e14253-25d3-447f-9356-ac32985062a4 User Calamity Jane Calamity_Jane_AzGovViz.net#EXT#@AzGovViz.onmicrosoft.com 43b0f5e7-cb78-4e1a-b3da-1239647dfb74 Mg: 0; Sub: 1
Role Name RoleId Role Assignment Obj Type Obj DisplayName Obj SignInName ObjId Assignment direct/indirect
User Access Administrator 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleAssignments/6bbd9ae3-1189-40bb-8170-7e8674b79159 User Guest Calamity Jane Calamity_Jane_AzGovViz.net#EXT#@AzGovViz.onmicrosoft.com 43b0f5e7-cb78-4e1a-b3da-1239647dfb74 indirect / AAD Group Membership 'group03 (e2390190-219f-419f-bdfa-a9f5cc3698cc)'
User Access Administrator 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleAssignments/70e14253-25d3-447f-9356-ac32985062a4 User Guest Calamity Jane Calamity_Jane_AzGovViz.net#EXT#@AzGovViz.onmicrosoft.com 43b0f5e7-cb78-4e1a-b3da-1239647dfb74 direct

0 Blueprint definitions

0 Blueprint assignments

0 Orphaned Blueprint definitions

Level ManagementGroup ManagementGroup Id Mg children (total) Mg children (direct) Sub children (total) Sub children (direct) MG ASC Score Cost (1d) Path
0 Tenant Root Group 896470ca-9c6e-4176-9b38-5a655403c638 10 3 2 0 0.004383895968 EUR generated by 4 Resources (2 ResourceTypes) in 2 Subscriptions 896470ca-9c6e-4176-9b38-5a655403c638
1 ESJH ESJH 7 4 2 0 0.004383895968 EUR generated by 4 Resources (2 ResourceTypes) in 2 Subscriptions 896470ca-9c6e-4176-9b38-5a655403c638/ESJH
1 ESJHDEV ESJHDEV 0 0 0 0 no consumption data available 896470ca-9c6e-4176-9b38-5a655403c638/ESJHDEV
1 ESJHQA ESJHQA 0 0 0 0 no consumption data available 896470ca-9c6e-4176-9b38-5a655403c638/ESJHQA
2 ESJH-decommissioned ESJH-decommissioned 0 0 0 0 no consumption data available 896470ca-9c6e-4176-9b38-5a655403c638/ESJH/ESJH-decommissioned
2 ESJH-landingzones ESJH-landingzones 1 1 1 0 0.001138877568 EUR generated by 3 Resources (2 ResourceTypes) in 1 Subscriptions 896470ca-9c6e-4176-9b38-5a655403c638/ESJH/ESJH-landingzones
2 ESJH-platform ESJH-platform 1 1 1 0 0.0032450184 EUR generated by 1 Resources (1 ResourceTypes) in 1 Subscriptions 896470ca-9c6e-4176-9b38-5a655403c638/ESJH/ESJH-platform
2 ESJH-sandboxes ESJH-sandboxes 1 1 0 0 no consumption data available 896470ca-9c6e-4176-9b38-5a655403c638/ESJH/ESJH-sandboxes
3 CUST_T5 atz CUST_T5 0 0 0 0 no consumption data available 896470ca-9c6e-4176-9b38-5a655403c638/ESJH/ESJH-sandboxes/CUST_T5
3 ESJH-management ESJH-management 0 0 1 1 0.0032450184 EUR generated by 1 Resources (1 ResourceTypes) in 1 Subscriptions 896470ca-9c6e-4176-9b38-5a655403c638/ESJH/ESJH-platform/ESJH-management
3 ESJH-online ESJH-online 0 0 1 1 0.001138877568 EUR generated by 3 Resources (2 ResourceTypes) in 1 Subscriptions 896470ca-9c6e-4176-9b38-5a655403c638/ESJH/ESJH-landingzones/ESJH-online

Hierarchy Settings | Default Management Group Id: 'ESJH-online'

Hierarchy Settings | Require authorization for Management Group creation: 'False'

Subscription SubscriptionId QuotaId Tags ASC Score Cost (1d) Currency Path
landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f PayAsYouGo_2014-09-01 'costCenter':'4711', 'existingtag':'blaaa', 'testtag':'testvalue5', 'testtag2':'blub' n/a 0.001138877568 EUR 896470ca-9c6e-4176-9b38-5a655403c638/ESJH/ESJH-landingzones/ESJH-online/4dfa3b56-55bf-4059-802a-24e44a4fb60f
management f28ba982-5ed0-4033-9bdf-e45e4b5df466 PayAsYouGo_2014-09-01 'costCenter':'4876' 4 of 14 points 0.0032450184 EUR 896470ca-9c6e-4176-9b38-5a655403c638/ESJH/ESJH-platform/ESJH-management/f28ba982-5ed0-4033-9bdf-e45e4b5df466

0 Subscriptions out-of-scope

Scope TagName Count
AllScopes costCenter 3
AllScopes existingtag 4
AllScopes ms-resource-usage 1
AllScopes Responsible 3
AllScopes tagKey1 2
AllScopes tagKey2 2
AllScopes testtag 3
AllScopes testtag2 4
AllScopes testtagbase 1
Resource costCenter 1
Resource existingtag 2
Resource ms-resource-usage 1
Resource Responsible 2
Resource tagKey1 2
Resource tagKey2 2
Resource testtag 1
Resource testtag2 2
Resource testtagbase 1
ResourceGroup existingtag 1
ResourceGroup Responsible 1
ResourceGroup testtag 1
ResourceGroup testtag2 1
Subscription costCenter 2
Subscription existingtag 1
Subscription testtag 1
Subscription testtag2 1
ResourceType Resource Count
microsoft.automation/automationaccounts 1
microsoft.automation/automationaccounts/runbooks 1
microsoft.keyvault/vaults 1
microsoft.managedidentity/userassignedidentities 1
microsoft.network/networksecuritygroups 4
microsoft.network/networkwatchers 1
microsoft.network/virtualnetworks 1
microsoft.operationalinsights/workspaces 1
microsoft.operationsmanagement/solutions 10
microsoft.storage/storageaccounts 2
ResourceType Location Resource Count
microsoft.automation/automationaccounts westeurope 1
microsoft.automation/automationaccounts/runbooks westeurope 1
microsoft.keyvault/vaults westeurope 1
microsoft.managedidentity/userassignedidentities westeurope 1
microsoft.network/networksecuritygroups northeurope 1
microsoft.network/networksecuritygroups westeurope 3
microsoft.network/networkwatchers westeurope 1
microsoft.network/virtualnetworks westeurope 1
microsoft.operationalinsights/workspaces westeurope 1
microsoft.operationsmanagement/solutions westeurope 10
microsoft.storage/storageaccounts northeurope 1
microsoft.storage/storageaccounts westeurope 1
Provider Registered Registering NotRegistered Unregistering
84codes.CloudAMQP 1 0 1 0
Crypteron.DataSecurity 0 1 1 0
Dynatrace.Observability 0 0 2 0
Microsoft.AAD 1 0 1 0
microsoft.aadiam 1 0 1 0
Microsoft.Addons 1 0 1 0
Microsoft.ADHybridHealthService 2 0 0 0
Microsoft.Advisor 1 0 1 0
Microsoft.AgFoodPlatform 1 0 1 0
Microsoft.AISupercomputer 1 0 1 0
Microsoft.AlertsManagement 1 0 1 0
Microsoft.AnalysisServices 1 0 1 0
Microsoft.AnyBuild 1 0 1 0
Microsoft.ApiManagement 1 0 1 0
Microsoft.AppAssessment 1 0 1 0
Microsoft.AppConfiguration 1 0 1 0
Microsoft.AppPlatform 1 0 1 0
Microsoft.Attestation 1 0 1 0
Microsoft.Authorization 2 0 0 0
Microsoft.Automanage 1 0 1 0
Microsoft.Automation 2 0 0 0
Microsoft.AutonomousDevelopmentPlatform 1 0 1 0
Microsoft.AutonomousSystems 1 0 1 0
Microsoft.AVS 1 0 1 0
Microsoft.AzureActiveDirectory 1 0 1 0
Microsoft.AzureArcData 1 0 1 0
Microsoft.AzureCIS 1 0 1 0
Microsoft.AzureData 1 0 1 0
Microsoft.AzurePercept 0 0 2 0
Microsoft.AzureSphere 0 1 1 0
Microsoft.AzureStack 1 0 1 0
Microsoft.AzureStackHCI 1 0 1 0
Microsoft.BareMetalInfrastructure 1 0 1 0
Microsoft.Batch 1 0 1 0
Microsoft.Billing 2 0 0 0
Microsoft.Bing 1 0 1 0
Microsoft.Blockchain 1 0 1 0
Microsoft.BlockchainTokens 1 0 1 0
Microsoft.Blueprint 1 0 1 0
Microsoft.BotService 1 0 1 0
Microsoft.Cache 1 0 1 0
Microsoft.Capacity 1 0 1 0
Microsoft.Cascade 1 0 1 0
Microsoft.Cdn 1 0 1 0
Microsoft.CertificateRegistration 1 0 1 0
Microsoft.ChangeAnalysis 1 0 1 0
Microsoft.Chaos 1 0 1 0
Microsoft.ClassicCompute 1 0 1 0
Microsoft.ClassicInfrastructureMigrate 1 0 1 0
Microsoft.ClassicNetwork 1 0 1 0
Microsoft.ClassicStorage 1 0 1 0
Microsoft.ClassicSubscription 2 0 0 0
Microsoft.CloudTest 0 0 2 0
Microsoft.CodeSigning 0 0 2 0
Microsoft.Codespaces 1 0 1 0
Microsoft.CognitiveServices 1 0 1 0
Microsoft.Commerce 2 0 0 0
Microsoft.Communication 1 0 1 0
Microsoft.Compute 1 0 1 0
Microsoft.ConfidentialLedger 1 0 1 0
Microsoft.Confluent 1 0 1 0
Microsoft.ConnectedCache 1 0 1 0
Microsoft.ConnectedVehicle 1 0 1 0
Microsoft.ConnectedVMwarevSphere 1 0 1 0
Microsoft.Consumption 2 0 0 0
Microsoft.ContainerInstance 1 0 1 0
Microsoft.ContainerRegistry 1 0 1 0
Microsoft.ContainerService 1 0 1 0
Microsoft.CostManagement 2 0 0 0
Microsoft.CostManagementExports 1 0 1 0
Microsoft.CustomerLockbox 1 0 1 0
Microsoft.CustomProviders 1 0 1 0
Microsoft.D365CustomerInsights 1 0 1 0
Microsoft.Dashboard 0 0 2 0
Microsoft.DataBox 1 0 1 0
Microsoft.DataBoxEdge 1 0 1 0
Microsoft.Databricks 1 0 1 0
Microsoft.DataCatalog 1 0 1 0
Microsoft.DataCollaboration 1 0 1 0
Microsoft.Datadog 1 0 1 0
Microsoft.DataFactory 1 0 1 0
Microsoft.DataLakeAnalytics 1 0 1 0
Microsoft.DataLakeStore 1 0 1 0
Microsoft.DataMigration 1 0 1 0
Microsoft.DataProtection 1 0 1 0
Microsoft.DataShare 1 0 1 0
Microsoft.DBforMariaDB 1 0 1 0
Microsoft.DBforMySQL 1 0 1 0
Microsoft.DBforPostgreSQL 1 0 1 0
Microsoft.DelegatedNetwork 1 0 1 0
Microsoft.DeploymentManager 1 0 1 0
Microsoft.DesktopVirtualization 1 0 1 0
Microsoft.Devices 1 0 1 0
Microsoft.DeviceUpdate 1 0 1 0
Microsoft.DevOps 1 0 1 0
Microsoft.DevTestLab 1 0 1 0
Microsoft.Diagnostics 1 0 1 0
Microsoft.DigitalTwins 1 0 1 0
Microsoft.DocumentDB 1 0 1 0
Microsoft.DomainRegistration 1 0 1 0
Microsoft.EdgeOrder 0 0 2 0
Microsoft.Elastic 1 0 1 0
Microsoft.EnterpriseKnowledgeGraph 0 1 1 0
Microsoft.EventGrid 1 0 1 0
Microsoft.EventHub 1 0 1 0
Microsoft.Experimentation 1 0 1 0
Microsoft.ExtendedLocation 1 0 1 0
Microsoft.Falcon 1 0 1 0
Microsoft.Features 2 0 0 0
Microsoft.Fidalgo 0 0 2 0
Microsoft.FluidRelay 0 0 2 0
Microsoft.GuestConfiguration 2 0 0 0
Microsoft.HanaOnAzure 1 0 1 0
Microsoft.HardwareSecurityModules 1 0 1 0
Microsoft.HDInsight 1 0 1 0
Microsoft.HealthBot 1 0 1 0
Microsoft.HealthcareApis 1 0 1 0
Microsoft.HybridCompute 1 0 1 0
Microsoft.HybridData 1 0 1 0
Microsoft.HybridNetwork 1 0 1 0
Microsoft.ImportExport 1 0 1 0
Microsoft.IndustryDataLifecycle 1 0 1 0
microsoft.insights 2 0 0 0
Microsoft.IntelligentITDigitalTwin 1 0 1 0
Microsoft.IoTCentral 1 0 1 0
Microsoft.IoTSecurity 1 0 1 0
Microsoft.KeyVault 1 0 1 0
Microsoft.Kubernetes 1 0 1 0
Microsoft.KubernetesConfiguration 1 0 1 0
Microsoft.Kusto 1 0 1 0
Microsoft.LabServices 1 0 1 0
Microsoft.Logic 1 0 1 0
Microsoft.Logz 1 0 1 0
Microsoft.MachineLearning 1 0 1 0
Microsoft.MachineLearningServices 1 0 1 0
Microsoft.Maintenance 1 0 1 0
Microsoft.ManagedIdentity 1 0 1 0
Microsoft.ManagedServices 1 0 1 0
Microsoft.Management 2 0 0 0
Microsoft.Maps 1 0 1 0
Microsoft.Marketplace 1 0 1 0
Microsoft.MarketplaceApps 1 0 1 0
Microsoft.MarketplaceNotifications 0 0 2 0
Microsoft.MarketplaceOrdering 2 0 0 0
Microsoft.Media 1 0 1 0
Microsoft.Migrate 1 0 1 0
Microsoft.MixedReality 1 0 1 0
Microsoft.MobileNetwork 0 0 2 0
Microsoft.NetApp 1 0 1 0
Microsoft.Network 2 0 0 0
Microsoft.NotificationHubs 1 0 1 0
Microsoft.ObjectStore 1 0 1 0
Microsoft.OffAzure 1 0 1 0
Microsoft.OpenLogisticsPlatform 1 0 1 0
Microsoft.OperationalInsights 2 0 0 0
Microsoft.OperationsManagement 2 0 0 0
Microsoft.Peering 1 0 1 0
Microsoft.PolicyInsights 2 0 0 0
Microsoft.Portal 2 0 0 0
Microsoft.PowerBI 1 0 1 0
Microsoft.PowerBIDedicated 1 0 1 0
Microsoft.PowerPlatform 1 0 1 0
Microsoft.ProjectBabylon 1 0 1 0
Microsoft.ProviderHub 1 0 1 0
Microsoft.Purview 1 0 1 0
Microsoft.Quantum 1 0 1 0
Microsoft.Quota 0 0 2 0
Microsoft.RecommendationsService 1 0 1 0
Microsoft.RecoveryServices 1 0 1 0
Microsoft.RedHatOpenShift 1 0 1 0
Microsoft.Relay 1 0 1 0
Microsoft.ResourceConnector 1 0 1 0
Microsoft.ResourceGraph 2 0 0 0
Microsoft.ResourceHealth 1 0 1 0
Microsoft.Resources 2 0 0 0
Microsoft.SaaS 1 0 1 0
Microsoft.Scheduler 0 1 1 0
Microsoft.Scom 0 0 2 0
Microsoft.ScVmm 1 0 1 0
Microsoft.Search 1 0 1 0
Microsoft.Security 2 0 0 0
Microsoft.SecurityDetonation 1 0 1 0
Microsoft.SecurityInsights 1 0 1 0
Microsoft.SerialConsole 2 0 0 0
Microsoft.ServiceBus 1 0 1 0
Microsoft.ServiceFabric 1 0 1 0
Microsoft.ServiceFabricMesh 1 0 1 0
Microsoft.ServiceLinker 1 0 1 0
Microsoft.ServicesHub 1 0 1 0
Microsoft.SignalRService 1 0 1 0
Microsoft.Singularity 1 0 1 0
Microsoft.SoftwarePlan 1 0 1 0
Microsoft.Solutions 1 0 1 0
Microsoft.Sql 1 0 1 0
Microsoft.SqlVirtualMachine 1 0 1 0
Microsoft.Storage 1 0 1 0
Microsoft.StorageCache 1 0 1 0
Microsoft.StoragePool 1 0 1 0
Microsoft.StorageSync 1 0 1 0
Microsoft.StorSimple 1 0 1 0
Microsoft.StreamAnalytics 1 0 1 0
Microsoft.Subscription 1 0 1 0
microsoft.support 2 0 0 0
Microsoft.Synapse 1 0 1 0
Microsoft.TestBase 1 0 1 0
Microsoft.TimeSeriesInsights 1 0 1 0
Microsoft.VideoIndexer 0 0 2 0
Microsoft.VirtualMachineImages 1 0 1 0
microsoft.visualstudio 1 0 1 0
Microsoft.VMware 1 0 1 0
Microsoft.VMwareCloudSimple 1 0 1 0
Microsoft.VSOnline 1 0 1 0
Microsoft.Web 1 0 1 0
Microsoft.WindowsESU 1 0 1 0
Microsoft.WindowsIoT 1 0 1 0
Microsoft.WorkloadBuilder 1 0 1 0
Microsoft.WorkloadMonitor 1 0 1 0
NGINX.NGINXPLUS 0 0 2 0
Paraleap.CloudMonix 1 0 1 0
Pokitdok.Platform 0 1 1 0
RavenHq.Db 1 0 1 0
Raygun.CrashReporting 1 0 1 0
Sendgrid.Email 1 0 1 0
Wandisco.Fusion 1 0 1 0
Mg Name MgId Subscription Name SubscriptionId Provider State
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f 84codes.CloudAMQP Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Crypteron.DataSecurity Registering
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Dynatrace.Observability NotRegistered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.AAD Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f microsoft.aadiam Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Addons Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.ADHybridHealthService Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Advisor Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.AgFoodPlatform Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.AISupercomputer Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.AlertsManagement Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.AnalysisServices Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.AnyBuild Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.ApiManagement Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.AppAssessment Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.AppConfiguration Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.AppPlatform Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Attestation Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Authorization Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Automanage Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Automation Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.AutonomousDevelopmentPlatform Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.AutonomousSystems Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.AVS Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.AzureActiveDirectory Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.AzureArcData Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.AzureCIS Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.AzureData Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.AzurePercept NotRegistered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.AzureSphere Registering
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.AzureStack Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.AzureStackHCI Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.BareMetalInfrastructure Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Batch Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Billing Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Bing Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Blockchain Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.BlockchainTokens Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Blueprint Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.BotService Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Cache Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Capacity Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Cascade Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Cdn Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.CertificateRegistration Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.ChangeAnalysis Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Chaos Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.ClassicCompute Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.ClassicInfrastructureMigrate Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.ClassicNetwork Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.ClassicStorage Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.ClassicSubscription Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.CloudTest NotRegistered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.CodeSigning NotRegistered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Codespaces Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.CognitiveServices Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Commerce Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Communication Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Compute Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.ConfidentialLedger Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Confluent Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.ConnectedCache Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.ConnectedVehicle Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.ConnectedVMwarevSphere Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Consumption Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.ContainerInstance Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.ContainerRegistry Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.ContainerService Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.CostManagement Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.CostManagementExports Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.CustomerLockbox Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.CustomProviders Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.D365CustomerInsights Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Dashboard NotRegistered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.DataBox Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.DataBoxEdge Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Databricks Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.DataCatalog Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.DataCollaboration Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Datadog Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.DataFactory Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.DataLakeAnalytics Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.DataLakeStore Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.DataMigration Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.DataProtection Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.DataShare Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.DBforMariaDB Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.DBforMySQL Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.DBforPostgreSQL Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.DelegatedNetwork Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.DeploymentManager Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.DesktopVirtualization Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Devices Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.DeviceUpdate Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.DevOps Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.DevTestLab Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Diagnostics Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.DigitalTwins Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.DocumentDB Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.DomainRegistration Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.EdgeOrder NotRegistered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Elastic Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.EnterpriseKnowledgeGraph Registering
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.EventGrid Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.EventHub Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Experimentation Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.ExtendedLocation Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Falcon Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Features Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Fidalgo NotRegistered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.FluidRelay NotRegistered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.GuestConfiguration Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.HanaOnAzure Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.HardwareSecurityModules Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.HDInsight Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.HealthBot Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.HealthcareApis Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.HybridCompute Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.HybridData Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.HybridNetwork Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.ImportExport Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.IndustryDataLifecycle Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f microsoft.insights Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.IntelligentITDigitalTwin Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.IoTCentral Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.IoTSecurity Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.KeyVault Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Kubernetes Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.KubernetesConfiguration Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Kusto Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.LabServices Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Logic Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Logz Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.MachineLearning Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.MachineLearningServices Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Maintenance Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.ManagedIdentity Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.ManagedServices Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Management Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Maps Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Marketplace Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.MarketplaceApps Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.MarketplaceNotifications NotRegistered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.MarketplaceOrdering Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Media Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Migrate Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.MixedReality Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.MobileNetwork NotRegistered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.NetApp Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Network Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.NotificationHubs Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.ObjectStore Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.OffAzure Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.OpenLogisticsPlatform Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.OperationalInsights Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.OperationsManagement Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Peering Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.PolicyInsights Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Portal Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.PowerBI Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.PowerBIDedicated Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.PowerPlatform Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.ProjectBabylon Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.ProviderHub Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Purview Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Quantum Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Quota NotRegistered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.RecommendationsService Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.RecoveryServices Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.RedHatOpenShift Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Relay Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.ResourceConnector Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.ResourceGraph Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.ResourceHealth Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Resources Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.SaaS Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Scheduler Registering
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Scom NotRegistered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.ScVmm Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Search Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Security Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.SecurityDetonation Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.SecurityInsights Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.SerialConsole Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.ServiceBus Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.ServiceFabric Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.ServiceFabricMesh Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.ServiceLinker Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.ServicesHub Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.SignalRService Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Singularity Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.SoftwarePlan Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Solutions Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Sql Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.SqlVirtualMachine Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Storage Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.StorageCache Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.StoragePool Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.StorageSync Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.StorSimple Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.StreamAnalytics Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Subscription Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f microsoft.support Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Synapse Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.TestBase Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.TimeSeriesInsights Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.VideoIndexer NotRegistered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.VirtualMachineImages Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f microsoft.visualstudio Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.VMware Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.VMwareCloudSimple Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.VSOnline Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.Web Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.WindowsESU Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.WindowsIoT Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.WorkloadBuilder Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Microsoft.WorkloadMonitor Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f NGINX.NGINXPLUS NotRegistered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Paraleap.CloudMonix Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Pokitdok.Platform Registering
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f RavenHq.Db Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Raygun.CrashReporting Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Sendgrid.Email Registered
ESJH-online ESJH-online landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f Wandisco.Fusion Registered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 84codes.CloudAMQP NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Crypteron.DataSecurity NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Dynatrace.Observability NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.AAD NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 microsoft.aadiam NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Addons NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.ADHybridHealthService Registered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Advisor NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.AgFoodPlatform NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.AISupercomputer NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.AlertsManagement NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.AnalysisServices NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.AnyBuild NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.ApiManagement NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.AppAssessment NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.AppConfiguration NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.AppPlatform NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Attestation NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Authorization Registered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Automanage NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Automation Registered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.AutonomousDevelopmentPlatform NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.AutonomousSystems NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.AVS NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.AzureActiveDirectory NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.AzureArcData NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.AzureCIS NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.AzureData NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.AzurePercept NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.AzureSphere NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.AzureStack NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.AzureStackHCI NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.BareMetalInfrastructure NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Batch NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Billing Registered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Bing NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Blockchain NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.BlockchainTokens NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Blueprint NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.BotService NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Cache NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Capacity NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Cascade NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Cdn NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.CertificateRegistration NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.ChangeAnalysis NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Chaos NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.ClassicCompute NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.ClassicInfrastructureMigrate NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.ClassicNetwork NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.ClassicStorage NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.ClassicSubscription Registered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.CloudTest NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.CodeSigning NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Codespaces NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.CognitiveServices NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Commerce Registered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Communication NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Compute NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.ConfidentialLedger NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Confluent NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.ConnectedCache NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.ConnectedVehicle NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.ConnectedVMwarevSphere NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Consumption Registered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.ContainerInstance NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.ContainerRegistry NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.ContainerService NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.CostManagement Registered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.CostManagementExports NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.CustomerLockbox NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.CustomProviders NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.D365CustomerInsights NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Dashboard NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.DataBox NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.DataBoxEdge NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Databricks NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.DataCatalog NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.DataCollaboration NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Datadog NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.DataFactory NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.DataLakeAnalytics NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.DataLakeStore NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.DataMigration NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.DataProtection NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.DataShare NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.DBforMariaDB NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.DBforMySQL NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.DBforPostgreSQL NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.DelegatedNetwork NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.DeploymentManager NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.DesktopVirtualization NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Devices NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.DeviceUpdate NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.DevOps NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.DevTestLab NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Diagnostics NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.DigitalTwins NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.DocumentDB NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.DomainRegistration NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.EdgeOrder NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Elastic NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.EnterpriseKnowledgeGraph NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.EventGrid NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.EventHub NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Experimentation NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.ExtendedLocation NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Falcon NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Features Registered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Fidalgo NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.FluidRelay NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.GuestConfiguration Registered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.HanaOnAzure NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.HardwareSecurityModules NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.HDInsight NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.HealthBot NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.HealthcareApis NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.HybridCompute NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.HybridData NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.HybridNetwork NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.ImportExport NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.IndustryDataLifecycle NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 microsoft.insights Registered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.IntelligentITDigitalTwin NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.IoTCentral NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.IoTSecurity NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.KeyVault NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Kubernetes NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.KubernetesConfiguration NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Kusto NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.LabServices NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Logic NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Logz NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.MachineLearning NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.MachineLearningServices NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Maintenance NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.ManagedIdentity NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.ManagedServices NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Management Registered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Maps NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Marketplace NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.MarketplaceApps NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.MarketplaceNotifications NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.MarketplaceOrdering Registered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Media NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Migrate NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.MixedReality NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.MobileNetwork NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.NetApp NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Network Registered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.NotificationHubs NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.ObjectStore NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.OffAzure NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.OpenLogisticsPlatform NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.OperationalInsights Registered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.OperationsManagement Registered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Peering NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.PolicyInsights Registered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Portal Registered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.PowerBI NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.PowerBIDedicated NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.PowerPlatform NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.ProjectBabylon NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.ProviderHub NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Purview NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Quantum NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Quota NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.RecommendationsService NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.RecoveryServices NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.RedHatOpenShift NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Relay NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.ResourceConnector NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.ResourceGraph Registered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.ResourceHealth NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Resources Registered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.SaaS NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Scheduler NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Scom NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.ScVmm NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Search NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Security Registered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.SecurityDetonation NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.SecurityInsights NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.SerialConsole Registered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.ServiceBus NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.ServiceFabric NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.ServiceFabricMesh NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.ServiceLinker NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.ServicesHub NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.SignalRService NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Singularity NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.SoftwarePlan NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Solutions NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Sql NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.SqlVirtualMachine NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Storage NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.StorageCache NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.StoragePool NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.StorageSync NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.StorSimple NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.StreamAnalytics NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Subscription NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 microsoft.support Registered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Synapse NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.TestBase NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.TimeSeriesInsights NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.VideoIndexer NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.VirtualMachineImages NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 microsoft.visualstudio NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.VMware NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.VMwareCloudSimple NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.VSOnline NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.Web NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.WindowsESU NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.WindowsIoT NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.WorkloadBuilder NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Microsoft.WorkloadMonitor NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 NGINX.NGINXPLUS NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Paraleap.CloudMonix NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Pokitdok.Platform NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 RavenHq.Db NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Raygun.CrashReporting NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Sendgrid.Email NotRegistered
ESJH-management ESJH-management management f28ba982-5ed0-4033-9bdf-e45e4b5df466 Wandisco.Fusion NotRegistered
Considerations before applying locks docs
Lock scope Lock type presence
Subscription CannotDelete 0 of 2 Subscriptions
Subscription ReadOnly 0 of 2 Subscriptions
ResourceGroup CannotDelete 1 of 2 Subscriptions (total: 1)
ResourceGroup ReadOnly 0 of 2 Subscriptions (total: 0)
Resource CannotDelete 0 of 2 Subscriptions (total: 0)
Resource ReadOnly 0 of 2 Subscriptions (total: 0)

Management Groups

Management Group Diagnostic Settings - Create Or Update - REST API docs
Management Group Management Group Id Diagnostic setting Target TargetId Administrative Policy
ESJH-platform ESJH-platform mgDiag_ESJH-platform LA /subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 true true
Management Group Management Group Id Management Group path
Tenant Root Group 896470ca-9c6e-4176-9b38-5a655403c638 896470ca-9c6e-4176-9b38-5a655403c638
ESJH ESJH 896470ca-9c6e-4176-9b38-5a655403c638/ESJH
ESJH-decommissioned ESJH-decommissioned 896470ca-9c6e-4176-9b38-5a655403c638/ESJH/ESJH-decommissioned
ESJH-landingzones ESJH-landingzones 896470ca-9c6e-4176-9b38-5a655403c638/ESJH/ESJH-landingzones
ESJH-online ESJH-online 896470ca-9c6e-4176-9b38-5a655403c638/ESJH/ESJH-landingzones/ESJH-online
ESJH-management ESJH-management 896470ca-9c6e-4176-9b38-5a655403c638/ESJH/ESJH-platform/ESJH-management
ESJH-sandboxes ESJH-sandboxes 896470ca-9c6e-4176-9b38-5a655403c638/ESJH/ESJH-sandboxes
CUST_T5 atz CUST_T5 896470ca-9c6e-4176-9b38-5a655403c638/ESJH/ESJH-sandboxes/CUST_T5
ESJHDEV ESJHDEV 896470ca-9c6e-4176-9b38-5a655403c638/ESJHDEV
ESJHQA ESJHQA 896470ca-9c6e-4176-9b38-5a655403c638/ESJHQA

Subscriptions

Create diagnostic setting docs
Subscription SubscriptionId Path Diagnostic setting Target TargetId Administrative Alert Autoscale Policy Recommendation ResourceHealth Security ServiceHealth
landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f 896470ca-9c6e-4176-9b38-5a655403c638/ESJH/ESJH-landingzones/ESJH-online/4dfa3b56-55bf-4059-802a-24e44a4fb60f subscriptionToLa LA /subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 true true true true true true true true
management f28ba982-5ed0-4033-9bdf-e45e4b5df466 896470ca-9c6e-4176-9b38-5a655403c638/ESJH/ESJH-platform/ESJH-management/f28ba982-5ed0-4033-9bdf-e45e4b5df466 subscriptionToLa LA /subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 true true true true true true true true

All Subscriptions are configured for Diagnostic settings docs

Resources

Create Custom Policies for Azure ResourceTypes that support Diagnostics Logs and Metrics Create-AzDiagPolicy
Supported categories for Azure Resource Logs docs
ResourceType Resource Count Diagnostics capable Metrics Logs LogCategories
microsoft.automation/automationaccounts 1 True True True JobLogs, JobStreams, DscNodeStatus
microsoft.automation/automationaccounts/runbooks 1 False False False
microsoft.keyvault/vaults 1 True True True AuditEvent
microsoft.managedidentity/userassignedidentities 1 False False False
microsoft.network/networksecuritygroups 4 True False True NetworkSecurityGroupEvent, NetworkSecurityGroupRuleCounter
microsoft.network/networkwatchers 1 False False False
microsoft.network/virtualnetworks 1 True True True VMProtectionAlerts
microsoft.operationalinsights/workspaces 1 True True True Audit
microsoft.operationsmanagement/solutions 10 False False False
microsoft.storage/storageaccounts 2 True True False
Priority Recommendation ResourceType Resource Count Diagnostics capable (logs) Policy Id Policy DisplayName Role definitions Target Log Categories not covered by Policy Policy assignments Policy used in PolicySet PolicySet assignments
2-Medium Create diagnostics policy for this ResourceType. To verify GA check docs microsoft.operationalinsights/workspaces 0 yes n/a n/a n/a n/a n/a n/a n/a n/a
4-Low no recommendation Microsoft.Automation/automationAccounts 0 yes /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-aa Deploy Diagnostic Settings for Automation to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA all OK 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]
4-Low no recommendation Microsoft.KeyVault/vaults 0 yes /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-keyvault Deploy Diagnostic Settings for Key Vault to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA all OK 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]
4-Low no recommendation Microsoft.Network/networkSecurityGroups 0 yes /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-networksecuritygroups Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA all OK 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]
4-Low no recommendation Microsoft.Network/virtualNetworks 0 yes /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-virtualnetwork Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA all OK 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]
4-Low no recommendation as this resourceType seems not existing Microsoft.AnalysisServices/servers 0 unknown /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-analysisservice Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA n/a 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]
4-Low no recommendation as this resourceType seems not existing Microsoft.ApiManagement/service 0 unknown /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-apimgmt Deploy Diagnostic Settings for API Management to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA n/a 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]
4-Low no recommendation as this resourceType seems not existing Microsoft.Batch/batchAccounts 0 unknown /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-batch Deploy Diagnostic Settings for Batch to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA n/a 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]
4-Low no recommendation as this resourceType seems not existing Microsoft.Cdn/profiles/endpoints 0 unknown /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-cdnendpoints Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA n/a 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]
4-Low no recommendation as this resourceType seems not existing Microsoft.CognitiveServices/accounts 0 unknown /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-cognitiveservices Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA n/a 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]
4-Low no recommendation as this resourceType seems not existing Microsoft.ContainerRegistry/registries 0 unknown /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-acr Deploy Diagnostic Settings for Container Registry to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA n/a 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]
4-Low no recommendation as this resourceType seems not existing Microsoft.ContainerService/managedClusters 0 unknown /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-aks Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA n/a 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]
4-Low no recommendation as this resourceType seems not existing Microsoft.Databricks/workspaces 0 unknown /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-databricks Deploy Diagnostic Settings for Databricks to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA n/a 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]
4-Low no recommendation as this resourceType seems not existing Microsoft.DataFactory/factories 0 unknown /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-datafactory Deploy Diagnostic Settings for Data Factory to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA n/a 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]
4-Low no recommendation as this resourceType seems not existing Microsoft.DataLakeAnalytics/accounts 0 unknown /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-dlanalytics Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA n/a 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]
4-Low no recommendation as this resourceType seems not existing Microsoft.DataLakeStore/accounts 0 unknown /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-datalakestore Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA n/a 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]
4-Low no recommendation as this resourceType seems not existing Microsoft.DBforMariaDB/servers 0 unknown /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-mariadb Deploy Diagnostic Settings for MariaDB to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA n/a 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]
4-Low no recommendation as this resourceType seems not existing Microsoft.DBforMySQL/servers 0 unknown /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-mysql Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA n/a 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]
4-Low no recommendation as this resourceType seems not existing Microsoft.DBforPostgreSQL/servers 0 unknown /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-postgresql Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA n/a 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]
4-Low no recommendation as this resourceType seems not existing Microsoft.Devices/IotHubs 0 unknown /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-iothub Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA n/a 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]
4-Low no recommendation as this resourceType seems not existing Microsoft.DocumentDB/databaseAccounts 0 unknown /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-cosmosdb Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA n/a 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]
4-Low no recommendation as this resourceType seems not existing Microsoft.EventGrid/systemTopics 0 unknown /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-eventgridsystemtopic Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA n/a 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]
4-Low no recommendation as this resourceType seems not existing Microsoft.EventGrid/topics 0 unknown /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-eventgridtopic Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA n/a 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]
4-Low no recommendation as this resourceType seems not existing Microsoft.EventHub/namespaces 0 unknown /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-eventhub Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA n/a 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]
4-Low no recommendation as this resourceType seems not existing Microsoft.Logic/integrationAccounts 0 unknown /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-logicappsise Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA n/a 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]
4-Low no recommendation as this resourceType seems not existing Microsoft.Logic/workflows 0 unknown /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-logicappswf Deploy Diagnostic Settings for Logic Apps Workflow runtime to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA n/a 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]
4-Low no recommendation as this resourceType seems not existing Microsoft.MachineLearningServices/workspaces 0 unknown /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-mlworkspace Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA n/a 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]
4-Low no recommendation as this resourceType seems not existing Microsoft.Network/applicationGateways 0 unknown /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-applicationgateway Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA n/a 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]
4-Low no recommendation as this resourceType seems not existing Microsoft.Network/azureFirewalls 0 unknown /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-firewall Deploy Diagnostic Settings for Firewall to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA n/a 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]
4-Low no recommendation as this resourceType seems not existing Microsoft.Network/expressRouteCircuits 0 unknown /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-expressroute Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA n/a 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]
4-Low no recommendation as this resourceType seems not existing Microsoft.Network/frontDoors 0 unknown /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-frontdoor Deploy Diagnostic Settings for Front Door to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA n/a 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]
4-Low no recommendation as this resourceType seems not existing Microsoft.Network/loadBalancers 0 unknown /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-loadbalancer Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA n/a 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]
4-Low no recommendation as this resourceType seems not existing Microsoft.Network/publicIPAddresses 0 unknown /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-publicip Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA n/a 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]
4-Low no recommendation as this resourceType seems not existing Microsoft.Network/trafficManagerProfiles 0 unknown /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-trafficmanager Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA n/a 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]
4-Low no recommendation as this resourceType seems not existing Microsoft.Network/virtualNetworkGateways 0 unknown /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-vnetgw Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA n/a 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]
4-Low no recommendation as this resourceType seems not existing Microsoft.PowerBIDedicated/capacities 0 unknown /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-powerbiembedded Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA n/a 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]
4-Low no recommendation as this resourceType seems not existing Microsoft.RecoveryServices/vaults 0 unknown /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-recoveryvault Deploy Diagnostic Settings for Recovery Services vaults to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA n/a 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]
4-Low no recommendation as this resourceType seems not existing Microsoft.Relay/namespaces 0 unknown /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-relay Deploy Diagnostic Settings for Relay to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA n/a 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]
4-Low no recommendation as this resourceType seems not existing Microsoft.Search/searchServices 0 unknown /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-searchservices Deploy Diagnostic Settings for Search Services to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA n/a 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]
4-Low no recommendation as this resourceType seems not existing Microsoft.ServiceBus/namespaces 0 unknown /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-servicebus Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA n/a 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]
4-Low no recommendation as this resourceType seems not existing Microsoft.SignalRService/SignalR 0 unknown /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-signalr Deploy Diagnostic Settings for SignalR to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA n/a 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]
4-Low no recommendation as this resourceType seems not existing Microsoft.Sql/managedInstances 0 unknown /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-sqlmi Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA n/a 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]
4-Low no recommendation as this resourceType seems not existing Microsoft.Sql/servers/databases 0 unknown /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-sqldbs Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA n/a 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]
4-Low no recommendation as this resourceType seems not existing Microsoft.StreamAnalytics/streamingjobs 0 unknown /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-streamanalytics Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA n/a 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]
4-Low no recommendation as this resourceType seems not existing Microsoft.TimeSeriesInsights/environments 0 unknown /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-timeseriesinsights Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA n/a 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]
4-Low no recommendation as this resourceType seems not existing Microsoft.Web/sites 0 unknown /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-website Deploy Diagnostic Settings for App Service to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA n/a 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]
4-Low no recommendation as this resourceType seems not existing Microsoft.Web/sites 0 unknown /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-function Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace Monitoring Contributor (749f88d5-cbae-40b8-bcfc-e573ddc772fa), Log Analytics Contributor (92aaf0da-9dab-42b6-94a3-d43ce8d16293) LA n/a 0 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics (Deploy Diagnostic Settings to Azure Services)] 1 [/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)]

Tenant

PolicySet definitions: 3/2500

Custom Role definitions: 6/5000

Management Groups

0 Management Groups approaching Limit (200) for PolicyAssignment

0 Management Groups approaching Limit (500) for Policy Scope

0 Management Groups approaching Limit (200) for PolicySet Scope

0 Management Groups approaching Limit (500) for RoleAssignment

Subscriptions

Azure Subscription Resource Group Limit
Subscription SubscriptionId Limit
landingZone 4dfa3b56-55bf-4059-802a-24e44a4fb60f 80,92 % (793/980)

0 Subscriptions approaching Limit (50) for Tags

0 Subscriptions approaching Limit (200) for PolicyAssignment

0 Subscriptions approaching Limit (500) for Policy Scope

0 Subscriptions approaching Limit (200) for PolicySet Scope

0 Subscriptions approaching Limit (2000) for RoleAssignment

Demystifying Service Principals - Managed Identities devBlogs
John Savill - Azure AD App Registrations, Enterprise Apps and Service Principals YouTube

No ServicePrincipals where the API returned 'Request_ResourceNotFound'

No Applications where the API returned 'Request_ResourceNotFound'

ApplicationId DisplayName SP ObjectId Usage Usage info Policy assignment details Role assignments
addfa80f-9a88-4563-a159-3c299bb4c7d8 Deploy-VM-Monitoring 065dde0b-5eab-4fce-80ee-ec956e94c498 Policy assignments isExplicit=False, /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Monitoring BuiltIn PolicySet: Enable Azure Monitor for VMs (55f3eceb-5573-4f18-9695-226972c6d74a) 1 (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/5d92332d-fe07-5cef-9c6b-33e5025d6374 (Owner))
59fea0c9-4279-46f2-b2ad-1103e264e964 Deploy-AzActivity-Log 1691aa06-da2e-43f0-98f9-af12494603a9 Policy assignments isExplicit=False, /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyAssignments/Deploy-AzActivity-Log Custom Policy: Deploy Diagnostic Settings for Activity Log to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-activitylog) 1 (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/e5ac6b58-4f31-5956-9082-78d97ba2453e (Owner))
7b43e7f6-bcb5-4836-8d1f-b624b2714be0 Deploy-Log-Analytics 2f3b9d0b-e8eb-4197-9cdf-ca6bde5dd3e5 Policy assignments isExplicit=False, /providers/Microsoft.Management/managementGroups/ESJH-management/providers/Microsoft.Authorization/policyAssignments/Deploy-Log-Analytics Custom Policy: Deploy the Log Analytics in the subscription (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-log-analytics) 1 (/providers/Microsoft.Management/managementGroups/ESJH-management/providers/Microsoft.Authorization/roleAssignments/b95d2309-e3d0-5961-bef8-a3e75deca49a (Owner))
17e0b01b-14eb-4016-bf8e-171b5b044b95 Enforce-SQL-Encryption 34520a11-7b14-46a8-ac34-7d766959460a Policy assignments isExplicit=False, /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/policyAssignments/Enforce-SQL-Encryption BuiltIn Policy: Deploy SQL DB transparent data encryption (86a912f6-9a06-4e26-b447-11b16ba8659f) 1 (/providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/3df334e6-61c3-543a-b548-97586caf6d4f (Owner))
6e1d3051-0ad2-4920-b525-a653ba20c5f6 Deploy-ASC-Security 4cb4c797-237b-4e64-b2cf-66f841700442 Policy assignments isExplicit=False, /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyAssignments/Deploy-ASC-Security Custom Policy: Deploy Azure Defender settings in Azure Security Center. (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-asc-standard) 1 (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/538e5329-7b5d-511f-8c05-9c7c32dab0bf (Owner))
873c2c67-e210-496e-86aa-f53d8b4f1844 Deploy-SQL-DB-Auditing 4f3a2551-ea2f-43c6-9623-8950156d19b7 Policy assignments isExplicit=False, /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-DB-Auditing BuiltIn Policy: Auditing on SQL server should be enabled (a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9) 1 (/providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/8085d5e6-c291-571e-bd96-a2eb4769f9e6 (Owner))
afbb1efc-63bd-46fa-8d7e-976ec0d75862 Deploy-LX-Arc-Monitoring 9ed01b2b-9311-41a8-8897-0a329047be49 Policy assignments isExplicit=False, /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyAssignments/Deploy-LX-Arc-Monitoring BuiltIn Policy: Configure Log Analytics agent on Azure Arc enabled Linux servers (9d2b61b4-1d14-4a63-be30-d4498e7ad2cf) 1 (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/ddc0ff3c-a3d0-5d5b-ba19-116b6572acbf (Owner))
cab048f7-a6c2-46d7-a04a-fed3abf27f75 Deploy-VMSS-Monitoring a3a4908f-b068-455e-a3f5-38cc5e00448f Policy assignments isExplicit=False, /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyAssignments/Deploy-VMSS-Monitoring BuiltIn PolicySet: Enable Azure Monitor for Virtual Machine Scale Sets (75714362-cae7-409e-9b99-a8e5075b7fad) 1 (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/2d361fa3-7bd4-5234-9b12-1f54afa65870 (Owner))
1e94c5fb-a02b-4a89-a2f0-51299f787f8b Deploy-WS-Arc-Monitoring b0bdcb08-09c9-4d9d-957e-963d255e7220 Policy assignments isExplicit=False, /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyAssignments/Deploy-WS-Arc-Monitoring BuiltIn Policy: Configure Log Analytics agent on Azure Arc enabled Windows servers (69af7d4a-7b18-4044-93a9-2651498ef203) 1 (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/38abf737-131b-52a2-90da-78943675bfed (Owner))
e51a68e4-11b9-4062-b384-3a8e70a20825 Deploy-VM-Backup e2511ca5-bcb3-4dbd-9d91-c18590c2a9d2 Policy assignments isExplicit=False, /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Backup BuiltIn Policy: Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy (98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86) 1 (/providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/70486d4a-1ee2-5f70-bb58-b3bd79840ae5 (Owner))
717c2b3f-1fb7-4a5f-acc8-fc60ea27f2be Deploy-Resource-Diag e51576ad-748d-462b-9d70-cb3b03e6c2e6 Policy assignments isExplicit=False, /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyAssignments/Deploy-Resource-Diag Custom PolicySet: Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 1 (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/45afca7b-a696-5947-a47f-960081dd1dbc (Owner))
cf80e92b-ae4e-4539-98c9-b7c6fe22b23d Deploy-AKS-Policy fb0a7498-393f-434d-aa93-2acd144f489f Policy assignments isExplicit=False, /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/policyAssignments/Deploy-AKS-Policy BuiltIn Policy: Deploy Azure Policy Add-on to Azure Kubernetes Service clusters (a8eff44f-8c92-45c3-a3fb-9880802d67a7) 1 (/providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/4f80e55d-446d-5743-a173-5d189d196345 (Owner))
ApplicationId DisplayName Notes SP ObjectId App ObjectId Secrets Secrets expired Secrets expiry <14d Secrets expiry >14d & <2y Secrets expiry >2y Certs Certs expired Certs expiry <14d Certs expiry >14d & <2y Certs expiry >2y
2b213162-e349-461a-bc29-aefa7da6cb32 AzOps c295384a-33d9-475e-abaf-d2fb0274299a 3dd669f2-a512-4bb1-b52c-bc8a438e067b 1 0 0 1 0 0 0 0 0 0
b92a0a2f-8536-4134-b0fb-60ee0528d1b0 azgovvizwwcsecurity e261446e-77d2-4cf5-a32a-0fbef8ee1333 2d29aa1b-04bf-4770-922c-354724b38562 1 0 0 1 0 0 0 0 0 0

0 External (appOwnerOrganizationId) AAD ServicePrincipals type=Application

Customize your Azure environment optimizations (Cost, Reliability & more) with Azure Optimization Engine (AOE)
ChargeType ResourceType Category ResourceCount Cost (1d) Currency Subscriptions
usage arm advanced threat protection 2 0.0043548012 EUR 2
usage microsoft.storage advanced threat protection 2 0.0000134928 EUR 1
usage microsoft.storage storage 2 0.000015601968 EUR 1
Scope Scope Id Policy DisplayName PolicyId Category Effect Role definitions Unique assignments Used in PolicySets Created/Updated CreatedOn CreatedBy UpdatedOn UpdatedBy
Mg ESJH Public network access should be disabled for CosmosDB /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-publicendpoint-cosmosdb SQL Default: Deny; Allowed: Audit,Deny,Disabled n/a 0 1 (Public network access should be disabled for PAAS services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deny-publicendpoints) Updated 2021-01-10 20:57:38 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149 2021-07-15 15:15:07 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a

0 Created/Updated custom PolicySet definitions

Scope Management Group Id Management Group Name SubscriptionId Subscription Name Inheritance ScopeExcluded Exemption applies Policy/Set DisplayName Policy/Set Description Policy/SetId Policy/Set Type Category Effect Parameters Enforcement NonCompliance Message Policies NonCmplnt Policies Compliant Resources NonCmplnt Resources Compliant Resources Conflicting Role/Assignment Assignment DisplayName Assignment Description AssignmentId Created/Updated AssignedBy CreatedOn CreatedBy UpdatedOn UpdatedBy
Sub ESJH-online ESJH-online 4dfa3b56-55bf-4059-802a-24e44a4fb60f landingZone thisScope Sub false false [Deprecated]: Function App should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. /providers/microsoft.authorization/policydefinitions/5df82f4f-773a-4a2d-97a2-422a806f1a55 Policy BuiltIn Security Center AuditIfNotExists Default 0 0 0 0 0 none testDeprecatedAssignment no description given /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/microsoft.authorization/policyassignments/bcdd1466e4fc5114b6e5f13d Created n/a 2021-07-18 15:09:28 ObjectType: SP App INT , ObjectDisplayName: AzOps, ObjectSignInName: n/a, ObjectId: c295384a-33d9-475e-abaf-d2fb0274299a
Mg CUST_T5 CUST_T5 atz thisScope Mg false false Audit VMs that do not use managed disks This policy audits VMs that do not use managed disks /providers/microsoft.authorization/policydefinitions/06a78e20-9358-41c9-923c-fb736d382a4d Policy BuiltIn Compute audit Default 0 0 0 0 0 none APA Audit VMs that do not use managed disks no description given /providers/microsoft.management/managementgroups/cust_t5/providers/microsoft.authorization/policyassignments/aa4f4fdfd3b04fb3962a9da9 Created Joe Dalton 2021-07-15 15:16:07 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg ESJH-sandboxes ESJH-sandboxes thisScope Mg false false Audit VMs that do not use managed disks This policy audits VMs that do not use managed disks /providers/microsoft.authorization/policydefinitions/06a78e20-9358-41c9-923c-fb736d382a4d Policy BuiltIn Compute audit Default 0 0 0 0 0 none APA Audit VMs that do not use managed disks no description given /providers/microsoft.management/managementgroups/esjh-sandboxes/providers/microsoft.authorization/policyassignments/8d73a6aa8a0a4ea2b58de2b2 Created n/a 2021-07-06 09:42:48 ObjectType: SP App INT , ObjectDisplayName: AzOps, ObjectSignInName: n/a, ObjectId: c295384a-33d9-475e-abaf-d2fb0274299a
Mg ESJH-sandboxes ESJH-sandboxes thisScope Mg false false Audit VMs that do not use managed disks This policy audits VMs that do not use managed disks /providers/microsoft.authorization/policydefinitions/06a78e20-9358-41c9-923c-fb736d382a4d Policy BuiltIn Compute audit Default 0 0 0 0 0 none APA2 Audit VMs that do not use managed disks no description given /providers/microsoft.management/managementgroups/esjh-sandboxes/providers/microsoft.authorization/policyassignments/8d73a6aa8a0a4ea2b58de2b3 Created n/a 2021-07-06 10:32:34 ObjectType: SP App INT , ObjectDisplayName: AzOps, ObjectSignInName: n/a, ObjectId: c295384a-33d9-475e-abaf-d2fb0274299a
Mg ESJH-sandboxes ESJH-sandboxes thisScope Mg false false Audit VMs that do not use managed disks This policy audits VMs that do not use managed disks /providers/microsoft.authorization/policydefinitions/06a78e20-9358-41c9-923c-fb736d382a4d Policy BuiltIn Compute audit Default 0 0 0 0 0 none APA3 Audit VMs that do not use managed disks no description given /providers/microsoft.management/managementgroups/esjh-sandboxes/providers/microsoft.authorization/policyassignments/8d73a6aa8a0a4ea2b58de2b4 Created n/a 2021-07-06 11:59:31 ObjectType: SP App INT , ObjectDisplayName: AzOps, ObjectSignInName: n/a, ObjectId: c295384a-33d9-475e-abaf-d2fb0274299a
Mg ESJH ESJH thisScope Mg false false Enable Azure Monitor for VMs Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes Log Analytics workspace as parameter. /providers/microsoft.authorization/policysetdefinitions/55f3eceb-5573-4f18-9695-226972c6d74a PolicySet BuiltIn Monitoring n/a logAnalytics_1=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/5d92332d-fe07-5cef-9c6b-33e5025d6374) Deploy-VM-Monitoring Deploy-VM-Monitoring v2 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vm-monitoring Updated n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149 2021-07-09 16:04:52 ObjectType: SP App INT , ObjectDisplayName: AzOps, ObjectSignInName: n/a, ObjectId: c295384a-33d9-475e-abaf-d2fb0274299a
Role Name RoleId Assignable Scopes Data Created/Updated CreatedOn CreatedBy UpdatedOn UpdatedBy
testRole3368 08a2d627-a94e-461e-8350-432b457d00a3 1 (/providers/microsoft.management/managementgroups/esjhdev) false Created 2021-08-04 15:36:21 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
testRole3366 f548f1ea-48f1-4a74-9061-b5dacacf514a 1 (/subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f) false Created&Updated 2021-07-18 15:22:38 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a 2021-07-19 19:45:44 ObjectType: User Member, ObjectDisplayName: Jack Dalton, ObjectSignInName: JackDalton@AzGovViz.onmicrosoft.com, ObjectId: c64d2776-a210-428f-b54f-a4a5dd7f8ef8
testRole3367 f7028056-3a12-43ac-a499-0d1844a02240 1 (/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466) false Created 2021-08-04 15:34:15 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Scope Role Role Id Role Type Data Identity Displayname Identity SignInName Identity ObjectId Identity Type Applicability Applies through membership Group Details Role AssignmentId Related Policy Assignment CreatedOn CreatedBy
Mg Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false Jack Dalton JackDalton@AzGovViz.onmicrosoft.com c64d2776-a210-428f-b54f-a4a5dd7f8ef8 User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/2df03e9d-a1e3-41f5-a95e-efb2b4641f04 none 2021-07-19 19:38:25 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false AzOps n/a c295384a-33d9-475e-abaf-d2fb0274299a SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/30e36b53-bc6c-412b-a026-96fe7527e27b none 2021-07-06 12:42:21 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH-sandboxes/providers/Microsoft.Authorization/roleAssignments/5c852bb9-bc65-44cb-a7d7-f230589f9c11 none 2021-07-05 08:20:09 ObjectType: SP App INT , ObjectDisplayName: AzOps, ObjectSignInName: n/a, ObjectId: c295384a-33d9-475e-abaf-d2fb0274299a
Mg Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false AzOps n/a c295384a-33d9-475e-abaf-d2fb0274299a SP App INT direct /providers/Microsoft.Management/managementGroups/ESJHDEV/providers/Microsoft.Authorization/roleAssignments/983c43f8-1c29-4c73-9816-b69d38226be4 none 2021-07-06 13:09:24 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
Mg Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false AzOps n/a c295384a-33d9-475e-abaf-d2fb0274299a SP App INT direct /providers/Microsoft.Management/managementGroups/ESJHQA/providers/Microsoft.Authorization/roleAssignments/9f1fe9df-5a9c-46ca-b881-154ecd19eaa7 none 2021-07-06 10:02:27 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
Mg Security Reader 39bc4728-0917-49c7-9d2c-d95423bc2eb4 Builtin false group04NoMembers n/a 5f90ced2-7d5e-493b-9db6-862b9332e20a Group direct 0 (Usr: 0, Grp: 0, SP: 0) /providers/Microsoft.Management/managementGroups/ESJHQA/providers/Microsoft.Authorization/roleAssignments/e010f291-49a9-4d4b-be4d-55c6aeb164cd none 2021-08-06 09:30:11 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg Log Analytics Reader 73c42c96-874c-492b-b04d-ab87d138a893 Builtin false group04NoMembers n/a 5f90ced2-7d5e-493b-9db6-862b9332e20a Group indirect group05OneMemberGroupWithNoMembers (c57f8838-1603-4932-b3c4-9572feea9173) 1 (Usr: 0, Grp: 1, SP: 0) /providers/Microsoft.Management/managementGroups/ESJHQA/providers/Microsoft.Authorization/roleAssignments/fe935a9c-928f-4dec-aafb-54ecc2642cf3 none 2021-08-06 09:30:52 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Mg Log Analytics Reader 73c42c96-874c-492b-b04d-ab87d138a893 Builtin false group05OneMemberGroupWithNoMembers n/a c57f8838-1603-4932-b3c4-9572feea9173 Group direct 1 (Usr: 0, Grp: 1, SP: 0) /providers/Microsoft.Management/managementGroups/ESJHQA/providers/Microsoft.Authorization/roleAssignments/fe935a9c-928f-4dec-aafb-54ecc2642cf3 none 2021-08-06 09:30:52 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Sub Tag Contributor 4a9ae827-6dc8-4573-8ac7-8239d42aa03f Builtin false Tag Bert TagBert@AzGovViz.onmicrosoft.com 9e1643fe-b887-4a53-9071-56801236f719 User Member direct /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleAssignments/1dd61049-04b7-4058-af49-01f9b83159b2 none 2021-07-22 08:57:09 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Sub Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Jack Dalton JackDalton@AzGovViz.onmicrosoft.com c64d2776-a210-428f-b54f-a4a5dd7f8ef8 User Member direct /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleAssignments/2754101a-9df1-48e7-ae2a-836f23710ed7 none 2021-07-19 19:43:09 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Sub User Access Administrator 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 Builtin false Calamity Jane Calamity_Jane_AzGovViz.net#EXT#@AzGovViz.onmicrosoft.com 43b0f5e7-cb78-4e1a-b3da-1239647dfb74 User Guest indirect group03 (e2390190-219f-419f-bdfa-a9f5cc3698cc) 1 (Usr: 1, Grp: 0, SP: 0) /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleAssignments/6bbd9ae3-1189-40bb-8170-7e8674b79159 none 2021-07-21 10:08:04 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Sub User Access Administrator 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 Builtin false group03 n/a e2390190-219f-419f-bdfa-a9f5cc3698cc Group direct 1 (Usr: 1, Grp: 0, SP: 0) /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleAssignments/6bbd9ae3-1189-40bb-8170-7e8674b79159 none 2021-07-21 10:08:04 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Sub User Access Administrator 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 Builtin false Calamity Jane Calamity_Jane_AzGovViz.net#EXT#@AzGovViz.onmicrosoft.com 43b0f5e7-cb78-4e1a-b3da-1239647dfb74 User Guest direct /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleAssignments/70e14253-25d3-447f-9356-ac32985062a4 none 2021-07-19 19:31:24 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
ResourceType Resource Count Created&Changed Created&Changed Subs Created Created Subs Changed Changed Subs
microsoft.keyvault/vaults 1 1 1 1 1 1 1
microsoft.network/networksecuritygroups 2 0 0 0 0 2 1
microsoft.storage/storageaccounts 1 1 1 1 1 1 1

DefinitionInsights

JSON PolicyType Category Deprecated Preview Scope Mg/Sub Scope Name/Id effectDefaultValue hasAssignments Assignments Count Assignments UsedInPolicySet PolicySetsCount PolicySets Roles
{
  "properties": {
    "displayName": "[ASC Private Preview] Configure system-assigned managed identity to enable Azure Monitor assignments on VMs",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "[ASC Private Preview] Configure system-assigned managed identity to virtual machines hosted in Azure that are supported by Azure Monitor that do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Azure Monitor assignments and must be added to machines before using any Azure Monitor extension. Target virtual machines must be in a supported location.",
    "metadata": {
      "category": "Monitoring",
      "version": "3.0.0-preview",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Modify",
          "Disabled"
        ],
        "defaultValue": "Modify"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "location",
            "in": [
              "australiacentral",
              "australiaeast",
              "australiasoutheast",
              "centralindia",
              "centralus",
              "eastasia",
              "eastus",
              "eastus2",
              "germanywestcentral",
              "japaneast",
              "northcentralus",
              "northeurope",
              "southcentralus",
              "southeastasia",
              "uksouth",
              "westcentralus",
              "westeurope",
              "westus",
              "westus2"
            ]
          },
          {
            "anyOf": [
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "RedHat"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "RHEL",
                      "RHEL-SAP-HANA"
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSku",
                        "like": "6.*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSku",
                        "like": "7*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "SUSE"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "SLES",
                      "SLES-HPC",
                      "SLES-HPC-Priority",
                      "SLES-SAP",
                      "SLES-SAP-BYOS",
                      "SLES-Priority",
                      "SLES-BYOS",
                      "SLES-SAPCAL",
                      "SLES-Standard"
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSku",
                        "like": "12*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Canonical"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "UbuntuServer"
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSku",
                        "like": "14.04*LTS"
                      },
                      {
                        "field": "Microsoft.Compute/imageSku",
                        "like": "16.04*LTS"
                      },
                      {
                        "field": "Microsoft.Compute/imageSku",
                        "like": "18.04*LTS"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Oracle"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Oracle-Linux"
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSku",
                        "like": "6.*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSku",
                        "like": "7.*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSku",
                        "like": "7*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "OpenLogic"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "CentOS",
                      "Centos-LVM",
                      "CentOS-SRIOV"
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSku",
                        "like": "6.*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSku",
                        "like": "7*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "cloudera"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "cloudera-centos-os"
                  },
                  {
                    "field": "Microsoft.Compute/imageSku",
                    "like": "7*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "credativ"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "debian"
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSku",
                        "like": "8"
                      },
                      {
                        "field": "Microsoft.Compute/imageSku",
                        "like": "9"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Debian"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "debian-10"
                    ]
                  },
                  {
                    "field": "Microsoft.Compute/imageSku",
                    "like": "10"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "WindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageSku",
                    "in": [
                      "2008-R2-SP1",
                      "2008-R2-SP1-smalldisk",
                      "2012-Datacenter",
                      "2012-Datacenter-smalldisk",
                      "2012-R2-Datacenter",
                      "2012-R2-Datacenter-smalldisk",
                      "2016-Datacenter",
                      "2016-Datacenter-Server-Core",
                      "2016-Datacenter-Server-Core-smalldisk",
                      "2016-Datacenter-smalldisk",
                      "2016-Datacenter-with-Containers",
                      "2016-Datacenter-with-RDSH",
                      "2019-Datacenter",
                      "2019-Datacenter-Core",
                      "2019-Datacenter-Core-smalldisk",
                      "2019-Datacenter-Core-with-Containers",
                      "2019-Datacenter-Core-with-Containers-smalldisk",
                      "2019-Datacenter-smalldisk",
                      "2019-Datacenter-with-Containers",
                      "2019-Datacenter-with-Containers-smalldisk",
                      "2019-Datacenter-zhcn"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "WindowsServerSemiAnnual"
                  },
                  {
                    "field": "Microsoft.Compute/imageSku",
                    "in": [
                      "Datacenter-Core-1709-smalldisk",
                      "Datacenter-Core-1709-with-Containers-smalldisk",
                      "Datacenter-Core-1803-with-Containers-smalldisk"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServerHPCPack"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "WindowsServerHPCPack"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftSQLServer"
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2019"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2019-BYOL"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2016"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2016-BYOL"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2012R2"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2012R2-BYOL"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftRServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "MLServer-WS2016"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftVisualStudio"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "VisualStudio",
                      "Windows"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftDynamicsAX"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Dynamics"
                  },
                  {
                    "field": "Microsoft.Compute/imageSku",
                    "equals": "Pre-Req-AX7-Onebox-U8"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "microsoft-ads"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "windows-data-science-vm"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsDesktop"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Windows-10"
                  }
                ]
              },
              {
                "field": "Microsoft.Compute/virtualMachines/securityProfile.uefiSettings",
                "exists": "true"
              }
            ]
          },
          {
            "value": "[requestContext().apiVersion]",
            "greaterOrEquals": "2018-10-01"
          },
          {
            "field": "identity.type",
            "notContains": "SystemAssigned"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
          ],
          "operations": [
            {
              "operation": "addOrReplace",
              "field": "identity.type",
              "value": "[if(contains(field('identity.type'), 'UserAssigned'), concat(field('identity.type'), ',SystemAssigned'), 'SystemAssigned')]"
            }
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/17b3de92-f710-4cf4-aa55-0e7859f1ed7b",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "17b3de92-f710-4cf4-aa55-0e7859f1ed7b"
}
BuiltIn Monitoring False True n/a n/a Modify false 0 n/a true 1 [Preview]: Configure machines to automatically install the Azure Monitor and Azure Security agents on virtual machines (/providers/microsoft.authorization/policysetdefinitions/a15f3269-2e10-458c-87a4-d5989e678a73) 'Virtual Machine Contributor' (9980e02c-c2be-4d73-94e8-173b1dc7cf3c)
{
  "properties": {
    "displayName": "[Deprecated]: A security contact phone number should be provided for your subscription",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Enter a phone number to receive notifications when Azure Security Center detects compromised resources - This policy is deprecated because phone numbers are no longer used in any scenario by Azure Security Center",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Security Center",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/securityContacts",
          "existenceCondition": {
            "field": "Microsoft.Security/securityContacts/phone",
            "notEquals": ""
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/b4d66858-c922-44e3-9566-5cdb7a7be744",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b4d66858-c922-44e3-9566-5cdb7a7be744"
}
BuiltIn Security Center True False n/a n/a Disabled false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Access to App Services should be restricted",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Azure security center has discovered that the networking configuration of some of your app services are overly permissive and allow inbound traffic from ranges that are too broad",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Security Center",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Web/sites"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/complianceResults",
          "name": "restrictAccessToAppServices",
          "existenceCondition": {
            "field": "Microsoft.Security/complianceResults/resourceStatus",
            "in": [
              "OffByPolicy",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/1a833ff1-d297-4a0f-9944-888428f8e0ff",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "1a833ff1-d297-4a0f-9944-888428f8e0ff"
}
BuiltIn Security Center True False n/a n/a Disabled false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Advanced data security settings for SQL Managed Instance should contain an email address for security alerts",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Ensure that an email address is provided for the 'Send alerts to' field in the advanced data security settings. This email address receives alert notifications when anomalous activities are detected on SQL Managed Instance.",
    "metadata": {
      "version": "1.0.1-deprecated",
      "category": "SQL",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Sql/managedInstances"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Sql/managedInstances/securityAlertPolicies",
          "name": "default",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Sql/managedInstances/securityAlertPolicies/emailAddresses[*]",
                "notEquals": ""
              },
              {
                "field": "Microsoft.Sql/managedInstances/securityAlertPolicies/emailAddresses[*]",
                "exists": "true"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/3965c43d-b5f4-482e-b74a-d89ee0e0b3a8",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "3965c43d-b5f4-482e-b74a-d89ee0e0b3a8"
}
BuiltIn SQL True False n/a n/a Disabled false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Advanced data security settings for SQL server should contain an email address to receive security alerts",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Ensure that an email address is provided for the 'Send alerts to' field in the Advanced Data Security server settings. This email address receives alert notifications when anomalous activities are detected on SQL servers.",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "SQL",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Sql/servers"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Sql/servers/securityAlertPolicies",
          "name": "default",
          "existenceCondition": {
            "field": "Microsoft.Sql/servers/securityAlertPolicies/emailAddresses[*]",
            "notEquals": ""
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/9677b740-f641-4f3c-b9c5-466005c85278",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "9677b740-f641-4f3c-b9c5-466005c85278"
}
BuiltIn SQL True False n/a n/a Disabled false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Advanced Threat Protection types should be set to 'All' in SQL Managed Instance advanced data security settings",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "It's recommended to enable all Advanced Threat Protection types on your SQL Managed Instance. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.",
    "metadata": {
      "version": "1.0.1-deprecated",
      "category": "SQL",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Sql/managedInstances"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Sql/managedInstances/securityAlertPolicies",
          "name": "default",
          "existenceCondition": {
            "field": "Microsoft.Sql/managedInstances/securityAlertPolicies/disabledAlerts[*]",
            "equals": ""
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "bda18df3-5e41-4709-add9-2554ce68c966"
}
BuiltIn SQL True False n/a n/a Disabled false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Advanced Threat Protection types should be set to 'All' in SQL server Advanced Data Security settings",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "It is recommended to enable all Advanced Threat Protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "SQL",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Sql/servers"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Sql/servers/securityAlertPolicies",
          "name": "default",
          "existenceCondition": {
            "field": "Microsoft.Sql/servers/securityAlertPolicies/disabledAlerts[*]",
            "equals": ""
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e756b945-1b1b-480b-8de8-9a0859d5f7ad"
}
BuiltIn SQL True False n/a n/a Disabled false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Allow resource creation if 'department' tag set",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Allows resource creation only if the 'department' tag is set",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Tags",
      "deprecated": true
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "not": {
          "field": "tags",
          "containsKey": "department"
        }
      },
      "then": {
        "effect": "Deny"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/cd8dc879-a2ae-43c3-8211-1877c5755064",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "cd8dc879-a2ae-43c3-8211-1877c5755064"
}
BuiltIn Tags True False n/a n/a n/a false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Allow resource creation if 'environment' tag value in allowed values",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Allows resource creation if the 'environment' tag is set to one of the following values: production, dev, test, staging",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Tags",
      "deprecated": true
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "not": {
          "field": "tags['environment']",
          "in": [
            "production",
            "dev",
            "test",
            "staging"
          ]
        }
      },
      "then": {
        "effect": "Deny"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/ac7e5fc0-c029-4b12-91d4-a8500ce697f9",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ac7e5fc0-c029-4b12-91d4-a8500ce697f9"
}
BuiltIn Tags True False n/a n/a n/a false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Allow resource creation only in Asia data centers",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Allows resource creation in the following locations only: East Asia, Southeast Asia, West India, South India, Central India, Japan East, Japan West",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "General",
      "deprecated": true
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "not": {
          "field": "location",
          "in": [
            "eastasia",
            "southeastasia",
            "westindia",
            "southindia",
            "centralindia",
            "japaneast",
            "japanwest"
          ]
        }
      },
      "then": {
        "effect": "Deny"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c1b9cbed-08e3-427d-b9ce-7c535b1e9b94",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c1b9cbed-08e3-427d-b9ce-7c535b1e9b94"
}
BuiltIn General True False n/a n/a n/a false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Allow resource creation only in European data centers",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Allows resource creation in the following locations only: North Europe, West Europe",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "General",
      "deprecated": true
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "not": {
          "field": "location",
          "in": [
            "northeurope",
            "westeurope"
          ]
        }
      },
      "then": {
        "effect": "Deny"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/94c19f19-8192-48cd-a11b-e37099d3e36b",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "94c19f19-8192-48cd-a11b-e37099d3e36b"
}
BuiltIn General True False n/a n/a n/a false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Allow resource creation only in India data centers",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Allows resource creation in the following locations only: West India, South India, Central India",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "General",
      "deprecated": true
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "not": {
          "field": "location",
          "in": [
            "westindia",
            "southindia",
            "centralindia"
          ]
        }
      },
      "then": {
        "effect": "Deny"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54"
}
BuiltIn General True False n/a n/a n/a false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Allow resource creation only in United States data centers",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Allows resource creation in the following locations only: Central US, East US, East US2, North Central US, South Central US, West US",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "General",
      "deprecated": true
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "not": {
          "field": "location",
          "in": [
            "centralus",
            "eastus",
            "eastus2",
            "northcentralus",
            "southcentralus",
            "westus"
          ]
        }
      },
      "then": {
        "effect": "Deny"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/983211ba-f348-4758-983b-21fa29294869",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "983211ba-f348-4758-983b-21fa29294869"
}
BuiltIn General True False n/a n/a n/a false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: API App should only be accessible over HTTPS",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Security Center",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allof": [
          {
            "field": "type",
            "equals": "microsoft.Web/sites"
          },
          {
            "anyof": [
              {
                "field": "kind",
                "equals": "api"
              },
              {
                "field": "kind",
                "equals": "apiApp"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/complianceResults",
          "name": "OnlyHttpsForApiApp",
          "existenceCondition": {
            "field": "Microsoft.Security/complianceResults/resourceStatus",
            "in": [
              "OffByPolicy",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c85538c1-b527-4ce4-bdb4-1dabcb3fd90d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c85538c1-b527-4ce4-bdb4-1dabcb3fd90d"
}
BuiltIn Security Center True False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: App Service should disable public network access",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disabling public network access improves security by ensuring that the app service is not exposed on the public internet. Creating private endpoints can limit exposure of the app service. Learn more at: https://aka.ms/app-service-private-endpoint.",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "App Service",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites/config"
          },
          {
            "field": "Microsoft.Web/sites/config/PublicNetworkAccess",
            "notEquals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/d79ab062-dffd-4318-8344-f70de714c0bc",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "d79ab062-dffd-4318-8344-f70de714c0bc"
}
BuiltIn App Service True False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit API Applications that are not using latest supported .NET Framework",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Use the latest supported .NET Framework version for the latest security classes. Using older classes and types can make your application vulnerable.",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Security Center",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allof": [
          {
            "field": "type",
            "equals": "microsoft.Web/sites"
          },
          {
            "anyof": [
              {
                "field": "kind",
                "equals": "api"
              },
              {
                "field": "kind",
                "equals": "apiApp"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/complianceResults",
          "name": "UseLatestDotNet",
          "existenceCondition": {
            "field": "Microsoft.Security/complianceResults/resourceStatus",
            "in": [
              "OffByPolicy",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/1de7b11d-1870-41a5-8181-507e7c663cfb",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "1de7b11d-1870-41a5-8181-507e7c663cfb"
}
BuiltIn Security Center True False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit API Applications that are not using latest supported Java Framework",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Use the latest supported Java version for the latest security classes. Using older classes and types can make your application vulnerable.",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Security Center",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allof": [
          {
            "field": "type",
            "equals": "microsoft.Web/sites"
          },
          {
            "anyof": [
              {
                "field": "kind",
                "equals": "api"
              },
              {
                "field": "kind",
                "equals": "apiApp"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/complianceResults",
          "name": "UseLatestJava",
          "existenceCondition": {
            "field": "Microsoft.Security/complianceResults/resourceStatus",
            "in": [
              "OffByPolicy",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/9bfe3727-0a17-471f-a2fe-eddd6b668745",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "9bfe3727-0a17-471f-a2fe-eddd6b668745"
}
BuiltIn Security Center True False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit API Applications that are not using latest supported PHP Framework",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Use the latest supported PHP version for the latest security classes. Using older classes and types can make your application vulnerable.",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Security Center",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allof": [
          {
            "field": "type",
            "equals": "microsoft.Web/sites"
          },
          {
            "anyof": [
              {
                "field": "kind",
                "equals": "api"
              },
              {
                "field": "kind",
                "equals": "apiApp"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/complianceResults",
          "name": "UseLatestPHP",
          "existenceCondition": {
            "field": "Microsoft.Security/complianceResults/resourceStatus",
            "in": [
              "OffByPolicy",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/3fe37002-5d00-4b37-a301-da09e3a0ca66",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "3fe37002-5d00-4b37-a301-da09e3a0ca66"
}
BuiltIn Security Center True False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit API Applications that are not using latest supported Python Framework",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Use the latest supported Python version for the latest security classes. Using older classes and types can make your application vulnerable.",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Security Center",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allof": [
          {
            "field": "type",
            "equals": "microsoft.Web/sites"
          },
          {
            "anyof": [
              {
                "field": "kind",
                "equals": "api"
              },
              {
                "field": "kind",
                "equals": "apiApp"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/complianceResults",
          "name": "UseLatestPython",
          "existenceCondition": {
            "field": "Microsoft.Security/complianceResults/resourceStatus",
            "in": [
              "OffByPolicy",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/bc0378bb-d7ab-4614-a0f6-5a6e3f02d644",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "bc0378bb-d7ab-4614-a0f6-5a6e3f02d644"
}
BuiltIn Security Center True False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit API Apps that are not using custom domains",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Use of custom domains protects a API app from common attacks such as phishing and other DNS-related attacks.",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Security Center",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allof": [
          {
            "field": "type",
            "equals": "microsoft.Web/sites"
          },
          {
            "anyof": [
              {
                "field": "kind",
                "equals": "api"
              },
              {
                "field": "kind",
                "equals": "apiApp"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/complianceResults",
          "name": "UsedCustomDomains",
          "existenceCondition": {
            "field": "Microsoft.Security/complianceResults/resourceStatus",
            "in": [
              "OffByPolicy",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/224da9fe-0d38-4e79-adb3-0a6e2af942ac",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "224da9fe-0d38-4e79-adb3-0a6e2af942ac"
}
BuiltIn Security Center True False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit enabling of diagnostic logs in App Services",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "App Service",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites/config"
          },
          {
            "field": "name",
            "equals": "web"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Web/sites/config/detailedErrorLoggingEnabled",
                "notEquals": "true"
              },
              {
                "field": "Microsoft.Web/sites/config/httpLoggingEnabled",
                "notEquals": "true"
              },
              {
                "field": "Microsoft.Web/sites/config/requestTracingEnabled",
                "notEquals": "true"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/752c6934-9bcc-4749-b004-655e676ae2ac",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "752c6934-9bcc-4749-b004-655e676ae2ac"
}
BuiltIn App Service True False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit Function Apps that are not using custom domains",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Use of custom domains protects a Function app from common attacks such as phishing and other DNS-related attacks.",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Security Center",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allof": [
          {
            "field": "type",
            "equals": "microsoft.Web/sites"
          },
          {
            "anyof": [
              {
                "field": "kind",
                "equals": "functionapp"
              },
              {
                "field": "kind",
                "equals": "functionapp,linux"
              },
              {
                "field": "kind",
                "equals": "functionapp,linux,container"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/complianceResults",
          "name": "UsedCustomDomains",
          "existenceCondition": {
            "field": "Microsoft.Security/complianceResults/resourceStatus",
            "in": [
              "OffByPolicy",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/d1cb47db-b7a1-4c46-814e-aad1c0e84f3c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "d1cb47db-b7a1-4c46-814e-aad1c0e84f3c"
}
BuiltIn Security Center True False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit IP restrictions configuration for a Function App",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "IP Restrictions allow you to define a list of IP addresses that are allowed to access your app. Use of IP Restrictions protects a Function app from common attacks.",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Security Center",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allof": [
          {
            "field": "type",
            "equals": "microsoft.Web/sites"
          },
          {
            "anyof": [
              {
                "field": "kind",
                "equals": "functionapp"
              },
              {
                "field": "kind",
                "equals": "functionapp,linux"
              },
              {
                "field": "kind",
                "equals": "functionapp,linux,container"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/complianceResults",
          "name": "ConfigureIPRestrictions",
          "existenceCondition": {
            "field": "Microsoft.Security/complianceResults/resourceStatus",
            "in": [
              "OffByPolicy",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/664346d9-be92-43fb-a219-d595eeb76a90",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "664346d9-be92-43fb-a219-d595eeb76a90"
}
BuiltIn Security Center True False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit IP restrictions configuration for a Web Application",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "IP Restrictions allow you to define a list of IP addresses that are allowed to access your app. Use of IP Restrictions protects a web application from common attacks.",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Security Center",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allof": [
          {
            "field": "type",
            "equals": "microsoft.Web/sites"
          },
          {
            "anyof": [
              {
                "field": "kind",
                "equals": "app"
              },
              {
                "field": "kind",
                "equals": "WebApp"
              },
              {
                "field": "kind",
                "equals": "app,linux"
              },
              {
                "field": "kind",
                "equals": "app,linux,container"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/complianceResults",
          "name": "ConfigureIPRestrictions",
          "existenceCondition": {
            "field": "Microsoft.Security/complianceResults/resourceStatus",
            "in": [
              "OffByPolicy",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/6a8450e2-6c61-43b4-be65-62e3a197bffe",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "6a8450e2-6c61-43b4-be65-62e3a197bffe"
}
BuiltIn Security Center True False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit IP restrictions configuration for an API App",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "IP Restrictions allow you to define a list of IP addresses that are allowed to access your app. Use of IP Restrictions protects an API app from common attacks.",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Security Center",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allof": [
          {
            "field": "type",
            "equals": "microsoft.Web/sites"
          },
          {
            "anyof": [
              {
                "field": "kind",
                "equals": "api"
              },
              {
                "field": "kind",
                "equals": "apiApp"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/complianceResults",
          "name": "ConfigureIPRestrictions",
          "existenceCondition": {
            "field": "Microsoft.Security/complianceResults/resourceStatus",
            "in": [
              "OffByPolicy",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/48893b84-a2c8-4d9a-badf-835d5d1b7d53",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "48893b84-a2c8-4d9a-badf-835d5d1b7d53"
}
BuiltIn Security Center True False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit Linux virtual machines on which the Linux Guest Configuration extension is not enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy audits Linux virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol.",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Compute/imagePublisher",
                "in": [
                  "microsoft-aks",
                  "qubole-inc",
                  "datastax",
                  "couchbase",
                  "scalegrid",
                  "checkpoint",
                  "paloaltonetworks",
                  "debian"
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "OpenLogic"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "like": "CentOS*"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "notLike": "6*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Oracle"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Oracle-Linux"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "notLike": "6*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "RedHat"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "RHEL",
                      "RHEL-HA",
                      "RHEL-SAP",
                      "RHEL-SAP-APPS",
                      "RHEL-SAP-HA",
                      "RHEL-SAP-HANA"
                    ]
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "notLike": "6*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "RedHat"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "osa",
                      "rhel-byos"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "center-for-internet-security-inc"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "cis-centos-7-l1",
                      "cis-centos-7-v2-1-1-l1",
                      "cis-centos-8-l1",
                      "cis-debian-linux-8-l1",
                      "cis-debian-linux-9-l1",
                      "cis-nginx-centos-7-v1-1-0-l1",
                      "cis-oracle-linux-7-v2-0-0-l1",
                      "cis-oracle-linux-8-l1",
                      "cis-postgresql-11-centos-linux-7-level-1",
                      "cis-rhel-7-l2",
                      "cis-rhel-7-v2-2-0-l1",
                      "cis-rhel-8-l1",
                      "cis-suse-linux-12-v2-0-0-l1",
                      "cis-ubuntu-linux-1604-v1-0-0-l1",
                      "cis-ubuntu-linux-1804-l1"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "credativ"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Debian"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "notLike": "7*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Suse"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "like": "SLES*"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "notLike": "11*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Canonical"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "UbuntuServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "notLike": "12*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "microsoft-dsvm"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "linux-data-science-vm-ubuntu",
                      "azureml"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "cloudera"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "cloudera-centos-os"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "notLike": "6*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "cloudera"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "cloudera-altus-centos-os"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "microsoft-ads"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "like": "linux*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration",
                        "exists": "true"
                      },
                      {
                        "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                        "like": "Linux*"
                      }
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "exists": "false"
                      },
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "notIn": [
                          "OpenLogic",
                          "RedHat",
                          "credativ",
                          "Suse",
                          "Canonical",
                          "microsoft-dsvm",
                          "cloudera",
                          "microsoft-ads",
                          "center-for-internet-security-inc",
                          "Oracle"
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Compute/virtualMachines/extensions",
          "name": "AzurePolicyforLinux",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                "equals": "Microsoft.GuestConfiguration"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/type",
                "equals": "ConfigurationforLinux"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",
                "equals": "Succeeded"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/faf25c8c-9598-4305-b4de-0aee1317fb31",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "faf25c8c-9598-4305-b4de-0aee1317fb31"
}
BuiltIn Guest Configuration True False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit missing blob encryption for storage accounts",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy is no longer necessary because storage blob encryption is enabled by default and cannot be turned off.",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Security Center",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "not": {
              "field": "Microsoft.Storage/storageAccounts/enableBlobEncryption",
              "equals": "True"
            }
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/655cb504-bcee-4362-bd4c-402e6aa38759",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "655cb504-bcee-4362-bd4c-402e6aa38759"
}
BuiltIn Security Center True False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit SQL DB Level Audit Setting",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Audit DB level audit setting for SQL databases",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "SQL",
      "deprecated": true
    },
    "parameters": {
      "setting": {
        "type": "String",
        "metadata": {
          "displayName": "Audit Setting"
        },
        "allowedValues": [
          "enabled",
          "disabled"
        ]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Sql/servers/databases"
          },
          {
            "field": "name",
            "notEquals": "master"
          }
        ]
      },
      "then": {
        "effect": "AuditIfNotExists",
        "details": {
          "type": "Microsoft.Sql/servers/databases/auditingSettings",
          "name": "default",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Sql/auditingSettings.state",
                "equals": "[parameters('setting')]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a12",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "06a78e20-9358-41c9-923c-fb736d382a12"
}
BuiltIn SQL True False n/a n/a n/a false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit Web Applications that are not using custom domains",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Use of custom domains protects a web application from common attacks such as phishing and other DNS-related attacks.",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Security Center",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allof": [
          {
            "field": "type",
            "equals": "microsoft.Web/sites"
          },
          {
            "anyof": [
              {
                "field": "kind",
                "equals": "app"
              },
              {
                "field": "kind",
                "equals": "WebApp"
              },
              {
                "field": "kind",
                "equals": "app,linux"
              },
              {
                "field": "kind",
                "equals": "app,linux,container"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/complianceResults",
          "name": "UsedCustomDomains",
          "existenceCondition": {
            "field": "Microsoft.Security/complianceResults/resourceStatus",
            "in": [
              "OffByPolicy",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/dd2ea520-6b06-45c3-806e-ea297c23e06a",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "dd2ea520-6b06-45c3-806e-ea297c23e06a"
}
BuiltIn Security Center True False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit Web Applications that are not using latest supported .NET Framework",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Use the latest supported .NET Framework version for the latest security classes. Using older classes and types can make your application vulnerable.",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Security Center",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allof": [
          {
            "field": "type",
            "equals": "microsoft.Web/sites"
          },
          {
            "anyof": [
              {
                "field": "kind",
                "equals": "app"
              },
              {
                "field": "kind",
                "equals": "WebApp"
              },
              {
                "field": "kind",
                "equals": "app,linux"
              },
              {
                "field": "kind",
                "equals": "app,linux,container"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/complianceResults",
          "name": "UseLatestDotNet",
          "existenceCondition": {
            "field": "Microsoft.Security/complianceResults/resourceStatus",
            "in": [
              "OffByPolicy",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/5e3315e0-a414-4efb-a4d2-c7bd2b0443d2",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "5e3315e0-a414-4efb-a4d2-c7bd2b0443d2"
}
BuiltIn Security Center True False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit Web Applications that are not using latest supported Java Framework",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Use the latest supported Java version for the latest security classes. Using older classes and types can make your application vulnerable.",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Security Center",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allof": [
          {
            "field": "type",
            "equals": "microsoft.Web/sites"
          },
          {
            "anyof": [
              {
                "field": "kind",
                "equals": "app"
              },
              {
                "field": "kind",
                "equals": "WebApp"
              },
              {
                "field": "kind",
                "equals": "app,linux"
              },
              {
                "field": "kind",
                "equals": "app,linux,container"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/complianceResults",
          "name": "UseLatestJava",
          "existenceCondition": {
            "field": "Microsoft.Security/complianceResults/resourceStatus",
            "in": [
              "OffByPolicy",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/be0a7681-bed4-48dc-9ff3-f0171ee170b6",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "be0a7681-bed4-48dc-9ff3-f0171ee170b6"
}
BuiltIn Security Center True False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit Web Applications that are not using latest supported Node.js Framework",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Use the latest supported Node.js version for the latest security classes. Using older classes and types can make your application vulnerable.",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Security Center",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allof": [
          {
            "field": "type",
            "equals": "microsoft.Web/sites"
          },
          {
            "anyof": [
              {
                "field": "kind",
                "equals": "app,linux"
              },
              {
                "field": "kind",
                "equals": "app,linux,container"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/complianceResults",
          "name": "UseLatestNodeJS",
          "existenceCondition": {
            "field": "Microsoft.Security/complianceResults/resourceStatus",
            "in": [
              "OffByPolicy",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e67687e8-08d5-4e7f-8226-5b4753bba008",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e67687e8-08d5-4e7f-8226-5b4753bba008"
}
BuiltIn Security Center True False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit Web Applications that are not using latest supported PHP Framework",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Use the latest supported PHP version for the latest security classes. Using older classes and types can make your application vulnerable.",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Security Center",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allof": [
          {
            "field": "type",
            "equals": "microsoft.Web/sites"
          },
          {
            "anyof": [
              {
                "field": "kind",
                "equals": "app"
              },
              {
                "field": "kind",
                "equals": "WebApp"
              },
              {
                "field": "kind",
                "equals": "app,linux"
              },
              {
                "field": "kind",
                "equals": "app,linux,container"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/complianceResults",
          "name": "UseLatestPHP",
          "existenceCondition": {
            "field": "Microsoft.Security/complianceResults/resourceStatus",
            "in": [
              "OffByPolicy",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/08b17839-76c6-4015-90e0-33d9d54d219c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "08b17839-76c6-4015-90e0-33d9d54d219c"
}
BuiltIn Security Center True False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit Web Applications that are not using latest supported Python Framework",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Use the latest supported Python version for the latest security classes. Using older classes and types can make your application vulnerable.",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Security Center",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allof": [
          {
            "field": "type",
            "equals": "microsoft.Web/sites"
          },
          {
            "anyof": [
              {
                "field": "kind",
                "equals": "app"
              },
              {
                "field": "kind",
                "equals": "WebApp"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/complianceResults",
          "name": "UseLatestPython",
          "existenceCondition": {
            "field": "Microsoft.Security/complianceResults/resourceStatus",
            "in": [
              "OffByPolicy",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/46544d7b-1f0d-46f5-81da-5c1351de1b06",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "46544d7b-1f0d-46f5-81da-5c1351de1b06"
}
BuiltIn Security Center True False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit Web Sockets state for a Function App",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "The Web Sockets protocol is vulnerable to different types of security threats. Use of Web Sockets within an Function app must be carefully reviewed.",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Security Center",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allof": [
          {
            "field": "type",
            "equals": "microsoft.Web/sites"
          },
          {
            "anyof": [
              {
                "field": "kind",
                "equals": "functionapp"
              },
              {
                "field": "kind",
                "equals": "functionapp,linux"
              },
              {
                "field": "kind",
                "equals": "functionapp,linux,container"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/complianceResults",
          "name": "DisableWebSockets",
          "existenceCondition": {
            "field": "Microsoft.Security/complianceResults/resourceStatus",
            "in": [
              "OffByPolicy",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/001802d1-4969-4c82-a700-c29c6c6f9bbd",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "001802d1-4969-4c82-a700-c29c6c6f9bbd"
}
BuiltIn Security Center True False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit Web Sockets state for a Web Application",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "The Web Sockets protocol is vulnerable to different types of security threats. Use of Web Sockets within a web application must be carefully reviewed.",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Security Center",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allof": [
          {
            "field": "type",
            "equals": "microsoft.Web/sites"
          },
          {
            "anyof": [
              {
                "field": "kind",
                "equals": "app"
              },
              {
                "field": "kind",
                "equals": "WebApp"
              },
              {
                "field": "kind",
                "equals": "app,linux"
              },
              {
                "field": "kind",
                "equals": "app,linux,container"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/complianceResults",
          "name": "DisableWebSockets",
          "existenceCondition": {
            "field": "Microsoft.Security/complianceResults/resourceStatus",
            "in": [
              "OffByPolicy",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e797f851-8be7-4c40-bb56-2e3395215b0e",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e797f851-8be7-4c40-bb56-2e3395215b0e"
}
BuiltIn Security Center True False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit Web Sockets state for an API App",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "The Web Sockets protocol is vulnerable to different types of security threats. Use of Web Sockets within an API app must be carefully reviewed.",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Security Center",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allof": [
          {
            "field": "type",
            "equals": "microsoft.Web/sites"
          },
          {
            "anyof": [
              {
                "field": "kind",
                "equals": "api"
              },
              {
                "field": "kind",
                "equals": "apiApp"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/complianceResults",
          "name": "DisableWebSockets",
          "existenceCondition": {
            "field": "Microsoft.Security/complianceResults/resourceStatus",
            "in": [
              "OffByPolicy",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/b48334a4-911b-4084-b1ab-3e6a4e50b951",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b48334a4-911b-4084-b1ab-3e6a4e50b951"
}
BuiltIn Security Center True False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit Windows virtual machines on which the Windows Guest Configuration extension is not enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy audits Windows virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol.",
    "metadata": {
      "version": "2.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Compute/imagePublisher",
                "in": [
                  "esri",
                  "incredibuild",
                  "MicrosoftDynamicsAX",
                  "MicrosoftSharepoint",
                  "MicrosoftVisualStudio",
                  "MicrosoftWindowsDesktop",
                  "MicrosoftWindowsServerHPCPack"
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "notLike": "2008*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftSQLServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "notLike": "SQL2008*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "microsoft-dsvm"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "dsvm-windows"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "microsoft-ads"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "standard-data-science-vm",
                      "windows-data-science-vm"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "batch"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "rendering-windows2016"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "center-for-internet-security-inc"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "like": "cis-windows-server-201*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "pivotal"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "like": "bosh-windows-server*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "cloud-infrastructure-services"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "like": "ad*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                        "exists": "true"
                      },
                      {
                        "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                        "like": "Windows*"
                      }
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "exists": "false"
                      },
                      {
                        "allOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "notLike": "2008*"
                          },
                          {
                            "field": "Microsoft.Compute/imageOffer",
                            "notLike": "SQL2008*"
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Compute/virtualMachines/extensions",
          "name": "AzurePolicyforWindows",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                "equals": "Microsoft.GuestConfiguration"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/type",
                "equals": "ConfigurationforWindows"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",
                "equals": "Succeeded"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/5fc23db3-dd4d-4c56-bcc7-43626243e601",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "5fc23db3-dd4d-4c56-bcc7-43626243e601"
}
BuiltIn Guest Configuration True False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Automatic provisioning of security monitoring agent",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Installs security agent on VMs for advanced security alerts and preventions in Azure Security Center. Applies only for subscriptions that use Azure Security Center.",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Security Center",
      "deprecated": true
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "Microsoft.Compute/virtualMachines",
          "Microsoft.ClassicCompute/virtualMachines"
        ]
      },
      "then": {
        "effect": "AuditIfNotExists",
        "details": {
          "type": "Microsoft.Security/complianceResults",
          "name": "securityAgent",
          "existenceCondition": {
            "field": "Microsoft.Security/complianceResults/resourceStatus",
            "in": [
              "OffByPolicy",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/abcc6037-1fc4-47f6-aac5-89706589be24",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "abcc6037-1fc4-47f6-aac5-89706589be24"
}
BuiltIn Security Center True False n/a n/a n/a false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Cognitive Services accounts should enable data encryption",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy is deprecated. Cognitive Services have data encryption enforced.",
    "metadata": {
      "version": "2.0.0-deprecated",
      "category": "Cognitive Services",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The effect determines what happens when the policy rule is evaluated to match"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.CognitiveServices/accounts"
          },
          {
            "field": "Microsoft.CognitiveServices/accounts/encryption.keySource",
            "exists": "false"
          },
          {
            "field": "Microsoft.CognitiveServices/accounts/encryption",
            "exists": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/2bdd0062-9d75-436e-89df-487dd8e4b3c7",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "2bdd0062-9d75-436e-89df-487dd8e4b3c7"
}
BuiltIn Cognitive Services True False n/a n/a Disabled false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Cognitive Services accounts should use customer owned storage or enable data encryption.",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy is deprecated. Cognitive Services have data encryption enforced.",
    "metadata": {
      "version": "2.0.0-deprecated",
      "category": "Cognitive Services",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The effect determines what happens when the policy rule is evaluated to match"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.CognitiveServices/accounts"
          },
          {
            "count": {
              "field": "Microsoft.CognitiveServices/accounts/userOwnedStorage[*]"
            },
            "less": 1
          },
          {
            "field": "Microsoft.CognitiveServices/accounts/encryption.keySource",
            "exists": "false"
          },
          {
            "field": "Microsoft.CognitiveServices/accounts/encryption",
            "exists": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/11566b39-f7f7-4b82-ab06-68d8700eb0a4",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "11566b39-f7f7-4b82-ab06-68d8700eb0a4"
}
BuiltIn Cognitive Services True False n/a n/a Disabled false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Deploy default Log Analytics Agent for Ubuntu VMs",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy deploys the Log Analytics Agent on Ubuntu VMs, and connects to the selected Log Analytics workspace",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Compute",
      "deprecated": true
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "Microsoft.Compute/imagePublisher",
            "equals": "Canonical"
          },
          {
            "field": "Microsoft.Compute/imageOffer",
            "equals": "UbuntuServer"
          },
          {
            "field": "Microsoft.Compute/imageSKU",
            "in": [
              "18.04-LTS",
              "16.04-LTS",
              "16.04.0-LTS",
              "14.04.2-LTS",
              "12.04.5-LTS"
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.Compute/virtualMachines/extensions",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/type",
                "equals": "OmsAgentForLinux"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                "equals": "Microsoft.EnterpriseCloud.Monitoring"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[concat(parameters('vmName'),'/omsPolicy')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "apiVersion": "2017-12-01",
                    "properties": {
                      "publisher": "Microsoft.EnterpriseCloud.Monitoring",
                      "type": "OmsAgentForLinux",
                      "typeHandlerVersion": "1.4",
                      "autoUpgradeMinorVersion": true,
                      "settings": {
                        "workspaceId": "[reference(parameters('logAnalytics'), '2015-03-20').customerId]"
                      },
                      "protectedSettings": {
                        "workspaceKey": "[listKeys(parameters('logAnalytics'), '2015-03-20').primarySharedKey]"
                      }
                    }
                  }
                ],
                "outputs": {
                  "policy": {
                    "type": "string",
                    "value": "[concat('Enabled monitoring for Linux VM', ': ', parameters('vmName'))]"
                  }
                }
              },
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/3d8640fc-63f6-4734-8dcb-cfd3d8c78f38",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "3d8640fc-63f6-4734-8dcb-cfd3d8c78f38"
}
BuiltIn Compute True False n/a n/a n/a false 0 n/a false 0 n/a 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Linux virtual machines that allow remote connections from accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "3.0.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "microsoft-aks",
                      "qubole-inc",
                      "datastax",
                      "couchbase",
                      "scalegrid",
                      "checkpoint",
                      "paloaltonetworks",
                      "debian"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "OpenLogic"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "CentOS*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Oracle"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "Oracle-Linux"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "RedHat"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "RHEL",
                          "RHEL-HA",
                          "RHEL-SAP",
                          "RHEL-SAP-APPS",
                          "RHEL-SAP-HA",
                          "RHEL-SAP-HANA"
                        ]
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "RedHat"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "osa",
                          "rhel-byos"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "cis-centos-7-l1",
                          "cis-centos-7-v2-1-1-l1",
                          "cis-centos-8-l1",
                          "cis-debian-linux-8-l1",
                          "cis-debian-linux-9-l1",
                          "cis-nginx-centos-7-v1-1-0-l1",
                          "cis-oracle-linux-7-v2-0-0-l1",
                          "cis-oracle-linux-8-l1",
                          "cis-postgresql-11-centos-linux-7-level-1",
                          "cis-rhel-7-l2",
                          "cis-rhel-7-v2-2-0-l1",
                          "cis-rhel-8-l1",
                          "cis-suse-linux-12-v2-0-0-l1",
                          "cis-ubuntu-linux-1604-v1-0-0-l1",
                          "cis-ubuntu-linux-1804-l1"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "credativ"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "Debian"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "7*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Suse"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "SLES*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "11*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Canonical"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "UbuntuServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "12*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "linux-data-science-vm-ubuntu",
                          "azureml"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloudera"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "cloudera-centos-os"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloudera"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "cloudera-altus-centos-os"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "linux*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Linux*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "exists": "false"
                          },
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "notIn": [
                              "OpenLogic",
                              "RedHat",
                              "credativ",
                              "Suse",
                              "Canonical",
                              "microsoft-dsvm",
                              "cloudera",
                              "microsoft-ads",
                              "center-for-internet-security-inc",
                              "Oracle"
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "linux*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "PasswordPolicy_msid110",
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "PasswordPolicy_msid110"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*"
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*"
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforLinux')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforLinux",
                      "typeHandlerVersion": "1.0",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ec49586f-4939-402d-a29e-6ff502b20592"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit VMs with insecure password security settings (/providers/microsoft.authorization/policysetdefinitions/3fa7cbf5-c0a4-4a59-85a5-cca4d996d5a6) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the passwd file permissions set to 0644. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "3.0.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "microsoft-aks",
                      "qubole-inc",
                      "datastax",
                      "couchbase",
                      "scalegrid",
                      "checkpoint",
                      "paloaltonetworks",
                      "debian"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "OpenLogic"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "CentOS*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Oracle"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "Oracle-Linux"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "RedHat"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "RHEL",
                          "RHEL-HA",
                          "RHEL-SAP",
                          "RHEL-SAP-APPS",
                          "RHEL-SAP-HA",
                          "RHEL-SAP-HANA"
                        ]
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "RedHat"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "osa",
                          "rhel-byos"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "cis-centos-7-l1",
                          "cis-centos-7-v2-1-1-l1",
                          "cis-centos-8-l1",
                          "cis-debian-linux-8-l1",
                          "cis-debian-linux-9-l1",
                          "cis-nginx-centos-7-v1-1-0-l1",
                          "cis-oracle-linux-7-v2-0-0-l1",
                          "cis-oracle-linux-8-l1",
                          "cis-postgresql-11-centos-linux-7-level-1",
                          "cis-rhel-7-l2",
                          "cis-rhel-7-v2-2-0-l1",
                          "cis-rhel-8-l1",
                          "cis-suse-linux-12-v2-0-0-l1",
                          "cis-ubuntu-linux-1604-v1-0-0-l1",
                          "cis-ubuntu-linux-1804-l1"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "credativ"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "Debian"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "7*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Suse"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "SLES*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "11*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Canonical"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "UbuntuServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "12*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "linux-data-science-vm-ubuntu",
                          "azureml"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloudera"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "cloudera-centos-os"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloudera"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "cloudera-altus-centos-os"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "linux*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Linux*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "exists": "false"
                          },
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "notIn": [
                              "OpenLogic",
                              "RedHat",
                              "credativ",
                              "Suse",
                              "Canonical",
                              "microsoft-dsvm",
                              "cloudera",
                              "microsoft-ads",
                              "center-for-internet-security-inc",
                              "Oracle"
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "linux*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "PasswordPolicy_msid121",
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "PasswordPolicy_msid121"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*"
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*"
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforLinux')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforLinux",
                      "typeHandlerVersion": "1.0",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "f19aa1c1-6b91-4c27-ae6a-970279f03db9"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit VMs with insecure password security settings (/providers/microsoft.authorization/policysetdefinitions/3fa7cbf5-c0a4-4a59-85a5-cca4d996d5a6) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the specified applications installed",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "3.0.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "parameters": {
      "ApplicationName": {
        "type": "String",
        "metadata": {
          "displayName": "Application names",
          "description": "A semicolon-separated list of the names of the applications that should be installed. e.g. 'python; powershell'"
        }
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "microsoft-aks",
                      "qubole-inc",
                      "datastax",
                      "couchbase",
                      "scalegrid",
                      "checkpoint",
                      "paloaltonetworks",
                      "debian"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "OpenLogic"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "CentOS*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Oracle"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "Oracle-Linux"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "RedHat"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "RHEL",
                          "RHEL-HA",
                          "RHEL-SAP",
                          "RHEL-SAP-APPS",
                          "RHEL-SAP-HA",
                          "RHEL-SAP-HANA"
                        ]
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "RedHat"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "osa",
                          "rhel-byos"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "cis-centos-7-l1",
                          "cis-centos-7-v2-1-1-l1",
                          "cis-centos-8-l1",
                          "cis-debian-linux-8-l1",
                          "cis-debian-linux-9-l1",
                          "cis-nginx-centos-7-v1-1-0-l1",
                          "cis-oracle-linux-7-v2-0-0-l1",
                          "cis-oracle-linux-8-l1",
                          "cis-postgresql-11-centos-linux-7-level-1",
                          "cis-rhel-7-l2",
                          "cis-rhel-7-v2-2-0-l1",
                          "cis-rhel-8-l1",
                          "cis-suse-linux-12-v2-0-0-l1",
                          "cis-ubuntu-linux-1604-v1-0-0-l1",
                          "cis-ubuntu-linux-1804-l1"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "credativ"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "Debian"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "7*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Suse"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "SLES*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "11*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Canonical"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "UbuntuServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "12*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "linux-data-science-vm-ubuntu",
                          "azureml"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloudera"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "cloudera-centos-os"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloudera"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "cloudera-altus-centos-os"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "linux*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Linux*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "exists": "false"
                          },
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "notIn": [
                              "OpenLogic",
                              "RedHat",
                              "credativ",
                              "Suse",
                              "Canonical",
                              "microsoft-dsvm",
                              "cloudera",
                              "microsoft-ads",
                              "center-for-internet-security-inc",
                              "Oracle"
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "linux*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "installed_application_linux",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
            "equals": "[base64(concat('[ChefInSpec]InstalledApplicationLinuxResource1;AttributesYmlContent', '=', concat('packages: [', replace(parameters('ApplicationName'), ';', ','), ']')))]"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "installed_application_linux"
                },
                "ApplicationName": {
                  "value": "[parameters('ApplicationName')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  },
                  "ApplicationName": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "[ChefInSpec]InstalledApplicationLinuxResource1;AttributesYmlContent",
                            "value": "[concat('packages: [', replace(parameters('ApplicationName'), ';', ','), ']')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "[ChefInSpec]InstalledApplicationLinuxResource1;AttributesYmlContent",
                            "value": "[concat('packages: [', replace(parameters('ApplicationName'), ';', ','), ']')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforLinux')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforLinux",
                      "typeHandlerVersion": "1.0",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/4d1c04de-2172-403f-901b-90608c35c721",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "4d1c04de-2172-403f-901b-90608c35c721"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Linux VMs that do not have the specified applications installed (/providers/microsoft.authorization/policysetdefinitions/c937dcb4-4398-4b39-8d63-4a6be432252e) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Linux VMs that have accounts without passwords",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Linux virtual machines that have accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "3.0.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "microsoft-aks",
                      "qubole-inc",
                      "datastax",
                      "couchbase",
                      "scalegrid",
                      "checkpoint",
                      "paloaltonetworks",
                      "debian"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "OpenLogic"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "CentOS*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Oracle"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "Oracle-Linux"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "RedHat"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "RHEL",
                          "RHEL-HA",
                          "RHEL-SAP",
                          "RHEL-SAP-APPS",
                          "RHEL-SAP-HA",
                          "RHEL-SAP-HANA"
                        ]
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "RedHat"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "osa",
                          "rhel-byos"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "cis-centos-7-l1",
                          "cis-centos-7-v2-1-1-l1",
                          "cis-centos-8-l1",
                          "cis-debian-linux-8-l1",
                          "cis-debian-linux-9-l1",
                          "cis-nginx-centos-7-v1-1-0-l1",
                          "cis-oracle-linux-7-v2-0-0-l1",
                          "cis-oracle-linux-8-l1",
                          "cis-postgresql-11-centos-linux-7-level-1",
                          "cis-rhel-7-l2",
                          "cis-rhel-7-v2-2-0-l1",
                          "cis-rhel-8-l1",
                          "cis-suse-linux-12-v2-0-0-l1",
                          "cis-ubuntu-linux-1604-v1-0-0-l1",
                          "cis-ubuntu-linux-1804-l1"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "credativ"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "Debian"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "7*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Suse"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "SLES*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "11*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Canonical"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "UbuntuServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "12*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "linux-data-science-vm-ubuntu",
                          "azureml"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloudera"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "cloudera-centos-os"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloudera"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "cloudera-altus-centos-os"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "linux*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Linux*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "exists": "false"
                          },
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "notIn": [
                              "OpenLogic",
                              "RedHat",
                              "credativ",
                              "Suse",
                              "Canonical",
                              "microsoft-dsvm",
                              "cloudera",
                              "microsoft-ads",
                              "center-for-internet-security-inc",
                              "Oracle"
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "linux*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "PasswordPolicy_msid232",
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "PasswordPolicy_msid232"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*"
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*"
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforLinux')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforLinux",
                      "typeHandlerVersion": "1.0",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "3470477a-b35a-49db-aca5-1073d04524fe"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit VMs with insecure password security settings (/providers/microsoft.authorization/policysetdefinitions/3fa7cbf5-c0a4-4a59-85a5-cca4d996d5a6) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Linux VMs that have the specified applications installed",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Linux virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "3.0.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "parameters": {
      "ApplicationName": {
        "type": "String",
        "metadata": {
          "displayName": "Application names",
          "description": "A semicolon-separated list of the names of the applications that should not be installed. e.g. 'python; powershell'"
        }
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "microsoft-aks",
                      "qubole-inc",
                      "datastax",
                      "couchbase",
                      "scalegrid",
                      "checkpoint",
                      "paloaltonetworks",
                      "debian"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "OpenLogic"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "CentOS*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Oracle"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "Oracle-Linux"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "RedHat"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "RHEL",
                          "RHEL-HA",
                          "RHEL-SAP",
                          "RHEL-SAP-APPS",
                          "RHEL-SAP-HA",
                          "RHEL-SAP-HANA"
                        ]
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "RedHat"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "osa",
                          "rhel-byos"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "cis-centos-7-l1",
                          "cis-centos-7-v2-1-1-l1",
                          "cis-centos-8-l1",
                          "cis-debian-linux-8-l1",
                          "cis-debian-linux-9-l1",
                          "cis-nginx-centos-7-v1-1-0-l1",
                          "cis-oracle-linux-7-v2-0-0-l1",
                          "cis-oracle-linux-8-l1",
                          "cis-postgresql-11-centos-linux-7-level-1",
                          "cis-rhel-7-l2",
                          "cis-rhel-7-v2-2-0-l1",
                          "cis-rhel-8-l1",
                          "cis-suse-linux-12-v2-0-0-l1",
                          "cis-ubuntu-linux-1604-v1-0-0-l1",
                          "cis-ubuntu-linux-1804-l1"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "credativ"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "Debian"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "7*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Suse"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "SLES*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "11*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Canonical"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "UbuntuServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "12*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "linux-data-science-vm-ubuntu",
                          "azureml"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloudera"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "cloudera-centos-os"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloudera"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "cloudera-altus-centos-os"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "linux*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Linux*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "exists": "false"
                          },
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "notIn": [
                              "OpenLogic",
                              "RedHat",
                              "credativ",
                              "Suse",
                              "Canonical",
                              "microsoft-dsvm",
                              "cloudera",
                              "microsoft-ads",
                              "center-for-internet-security-inc",
                              "Oracle"
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "linux*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "not_installed_application_linux",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
            "equals": "[base64(concat('[ChefInSpec]NotInstalledApplicationLinuxResource1;AttributesYmlContent', '=', concat('packages: [', replace(parameters('ApplicationName'), ';', ','), ']')))]"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "not_installed_application_linux"
                },
                "ApplicationName": {
                  "value": "[parameters('ApplicationName')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  },
                  "ApplicationName": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "[ChefInSpec]NotInstalledApplicationLinuxResource1;AttributesYmlContent",
                            "value": "[concat('packages: [', replace(parameters('ApplicationName'), ';', ','), ']')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "[ChefInSpec]NotInstalledApplicationLinuxResource1;AttributesYmlContent",
                            "value": "[concat('packages: [', replace(parameters('ApplicationName'), ';', ','), ']')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforLinux')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforLinux",
                      "typeHandlerVersion": "1.0",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/884b209a-963b-4520-8006-d20cb3c213e0",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "884b209a-963b-4520-8006-d20cb3c213e0"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Linux VMs that have the specified applications installed (/providers/microsoft.authorization/policysetdefinitions/f48bcc78-5400-4fb0-b913-5140a2e5fa20) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows Server VMs on which Windows Serial Console is not enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows Server virtual machines on which Windows Serial Console is not enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "parameters": {
      "EMSPortNumber": {
        "type": "String",
        "metadata": {
          "displayName": "EMS Port Number",
          "description": "An integer indicating the COM port to be used for the Emergency Management Services (EMS) console redirection. For more information on EMS settings, please visit https://aka.ms/gcpolwsc"
        },
        "allowedValues": [
          "1",
          "2",
          "3",
          "4"
        ],
        "defaultValue": "1"
      },
      "EMSBaudRate": {
        "type": "String",
        "metadata": {
          "displayName": "EMS Baud Rate",
          "description": "An integer indicating the baud rate to be used for the Emergency Management Services (EMS) console redirection. For more information on EMS settings, please visit https://aka.ms/gcpolwsc"
        },
        "allowedValues": [
          "9600",
          "19200",
          "38400",
          "57600",
          "115200"
        ],
        "defaultValue": "115200"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "WindowsSerialConsole",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
            "equals": "[base64(concat('[WindowsSerialConsole]WindowsSerialConsole;EMSPortNumber', '=', parameters('EMSPortNumber'), ',', '[WindowsSerialConsole]WindowsSerialConsole;EMSBaudRate', '=', parameters('EMSBaudRate')))]"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "WindowsSerialConsole"
                },
                "EMSPortNumber": {
                  "value": "[parameters('EMSPortNumber')]"
                },
                "EMSBaudRate": {
                  "value": "[parameters('EMSBaudRate')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  },
                  "EMSPortNumber": {
                    "type": "string"
                  },
                  "EMSBaudRate": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "[WindowsSerialConsole]WindowsSerialConsole;EMSPortNumber",
                            "value": "[parameters('EMSPortNumber')]"
                          },
                          {
                            "name": "[WindowsSerialConsole]WindowsSerialConsole;EMSBaudRate",
                            "value": "[parameters('EMSBaudRate')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "[WindowsSerialConsole]WindowsSerialConsole;EMSPortNumber",
                            "value": "[parameters('EMSPortNumber')]"
                          },
                          {
                            "name": "[WindowsSerialConsole]WindowsSerialConsole;EMSBaudRate",
                            "value": "[parameters('EMSBaudRate')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/7a031c68-d6ab-406e-a506-697a19c634b0",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "7a031c68-d6ab-406e-a506-697a19c634b0"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows Server VMs on which Windows Serial Console is not enabled (/providers/microsoft.authorization/policysetdefinitions/acb6cd8e-45f5-466f-b3cb-ff6fce525f71) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_AdministrativeTemplatesControlPanel",
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "AzureBaseline_AdministrativeTemplatesControlPanel"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*"
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*"
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/ec7ac234-2af5-4729-94d2-c557c071799d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ec7ac234-2af5-4729-94d2-c557c071799d"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_AdminstrativeTemplatesMSSLegacy",
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "AzureBaseline_AdminstrativeTemplatesMSSLegacy"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*"
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*"
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/f1f4825d-58fb-4257-8016-8c00e3c9ed9d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "f1f4825d-58fb-4257-8016-8c00e3c9ed9d"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.1.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "parameters": {
      "EnableInsecureGuestLogons": {
        "type": "String",
        "metadata": {
          "displayName": "Enable insecure guest logons",
          "description": "Specifies whether the SMB client will allow insecure guest logons to an SMB server."
        },
        "defaultValue": "0"
      },
      "AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain": {
        "type": "String",
        "metadata": {
          "displayName": "Allow simultaneous connections to the Internet or a Windows Domain",
          "description": "Specify whether to prevent computers from connecting to both a domain based network and a non-domain based network at the same time. A value of 0 allows simultaneous connections, and a value of 1 blocks them."
        },
        "defaultValue": "1"
      },
      "TurnOffMulticastNameResolution": {
        "type": "String",
        "metadata": {
          "displayName": "Turn off multicast name resolution",
          "description": "Specifies whether LLMNR, a secondary name resolution protocol that transmits using multicast over a local subnet link on a single subnet, is enabled."
        },
        "defaultValue": "1"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_AdministrativeTemplatesNetwork",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
            "equals": "[base64(concat('Enable insecure guest logons;ExpectedValue', '=', parameters('EnableInsecureGuestLogons'), ',', 'Minimize the number of simultaneous connections to the Internet or a Windows Domain;ExpectedValue', '=', parameters('AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'), ',', 'Turn off multicast name resolution;ExpectedValue', '=', parameters('TurnOffMulticastNameResolution')))]"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "AzureBaseline_AdministrativeTemplatesNetwork"
                },
                "EnableInsecureGuestLogons": {
                  "value": "[parameters('EnableInsecureGuestLogons')]"
                },
                "AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain": {
                  "value": "[parameters('AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain')]"
                },
                "TurnOffMulticastNameResolution": {
                  "value": "[parameters('TurnOffMulticastNameResolution')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  },
                  "EnableInsecureGuestLogons": {
                    "type": "string"
                  },
                  "AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain": {
                    "type": "string"
                  },
                  "TurnOffMulticastNameResolution": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "Enable insecure guest logons;ExpectedValue",
                            "value": "[parameters('EnableInsecureGuestLogons')]"
                          },
                          {
                            "name": "Minimize the number of simultaneous connections to the Internet or a Windows Domain;ExpectedValue",
                            "value": "[parameters('AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain')]"
                          },
                          {
                            "name": "Turn off multicast name resolution;ExpectedValue",
                            "value": "[parameters('TurnOffMulticastNameResolution')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "Enable insecure guest logons;ExpectedValue",
                            "value": "[parameters('EnableInsecureGuestLogons')]"
                          },
                          {
                            "name": "Minimize the number of simultaneous connections to the Internet or a Windows Domain;ExpectedValue",
                            "value": "[parameters('AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain')]"
                          },
                          {
                            "name": "Turn off multicast name resolution;ExpectedValue",
                            "value": "[parameters('TurnOffMulticastNameResolution')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/985285b7-b97a-419c-8d48-c88cc934c8d8",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "985285b7-b97a-419c-8d48-c88cc934c8d8"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "parameters": {
      "AlwaysUseClassicLogon": {
        "type": "String",
        "metadata": {
          "displayName": "Always use classic logon",
          "description": "Specifies whether to force the user to log on to the computer using the classic logon screen. This setting only works when the computer is not on a domain."
        },
        "defaultValue": "0"
      },
      "BootStartDriverInitializationPolicy": {
        "type": "String",
        "metadata": {
          "displayName": "Boot-Start Driver Initialization Policy",
          "description": "Specifies which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver."
        },
        "defaultValue": "3"
      },
      "EnableWindowsNTPClient": {
        "type": "String",
        "metadata": {
          "displayName": "Enable Windows NTP Client",
          "description": "Specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers."
        },
        "defaultValue": "1"
      },
      "TurnOnConveniencePINSignin": {
        "type": "String",
        "metadata": {
          "displayName": "Turn on convenience PIN sign-in",
          "description": "Specifies whether a domain user can sign in using a convenience PIN."
        },
        "defaultValue": "0"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_AdministrativeTemplatesSystem",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
            "equals": "[base64(concat('Always use classic logon;ExpectedValue', '=', parameters('AlwaysUseClassicLogon'), ',', 'Boot-Start Driver Initialization Policy;ExpectedValue', '=', parameters('BootStartDriverInitializationPolicy'), ',', 'Enable Windows NTP Client;ExpectedValue', '=', parameters('EnableWindowsNTPClient'), ',', 'Turn on convenience PIN sign-in;ExpectedValue', '=', parameters('TurnOnConveniencePINSignin')))]"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "AzureBaseline_AdministrativeTemplatesSystem"
                },
                "AlwaysUseClassicLogon": {
                  "value": "[parameters('AlwaysUseClassicLogon')]"
                },
                "BootStartDriverInitializationPolicy": {
                  "value": "[parameters('BootStartDriverInitializationPolicy')]"
                },
                "EnableWindowsNTPClient": {
                  "value": "[parameters('EnableWindowsNTPClient')]"
                },
                "TurnOnConveniencePINSignin": {
                  "value": "[parameters('TurnOnConveniencePINSignin')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  },
                  "AlwaysUseClassicLogon": {
                    "type": "string"
                  },
                  "BootStartDriverInitializationPolicy": {
                    "type": "string"
                  },
                  "EnableWindowsNTPClient": {
                    "type": "string"
                  },
                  "TurnOnConveniencePINSignin": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "Always use classic logon;ExpectedValue",
                            "value": "[parameters('AlwaysUseClassicLogon')]"
                          },
                          {
                            "name": "Boot-Start Driver Initialization Policy;ExpectedValue",
                            "value": "[parameters('BootStartDriverInitializationPolicy')]"
                          },
                          {
                            "name": "Enable Windows NTP Client;ExpectedValue",
                            "value": "[parameters('EnableWindowsNTPClient')]"
                          },
                          {
                            "name": "Turn on convenience PIN sign-in;ExpectedValue",
                            "value": "[parameters('TurnOnConveniencePINSignin')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "Always use classic logon;ExpectedValue",
                            "value": "[parameters('AlwaysUseClassicLogon')]"
                          },
                          {
                            "name": "Boot-Start Driver Initialization Policy;ExpectedValue",
                            "value": "[parameters('BootStartDriverInitializationPolicy')]"
                          },
                          {
                            "name": "Enable Windows NTP Client;ExpectedValue",
                            "value": "[parameters('EnableWindowsNTPClient')]"
                          },
                          {
                            "name": "Turn on convenience PIN sign-in;ExpectedValue",
                            "value": "[parameters('TurnOnConveniencePINSignin')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/40917425-69db-4018-8dae-2a0556cef899",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "40917425-69db-4018-8dae-2a0556cef899"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "parameters": {
      "AccountsGuestAccountStatus": {
        "type": "String",
        "metadata": {
          "displayName": "Accounts: Guest account status",
          "description": "Specifies whether the local Guest account is disabled."
        },
        "defaultValue": "0"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SecurityOptionsAccounts",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
            "equals": "[base64(concat('Accounts: Guest account status;ExpectedValue', '=', parameters('AccountsGuestAccountStatus')))]"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "AzureBaseline_SecurityOptionsAccounts"
                },
                "AccountsGuestAccountStatus": {
                  "value": "[parameters('AccountsGuestAccountStatus')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  },
                  "AccountsGuestAccountStatus": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "Accounts: Guest account status;ExpectedValue",
                            "value": "[parameters('AccountsGuestAccountStatus')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "Accounts: Guest account status;ExpectedValue",
                            "value": "[parameters('AccountsGuestAccountStatus')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e5b81f87-9185-4224-bf00-9f505e9f89f3",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e5b81f87-9185-4224-bf00-9f505e9f89f3"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "parameters": {
      "AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits": {
        "type": "String",
        "metadata": {
          "displayName": "Audit: Shut down system immediately if unable to log security audits",
          "description": "Audits if the system will shut down when unable to log Security events."
        },
        "defaultValue": "0"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SecurityOptionsAudit",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
            "equals": "[base64(concat('Audit: Shut down system immediately if unable to log security audits;ExpectedValue', '=', parameters('AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits')))]"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "AzureBaseline_SecurityOptionsAudit"
                },
                "AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits": {
                  "value": "[parameters('AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  },
                  "AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "Audit: Shut down system immediately if unable to log security audits;ExpectedValue",
                            "value": "[parameters('AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "Audit: Shut down system immediately if unable to log security audits;ExpectedValue",
                            "value": "[parameters('AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/498b810c-59cd-4222-9338-352ba146ccf3",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "498b810c-59cd-4222-9338-352ba146ccf3"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "parameters": {
      "DevicesAllowedToFormatAndEjectRemovableMedia": {
        "type": "String",
        "metadata": {
          "displayName": "Devices: Allowed to format and eject removable media",
          "description": "Specifies who is allowed to format and eject removable NTFS media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges."
        },
        "defaultValue": "0"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SecurityOptionsDevices",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
            "equals": "[base64(concat('Devices: Allowed to format and eject removable media;ExpectedValue', '=', parameters('DevicesAllowedToFormatAndEjectRemovableMedia')))]"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "AzureBaseline_SecurityOptionsDevices"
                },
                "DevicesAllowedToFormatAndEjectRemovableMedia": {
                  "value": "[parameters('DevicesAllowedToFormatAndEjectRemovableMedia')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  },
                  "DevicesAllowedToFormatAndEjectRemovableMedia": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "Devices: Allowed to format and eject removable media;ExpectedValue",
                            "value": "[parameters('DevicesAllowedToFormatAndEjectRemovableMedia')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "Devices: Allowed to format and eject removable media;ExpectedValue",
                            "value": "[parameters('DevicesAllowedToFormatAndEjectRemovableMedia')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/6481cc21-ed6e-4480-99dd-ea7c5222e897",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "6481cc21-ed6e-4480-99dd-ea7c5222e897"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SecurityOptionsInteractiveLogon",
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "AzureBaseline_SecurityOptionsInteractiveLogon"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*"
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*"
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/3750712b-43d0-478e-9966-d2c26f6141b9",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "3750712b-43d0-478e-9966-d2c26f6141b9"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "parameters": {
      "MicrosoftNetworkClientDigitallySignCommunicationsAlways": {
        "type": "String",
        "metadata": {
          "displayName": "Microsoft network client: Digitally sign communications (always)",
          "description": "Specifies whether packet signing is required by the SMB client component."
        },
        "defaultValue": "1"
      },
      "MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers": {
        "type": "String",
        "metadata": {
          "displayName": "Microsoft network client: Send unencrypted password to third-party SMB servers",
          "description": "Specifies whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it."
        },
        "defaultValue": "0"
      },
      "MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession": {
        "type": "String",
        "metadata": {
          "displayName": "Microsoft network server: Amount of idle time required before suspending session",
          "description": "Specifies the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. The format of the value is two integers separated by a comma, denoting an inclusive range."
        },
        "defaultValue": "1,15"
      },
      "MicrosoftNetworkServerDigitallySignCommunicationsAlways": {
        "type": "String",
        "metadata": {
          "displayName": "Microsoft network server: Digitally sign communications (always)",
          "description": "Specifies whether packet signing is required by the SMB server component."
        },
        "defaultValue": "1"
      },
      "MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire": {
        "type": "String",
        "metadata": {
          "displayName": "Microsoft network server: Disconnect clients when logon hours expire",
          "description": "Specifies whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable 'Network security: Force logoff when logon hours expire'"
        },
        "defaultValue": "1"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SecurityOptionsMicrosoftNetworkClient",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
            "equals": "[base64(concat('Microsoft network client: Digitally sign communications (always);ExpectedValue', '=', parameters('MicrosoftNetworkClientDigitallySignCommunicationsAlways'), ',', 'Microsoft network client: Send unencrypted password to third-party SMB servers;ExpectedValue', '=', parameters('MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'), ',', 'Microsoft network server: Amount of idle time required before suspending session;ExpectedValue', '=', parameters('MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'), ',', 'Microsoft network server: Digitally sign communications (always);ExpectedValue', '=', parameters('MicrosoftNetworkServerDigitallySignCommunicationsAlways'), ',', 'Microsoft network server: Disconnect clients when logon hours expire;ExpectedValue', '=', parameters('MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire')))]"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "AzureBaseline_SecurityOptionsMicrosoftNetworkClient"
                },
                "MicrosoftNetworkClientDigitallySignCommunicationsAlways": {
                  "value": "[parameters('MicrosoftNetworkClientDigitallySignCommunicationsAlways')]"
                },
                "MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers": {
                  "value": "[parameters('MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers')]"
                },
                "MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession": {
                  "value": "[parameters('MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession')]"
                },
                "MicrosoftNetworkServerDigitallySignCommunicationsAlways": {
                  "value": "[parameters('MicrosoftNetworkServerDigitallySignCommunicationsAlways')]"
                },
                "MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire": {
                  "value": "[parameters('MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  },
                  "MicrosoftNetworkClientDigitallySignCommunicationsAlways": {
                    "type": "string"
                  },
                  "MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers": {
                    "type": "string"
                  },
                  "MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession": {
                    "type": "string"
                  },
                  "MicrosoftNetworkServerDigitallySignCommunicationsAlways": {
                    "type": "string"
                  },
                  "MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "Microsoft network client: Digitally sign communications (always);ExpectedValue",
                            "value": "[parameters('MicrosoftNetworkClientDigitallySignCommunicationsAlways')]"
                          },
                          {
                            "name": "Microsoft network client: Send unencrypted password to third-party SMB servers;ExpectedValue",
                            "value": "[parameters('MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers')]"
                          },
                          {
                            "name": "Microsoft network server: Amount of idle time required before suspending session;ExpectedValue",
                            "value": "[parameters('MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession')]"
                          },
                          {
                            "name": "Microsoft network server: Digitally sign communications (always);ExpectedValue",
                            "value": "[parameters('MicrosoftNetworkServerDigitallySignCommunicationsAlways')]"
                          },
                          {
                            "name": "Microsoft network server: Disconnect clients when logon hours expire;ExpectedValue",
                            "value": "[parameters('MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "Microsoft network client: Digitally sign communications (always);ExpectedValue",
                            "value": "[parameters('MicrosoftNetworkClientDigitallySignCommunicationsAlways')]"
                          },
                          {
                            "name": "Microsoft network client: Send unencrypted password to third-party SMB servers;ExpectedValue",
                            "value": "[parameters('MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers')]"
                          },
                          {
                            "name": "Microsoft network server: Amount of idle time required before suspending session;ExpectedValue",
                            "value": "[parameters('MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession')]"
                          },
                          {
                            "name": "Microsoft network server: Digitally sign communications (always);ExpectedValue",
                            "value": "[parameters('MicrosoftNetworkServerDigitallySignCommunicationsAlways')]"
                          },
                          {
                            "name": "Microsoft network server: Disconnect clients when logon hours expire;ExpectedValue",
                            "value": "[parameters('MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/bbcdd8fa-b600-4ee3-85b8-d184e3339652",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "bbcdd8fa-b600-4ee3-85b8-d184e3339652"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SecurityOptionsMicrosoftNetworkServer",
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "AzureBaseline_SecurityOptionsMicrosoftNetworkServer"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*"
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*"
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/86880e5c-df35-43c5-95ad-7e120635775e",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "86880e5c-df35-43c5-95ad-7e120635775e"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "parameters": {
      "NetworkAccessRemotelyAccessibleRegistryPaths": {
        "type": "String",
        "metadata": {
          "displayName": "Network access: Remotely accessible registry paths",
          "description": "Specifies which registry paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the `winreg` registry key."
        },
        "defaultValue": "System\\CurrentControlSet\\Control\\ProductOptions|#|System\\CurrentControlSet\\Control\\Server Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"
      },
      "NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths": {
        "type": "String",
        "metadata": {
          "displayName": "Network access: Remotely accessible registry paths and sub-paths",
          "description": "Specifies which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the `winreg` registry key."
        },
        "defaultValue": "System\\CurrentControlSet\\Control\\Print\\Printers|#|System\\CurrentControlSet\\Services\\Eventlog|#|Software\\Microsoft\\OLAP Server|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|#|System\\CurrentControlSet\\Control\\ContentIndex|#|System\\CurrentControlSet\\Control\\Terminal Server|#|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|#|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"
      },
      "NetworkAccessSharesThatCanBeAccessedAnonymously": {
        "type": "String",
        "metadata": {
          "displayName": "Network access: Shares that can be accessed anonymously",
          "description": "Specifies which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server."
        },
        "defaultValue": "0"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SecurityOptionsNetworkAccess",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
            "equals": "[base64(concat('Network access: Remotely accessible registry paths;ExpectedValue', '=', parameters('NetworkAccessRemotelyAccessibleRegistryPaths'), ',', 'Network access: Remotely accessible registry paths and sub-paths;ExpectedValue', '=', parameters('NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'), ',', 'Network access: Shares that can be accessed anonymously;ExpectedValue', '=', parameters('NetworkAccessSharesThatCanBeAccessedAnonymously')))]"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "AzureBaseline_SecurityOptionsNetworkAccess"
                },
                "NetworkAccessRemotelyAccessibleRegistryPaths": {
                  "value": "[parameters('NetworkAccessRemotelyAccessibleRegistryPaths')]"
                },
                "NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths": {
                  "value": "[parameters('NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths')]"
                },
                "NetworkAccessSharesThatCanBeAccessedAnonymously": {
                  "value": "[parameters('NetworkAccessSharesThatCanBeAccessedAnonymously')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  },
                  "NetworkAccessRemotelyAccessibleRegistryPaths": {
                    "type": "string"
                  },
                  "NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths": {
                    "type": "string"
                  },
                  "NetworkAccessSharesThatCanBeAccessedAnonymously": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "Network access: Remotely accessible registry paths;ExpectedValue",
                            "value": "[parameters('NetworkAccessRemotelyAccessibleRegistryPaths')]"
                          },
                          {
                            "name": "Network access: Remotely accessible registry paths and sub-paths;ExpectedValue",
                            "value": "[parameters('NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths')]"
                          },
                          {
                            "name": "Network access: Shares that can be accessed anonymously;ExpectedValue",
                            "value": "[parameters('NetworkAccessSharesThatCanBeAccessedAnonymously')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "Network access: Remotely accessible registry paths;ExpectedValue",
                            "value": "[parameters('NetworkAccessRemotelyAccessibleRegistryPaths')]"
                          },
                          {
                            "name": "Network access: Remotely accessible registry paths and sub-paths;ExpectedValue",
                            "value": "[parameters('NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths')]"
                          },
                          {
                            "name": "Network access: Shares that can be accessed anonymously;ExpectedValue",
                            "value": "[parameters('NetworkAccessSharesThatCanBeAccessedAnonymously')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/f56a3ab2-89d1-44de-ac0d-2ada5962e22a",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "f56a3ab2-89d1-44de-ac0d-2ada5962e22a"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "parameters": {
      "NetworkSecurityConfigureEncryptionTypesAllowedForKerberos": {
        "type": "String",
        "metadata": {
          "displayName": "Network Security: Configure encryption types allowed for Kerberos",
          "description": "Specifies the encryption types that Kerberos is allowed to use."
        },
        "defaultValue": "2147483644"
      },
      "NetworkSecurityLANManagerAuthenticationLevel": {
        "type": "String",
        "metadata": {
          "displayName": "Network security: LAN Manager authentication level",
          "description": "Specify which challenge-response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers."
        },
        "defaultValue": "5"
      },
      "NetworkSecurityLDAPClientSigningRequirements": {
        "type": "String",
        "metadata": {
          "displayName": "Network security: LDAP client signing requirements",
          "description": "Specify the level of data signing that is requested on behalf of clients that issue LDAP BIND requests."
        },
        "defaultValue": "1"
      },
      "NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients": {
        "type": "String",
        "metadata": {
          "displayName": "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients",
          "description": "Specifies which behaviors are allowed by clients for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. See https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers for more information."
        },
        "defaultValue": "537395200"
      },
      "NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers": {
        "type": "String",
        "metadata": {
          "displayName": "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers",
          "description": "Specifies which behaviors are allowed by servers for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services."
        },
        "defaultValue": "537395200"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SecurityOptionsNetworkSecurity",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
            "equals": "[base64(concat('Network Security: Configure encryption types allowed for Kerberos;ExpectedValue', '=', parameters('NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'), ',', 'Network security: LAN Manager authentication level;ExpectedValue', '=', parameters('NetworkSecurityLANManagerAuthenticationLevel'), ',', 'Network security: LDAP client signing requirements;ExpectedValue', '=', parameters('NetworkSecurityLDAPClientSigningRequirements'), ',', 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients;ExpectedValue', '=', parameters('NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'), ',', 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers;ExpectedValue', '=', parameters('NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers')))]"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "AzureBaseline_SecurityOptionsNetworkSecurity"
                },
                "NetworkSecurityConfigureEncryptionTypesAllowedForKerberos": {
                  "value": "[parameters('NetworkSecurityConfigureEncryptionTypesAllowedForKerberos')]"
                },
                "NetworkSecurityLANManagerAuthenticationLevel": {
                  "value": "[parameters('NetworkSecurityLANManagerAuthenticationLevel')]"
                },
                "NetworkSecurityLDAPClientSigningRequirements": {
                  "value": "[parameters('NetworkSecurityLDAPClientSigningRequirements')]"
                },
                "NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients": {
                  "value": "[parameters('NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients')]"
                },
                "NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers": {
                  "value": "[parameters('NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  },
                  "NetworkSecurityConfigureEncryptionTypesAllowedForKerberos": {
                    "type": "string"
                  },
                  "NetworkSecurityLANManagerAuthenticationLevel": {
                    "type": "string"
                  },
                  "NetworkSecurityLDAPClientSigningRequirements": {
                    "type": "string"
                  },
                  "NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients": {
                    "type": "string"
                  },
                  "NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "Network Security: Configure encryption types allowed for Kerberos;ExpectedValue",
                            "value": "[parameters('NetworkSecurityConfigureEncryptionTypesAllowedForKerberos')]"
                          },
                          {
                            "name": "Network security: LAN Manager authentication level;ExpectedValue",
                            "value": "[parameters('NetworkSecurityLANManagerAuthenticationLevel')]"
                          },
                          {
                            "name": "Network security: LDAP client signing requirements;ExpectedValue",
                            "value": "[parameters('NetworkSecurityLDAPClientSigningRequirements')]"
                          },
                          {
                            "name": "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients;ExpectedValue",
                            "value": "[parameters('NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients')]"
                          },
                          {
                            "name": "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers;ExpectedValue",
                            "value": "[parameters('NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "Network Security: Configure encryption types allowed for Kerberos;ExpectedValue",
                            "value": "[parameters('NetworkSecurityConfigureEncryptionTypesAllowedForKerberos')]"
                          },
                          {
                            "name": "Network security: LAN Manager authentication level;ExpectedValue",
                            "value": "[parameters('NetworkSecurityLANManagerAuthenticationLevel')]"
                          },
                          {
                            "name": "Network security: LDAP client signing requirements;ExpectedValue",
                            "value": "[parameters('NetworkSecurityLDAPClientSigningRequirements')]"
                          },
                          {
                            "name": "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients;ExpectedValue",
                            "value": "[parameters('NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients')]"
                          },
                          {
                            "name": "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers;ExpectedValue",
                            "value": "[parameters('NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/36e17963-7202-494a-80c3-f508211c826b",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "36e17963-7202-494a-80c3-f508211c826b"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "parameters": {
      "RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders": {
        "type": "String",
        "metadata": {
          "displayName": "Recovery console: Allow floppy copy and access to all drives and all folders",
          "description": "Specifies whether to make the Recovery Console SET command available, which allows setting of recovery console environment variables."
        },
        "defaultValue": "0"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SecurityOptionsRecoveryconsole",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
            "equals": "[base64(concat('Recovery console: Allow floppy copy and access to all drives and all folders;ExpectedValue', '=', parameters('RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders')))]"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "AzureBaseline_SecurityOptionsRecoveryconsole"
                },
                "RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders": {
                  "value": "[parameters('RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  },
                  "RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "Recovery console: Allow floppy copy and access to all drives and all folders;ExpectedValue",
                            "value": "[parameters('RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "Recovery console: Allow floppy copy and access to all drives and all folders;ExpectedValue",
                            "value": "[parameters('RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "parameters": {
      "ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn": {
        "type": "String",
        "metadata": {
          "displayName": "Shutdown: Allow system to be shut down without having to log on",
          "description": "Specifies whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows logon screen."
        },
        "defaultValue": "0"
      },
      "ShutdownClearVirtualMemoryPagefile": {
        "type": "String",
        "metadata": {
          "displayName": "Shutdown: Clear virtual memory pagefile",
          "description": "Specifies whether the virtual memory pagefile is cleared when the system is shut down. When this policy setting is enabled, the system pagefile is cleared each time that the system shuts down properly. For systems with large amounts of RAM, this could result in substantial time needed to complete the shutdown."
        },
        "defaultValue": "0"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SecurityOptionsShutdown",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
            "equals": "[base64(concat('Shutdown: Allow system to be shut down without having to log on;ExpectedValue', '=', parameters('ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'), ',', 'Shutdown: Clear virtual memory pagefile;ExpectedValue', '=', parameters('ShutdownClearVirtualMemoryPagefile')))]"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "AzureBaseline_SecurityOptionsShutdown"
                },
                "ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn": {
                  "value": "[parameters('ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn')]"
                },
                "ShutdownClearVirtualMemoryPagefile": {
                  "value": "[parameters('ShutdownClearVirtualMemoryPagefile')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  },
                  "ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn": {
                    "type": "string"
                  },
                  "ShutdownClearVirtualMemoryPagefile": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "Shutdown: Allow system to be shut down without having to log on;ExpectedValue",
                            "value": "[parameters('ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn')]"
                          },
                          {
                            "name": "Shutdown: Clear virtual memory pagefile;ExpectedValue",
                            "value": "[parameters('ShutdownClearVirtualMemoryPagefile')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "Shutdown: Allow system to be shut down without having to log on;ExpectedValue",
                            "value": "[parameters('ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn')]"
                          },
                          {
                            "name": "Shutdown: Clear virtual memory pagefile;ExpectedValue",
                            "value": "[parameters('ShutdownClearVirtualMemoryPagefile')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/1f8c20ce-3414-4496-8b26-0e902a1541da",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "1f8c20ce-3414-4496-8b26-0e902a1541da"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SecurityOptionsSystemobjects",
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "AzureBaseline_SecurityOptionsSystemobjects"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*"
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*"
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/12ae2d24-3805-4b37-9fa9-465968bfbcfa",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "12ae2d24-3805-4b37-9fa9-465968bfbcfa"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "parameters": {
      "SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies": {
        "type": "String",
        "metadata": {
          "displayName": "System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies",
          "description": "Specifies whether digital certificates are processed when software restriction policies are enabled and a user or process attempts to run software with an .exe file name extension. It enables or disables certificate rules (a type of software restriction policies rule). For certificate rules to take effect in software restriction policies, you must enable this policy setting."
        },
        "defaultValue": "1"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SecurityOptionsSystemsettings",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
            "equals": "[base64(concat('System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies;ExpectedValue', '=', parameters('SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies')))]"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "AzureBaseline_SecurityOptionsSystemsettings"
                },
                "SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies": {
                  "value": "[parameters('SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  },
                  "SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies;ExpectedValue",
                            "value": "[parameters('SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies;ExpectedValue",
                            "value": "[parameters('SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/437a1f8f-8552-47a8-8b12-a2fee3269dd5",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "437a1f8f-8552-47a8-8b12-a2fee3269dd5"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "parameters": {
      "UACAdminApprovalModeForTheBuiltinAdministratorAccount": {
        "type": "String",
        "metadata": {
          "displayName": "UAC: Admin Approval Mode for the Built-in Administrator account",
          "description": "Specifies the behavior of Admin Approval Mode for the built-in Administrator account."
        },
        "defaultValue": "1"
      },
      "UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode": {
        "type": "String",
        "metadata": {
          "displayName": "UAC: Behavior of the elevation prompt for administrators in Admin Approval Mode",
          "description": "Specifies the behavior of the elevation prompt for administrators."
        },
        "defaultValue": "2"
      },
      "UACDetectApplicationInstallationsAndPromptForElevation": {
        "type": "String",
        "metadata": {
          "displayName": "UAC: Detect application installations and prompt for elevation",
          "description": "Specifies the behavior of application installation detection for the computer."
        },
        "defaultValue": "1"
      },
      "UACRunAllAdministratorsInAdminApprovalMode": {
        "type": "String",
        "metadata": {
          "displayName": "UAC: Run all administrators in Admin Approval Mode",
          "description": "Specifies the behavior of all User Account Control (UAC) policy settings for the computer."
        },
        "defaultValue": "1"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SecurityOptionsUserAccountControl",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
            "equals": "[base64(concat('User Account Control: Admin Approval Mode for the Built-in Administrator account;ExpectedValue', '=', parameters('UACAdminApprovalModeForTheBuiltinAdministratorAccount'), ',', 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode;ExpectedValue', '=', parameters('UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'), ',', 'User Account Control: Detect application installations and prompt for elevation;ExpectedValue', '=', parameters('UACDetectApplicationInstallationsAndPromptForElevation'), ',', 'User Account Control: Run all administrators in Admin Approval Mode;ExpectedValue', '=', parameters('UACRunAllAdministratorsInAdminApprovalMode')))]"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "AzureBaseline_SecurityOptionsUserAccountControl"
                },
                "UACAdminApprovalModeForTheBuiltinAdministratorAccount": {
                  "value": "[parameters('UACAdminApprovalModeForTheBuiltinAdministratorAccount')]"
                },
                "UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode": {
                  "value": "[parameters('UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode')]"
                },
                "UACDetectApplicationInstallationsAndPromptForElevation": {
                  "value": "[parameters('UACDetectApplicationInstallationsAndPromptForElevation')]"
                },
                "UACRunAllAdministratorsInAdminApprovalMode": {
                  "value": "[parameters('UACRunAllAdministratorsInAdminApprovalMode')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  },
                  "UACAdminApprovalModeForTheBuiltinAdministratorAccount": {
                    "type": "string"
                  },
                  "UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode": {
                    "type": "string"
                  },
                  "UACDetectApplicationInstallationsAndPromptForElevation": {
                    "type": "string"
                  },
                  "UACRunAllAdministratorsInAdminApprovalMode": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "User Account Control: Admin Approval Mode for the Built-in Administrator account;ExpectedValue",
                            "value": "[parameters('UACAdminApprovalModeForTheBuiltinAdministratorAccount')]"
                          },
                          {
                            "name": "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode;ExpectedValue",
                            "value": "[parameters('UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode')]"
                          },
                          {
                            "name": "User Account Control: Detect application installations and prompt for elevation;ExpectedValue",
                            "value": "[parameters('UACDetectApplicationInstallationsAndPromptForElevation')]"
                          },
                          {
                            "name": "User Account Control: Run all administrators in Admin Approval Mode;ExpectedValue",
                            "value": "[parameters('UACRunAllAdministratorsInAdminApprovalMode')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "User Account Control: Admin Approval Mode for the Built-in Administrator account;ExpectedValue",
                            "value": "[parameters('UACAdminApprovalModeForTheBuiltinAdministratorAccount')]"
                          },
                          {
                            "name": "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode;ExpectedValue",
                            "value": "[parameters('UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode')]"
                          },
                          {
                            "name": "User Account Control: Detect application installations and prompt for elevation;ExpectedValue",
                            "value": "[parameters('UACDetectApplicationInstallationsAndPromptForElevation')]"
                          },
                          {
                            "name": "User Account Control: Run all administrators in Admin Approval Mode;ExpectedValue",
                            "value": "[parameters('UACRunAllAdministratorsInAdminApprovalMode')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e425e402-a050-45e5-b010-bd3f934589fc",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e425e402-a050-45e5-b010-bd3f934589fc"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "parameters": {
      "EnforcePasswordHistory": {
        "type": "String",
        "metadata": {
          "displayName": "Enforce password history",
          "description": "Specifies limits on password reuse - how many times a new password must be created for a user account before the password can be repeated."
        },
        "defaultValue": "24"
      },
      "MaximumPasswordAge": {
        "type": "String",
        "metadata": {
          "displayName": "Maximum password age",
          "description": "Specifies the maximum number of days that may elapse before a user account password must be changed. The format of the value is two integers separated by a comma, denoting an inclusive range."
        },
        "defaultValue": "1,70"
      },
      "MinimumPasswordAge": {
        "type": "String",
        "metadata": {
          "displayName": "Minimum password age",
          "description": "Specifies the minimum number of days that must elapse before a user account password can be changed."
        },
        "defaultValue": "1"
      },
      "MinimumPasswordLength": {
        "type": "String",
        "metadata": {
          "displayName": "Minimum password length",
          "description": "Specifies the minimum number of characters that a user account password may contain."
        },
        "defaultValue": "14"
      },
      "PasswordMustMeetComplexityRequirements": {
        "type": "String",
        "metadata": {
          "displayName": "Password must meet complexity requirements",
          "description": "Specifies whether a user account password must be complex. If required, a complex password must not contain part of  user's account name or full name; be at least 6 characters long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters."
        },
        "defaultValue": "1"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SecuritySettingsAccountPolicies",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
            "equals": "[base64(concat('Enforce password history;ExpectedValue', '=', parameters('EnforcePasswordHistory'), ',', 'Maximum password age;ExpectedValue', '=', parameters('MaximumPasswordAge'), ',', 'Minimum password age;ExpectedValue', '=', parameters('MinimumPasswordAge'), ',', 'Minimum password length;ExpectedValue', '=', parameters('MinimumPasswordLength'), ',', 'Password must meet complexity requirements;ExpectedValue', '=', parameters('PasswordMustMeetComplexityRequirements')))]"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "AzureBaseline_SecuritySettingsAccountPolicies"
                },
                "EnforcePasswordHistory": {
                  "value": "[parameters('EnforcePasswordHistory')]"
                },
                "MaximumPasswordAge": {
                  "value": "[parameters('MaximumPasswordAge')]"
                },
                "MinimumPasswordAge": {
                  "value": "[parameters('MinimumPasswordAge')]"
                },
                "MinimumPasswordLength": {
                  "value": "[parameters('MinimumPasswordLength')]"
                },
                "PasswordMustMeetComplexityRequirements": {
                  "value": "[parameters('PasswordMustMeetComplexityRequirements')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  },
                  "EnforcePasswordHistory": {
                    "type": "string"
                  },
                  "MaximumPasswordAge": {
                    "type": "string"
                  },
                  "MinimumPasswordAge": {
                    "type": "string"
                  },
                  "MinimumPasswordLength": {
                    "type": "string"
                  },
                  "PasswordMustMeetComplexityRequirements": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "Enforce password history;ExpectedValue",
                            "value": "[parameters('EnforcePasswordHistory')]"
                          },
                          {
                            "name": "Maximum password age;ExpectedValue",
                            "value": "[parameters('MaximumPasswordAge')]"
                          },
                          {
                            "name": "Minimum password age;ExpectedValue",
                            "value": "[parameters('MinimumPasswordAge')]"
                          },
                          {
                            "name": "Minimum password length;ExpectedValue",
                            "value": "[parameters('MinimumPasswordLength')]"
                          },
                          {
                            "name": "Password must meet complexity requirements;ExpectedValue",
                            "value": "[parameters('PasswordMustMeetComplexityRequirements')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "Enforce password history;ExpectedValue",
                            "value": "[parameters('EnforcePasswordHistory')]"
                          },
                          {
                            "name": "Maximum password age;ExpectedValue",
                            "value": "[parameters('MaximumPasswordAge')]"
                          },
                          {
                            "name": "Minimum password age;ExpectedValue",
                            "value": "[parameters('MinimumPasswordAge')]"
                          },
                          {
                            "name": "Minimum password length;ExpectedValue",
                            "value": "[parameters('MinimumPasswordLength')]"
                          },
                          {
                            "name": "Password must meet complexity requirements;ExpectedValue",
                            "value": "[parameters('PasswordMustMeetComplexityRequirements')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e3d95ab7-f47a-49d8-a347-784177b6c94c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e3d95ab7-f47a-49d8-a347-784177b6c94c"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "parameters": {
      "AuditCredentialValidation": {
        "type": "String",
        "metadata": {
          "displayName": "Audit Credential Validation",
          "description": "Specifies whether audit events are generated when credentials are submitted for a user account logon request.  This setting is especially useful for monitoring unsuccessful attempts, to find brute-force attacks, account enumeration, and potential account compromise events on domain controllers."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "Success and Failure"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SystemAuditPoliciesAccountLogon",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
            "equals": "[base64(concat('Audit Credential Validation;ExpectedValue', '=', parameters('AuditCredentialValidation')))]"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "AzureBaseline_SystemAuditPoliciesAccountLogon"
                },
                "AuditCredentialValidation": {
                  "value": "[parameters('AuditCredentialValidation')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  },
                  "AuditCredentialValidation": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "Audit Credential Validation;ExpectedValue",
                            "value": "[parameters('AuditCredentialValidation')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "Audit Credential Validation;ExpectedValue",
                            "value": "[parameters('AuditCredentialValidation')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c1e289c0-ffad-475d-a924-adc058765d65",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c1e289c0-ffad-475d-a924-adc058765d65"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SystemAuditPoliciesAccountManagement",
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "AzureBaseline_SystemAuditPoliciesAccountManagement"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*"
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*"
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0a9991e6-21be-49f9-8916-a06d934bcf29",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0a9991e6-21be-49f9-8916-a06d934bcf29"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "parameters": {
      "AuditProcessTermination": {
        "type": "String",
        "metadata": {
          "displayName": "Audit Process Termination",
          "description": "Specifies whether audit events are generated when a process has exited. Recommended for monitoring termination of critical processes."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "No Auditing"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SystemAuditPoliciesDetailedTracking",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
            "equals": "[base64(concat('Audit Process Termination;ExpectedValue', '=', parameters('AuditProcessTermination')))]"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "AzureBaseline_SystemAuditPoliciesDetailedTracking"
                },
                "AuditProcessTermination": {
                  "value": "[parameters('AuditProcessTermination')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  },
                  "AuditProcessTermination": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "Audit Process Termination;ExpectedValue",
                            "value": "[parameters('AuditProcessTermination')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "Audit Process Termination;ExpectedValue",
                            "value": "[parameters('AuditProcessTermination')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/42a07bbf-ffcf-459a-b4b1-30ecd118a505",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "42a07bbf-ffcf-459a-b4b1-30ecd118a505"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "parameters": {
      "AuditGroupMembership": {
        "type": "String",
        "metadata": {
          "displayName": "Audit Group Membership",
          "description": "Specifies whether audit events are generated when group memberships are enumerated on the client computer."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "Success"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SystemAuditPoliciesLogonLogoff",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
            "equals": "[base64(concat('Audit Group Membership;ExpectedValue', '=', parameters('AuditGroupMembership')))]"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "AzureBaseline_SystemAuditPoliciesLogonLogoff"
                },
                "AuditGroupMembership": {
                  "value": "[parameters('AuditGroupMembership')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  },
                  "AuditGroupMembership": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "Audit Group Membership;ExpectedValue",
                            "value": "[parameters('AuditGroupMembership')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "Audit Group Membership;ExpectedValue",
                            "value": "[parameters('AuditGroupMembership')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c04255ee-1b9f-42c1-abaa-bf1553f79930",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c04255ee-1b9f-42c1-abaa-bf1553f79930"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "parameters": {
      "AuditDetailedFileShare": {
        "type": "String",
        "metadata": {
          "displayName": "Audit Detailed File Share",
          "description": "If this policy setting is enabled, access to all shared files and folders on the system is audited. Auditing for Success can lead to very high volumes of events."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "No Auditing"
      },
      "AuditFileShare": {
        "type": "String",
        "metadata": {
          "displayName": "Audit File Share",
          "description": "Specifies whether to audit events related to file shares: creation, deletion, modification, and access attempts. Also, it shows failed SMB SPN checks. Event volumes can be high on DCs and File Servers."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "No Auditing"
      },
      "AuditFileSystem": {
        "type": "String",
        "metadata": {
          "displayName": "Audit File System",
          "description": "Specifies whether audit events are generated when users attempt to access file system objects. Audit events are generated only for objects that have configured system access control lists (SACLs)."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "No Auditing"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SystemAuditPoliciesObjectAccess",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
            "equals": "[base64(concat('Audit Detailed File Share;ExpectedValue', '=', parameters('AuditDetailedFileShare'), ',', 'Audit File Share;ExpectedValue', '=', parameters('AuditFileShare'), ',', 'Audit File System;ExpectedValue', '=', parameters('AuditFileSystem')))]"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "AzureBaseline_SystemAuditPoliciesObjectAccess"
                },
                "AuditDetailedFileShare": {
                  "value": "[parameters('AuditDetailedFileShare')]"
                },
                "AuditFileShare": {
                  "value": "[parameters('AuditFileShare')]"
                },
                "AuditFileSystem": {
                  "value": "[parameters('AuditFileSystem')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  },
                  "AuditDetailedFileShare": {
                    "type": "string"
                  },
                  "AuditFileShare": {
                    "type": "string"
                  },
                  "AuditFileSystem": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "Audit Detailed File Share;ExpectedValue",
                            "value": "[parameters('AuditDetailedFileShare')]"
                          },
                          {
                            "name": "Audit File Share;ExpectedValue",
                            "value": "[parameters('AuditFileShare')]"
                          },
                          {
                            "name": "Audit File System;ExpectedValue",
                            "value": "[parameters('AuditFileSystem')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "Audit Detailed File Share;ExpectedValue",
                            "value": "[parameters('AuditDetailedFileShare')]"
                          },
                          {
                            "name": "Audit File Share;ExpectedValue",
                            "value": "[parameters('AuditFileShare')]"
                          },
                          {
                            "name": "Audit File System;ExpectedValue",
                            "value": "[parameters('AuditFileSystem')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/8e170edb-e0f5-497a-bb36-48b3280cec6a",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "8e170edb-e0f5-497a-bb36-48b3280cec6a"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "parameters": {
      "AuditAuthenticationPolicyChange": {
        "type": "String",
        "metadata": {
          "displayName": "Audit Authentication Policy Change",
          "description": "Specifies whether audit events are generated when changes are made to authentication policy. This setting is useful for tracking changes in domain-level and forest-level trust and privileges that are granted to user accounts or groups."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "Success"
      },
      "AuditAuthorizationPolicyChange": {
        "type": "String",
        "metadata": {
          "displayName": "Audit Authorization Policy Change",
          "description": "Specifies whether audit events are generated for assignment and removal of user rights in user right policies, changes in security token object permission, resource attributes changes and Central Access Policy changes for file system objects."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "No Auditing"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SystemAuditPoliciesPolicyChange",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
            "equals": "[base64(concat('Audit Authentication Policy Change;ExpectedValue', '=', parameters('AuditAuthenticationPolicyChange'), ',', 'Audit Authorization Policy Change;ExpectedValue', '=', parameters('AuditAuthorizationPolicyChange')))]"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "AzureBaseline_SystemAuditPoliciesPolicyChange"
                },
                "AuditAuthenticationPolicyChange": {
                  "value": "[parameters('AuditAuthenticationPolicyChange')]"
                },
                "AuditAuthorizationPolicyChange": {
                  "value": "[parameters('AuditAuthorizationPolicyChange')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  },
                  "AuditAuthenticationPolicyChange": {
                    "type": "string"
                  },
                  "AuditAuthorizationPolicyChange": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "Audit Authentication Policy Change;ExpectedValue",
                            "value": "[parameters('AuditAuthenticationPolicyChange')]"
                          },
                          {
                            "name": "Audit Authorization Policy Change;ExpectedValue",
                            "value": "[parameters('AuditAuthorizationPolicyChange')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "Audit Authentication Policy Change;ExpectedValue",
                            "value": "[parameters('AuditAuthenticationPolicyChange')]"
                          },
                          {
                            "name": "Audit Authorization Policy Change;ExpectedValue",
                            "value": "[parameters('AuditAuthorizationPolicyChange')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/97b595c8-fd10-400e-8543-28e2b9138b13",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "97b595c8-fd10-400e-8543-28e2b9138b13"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SystemAuditPoliciesPrivilegeUse",
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "AzureBaseline_SystemAuditPoliciesPrivilegeUse"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*"
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*"
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/ce2370f6-0ac5-4d85-8ab4-10721cc640b0",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ce2370f6-0ac5-4d85-8ab4-10721cc640b0"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "parameters": {
      "AuditOtherSystemEvents": {
        "type": "String",
        "metadata": {
          "displayName": "Audit Other System Events",
          "description": "Specifies whether audit events are generated for Windows Firewall Service and Windows Firewall driver start and stop events, failure events for these services and Windows Firewall Service policy processing failures."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "No Auditing"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SystemAuditPoliciesSystem",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
            "equals": "[base64(concat('Audit Other System Events;ExpectedValue', '=', parameters('AuditOtherSystemEvents')))]"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "AzureBaseline_SystemAuditPoliciesSystem"
                },
                "AuditOtherSystemEvents": {
                  "value": "[parameters('AuditOtherSystemEvents')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  },
                  "AuditOtherSystemEvents": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "Audit Other System Events;ExpectedValue",
                            "value": "[parameters('AuditOtherSystemEvents')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "Audit Other System Events;ExpectedValue",
                            "value": "[parameters('AuditOtherSystemEvents')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/f8b0158d-4766-490f-bea0-259e52dba473",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "f8b0158d-4766-490f-bea0-259e52dba473"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "parameters": {
      "UsersOrGroupsThatMayAccessThisComputerFromTheNetwork": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may access this computer from the network",
          "description": "Specifies which remote users on the network are permitted to connect to the computer. This does not include Remote Desktop Connection."
        },
        "defaultValue": "Administrators, Authenticated Users"
      },
      "UsersOrGroupsThatMayLogOnLocally": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may log on locally",
          "description": "Specifies which users or groups can interactively log on to the computer. Users who attempt to log on via Remote Desktop Connection or IIS also require this user right."
        },
        "defaultValue": "Administrators"
      },
      "UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may log on through Remote Desktop Services",
          "description": "Specifies which users or groups are permitted to log on as a Terminal Services client, Remote Desktop, or for Remote Assistance."
        },
        "defaultValue": "Administrators, Remote Desktop Users"
      },
      "UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that are denied access to this computer from the network",
          "description": "Specifies which users or groups are explicitly prohibited from connecting to the computer across the network."
        },
        "defaultValue": "Guests"
      },
      "UsersOrGroupsThatMayManageAuditingAndSecurityLog": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may manage auditing and security log",
          "description": "Specifies users and groups permitted to change the auditing options for files and directories and clear the Security log."
        },
        "defaultValue": "Administrators"
      },
      "UsersOrGroupsThatMayBackUpFilesAndDirectories": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may back up files and directories",
          "description": "Specifies users and groups allowed to circumvent file and directory permissions to back up the system."
        },
        "defaultValue": "Administrators, Backup Operators"
      },
      "UsersOrGroupsThatMayChangeTheSystemTime": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may change the system time",
          "description": "Specifies which users and groups are permitted to change the time and date on the internal clock of the computer."
        },
        "defaultValue": "Administrators, LOCAL SERVICE"
      },
      "UsersOrGroupsThatMayChangeTheTimeZone": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may change the time zone",
          "description": "Specifies which users and groups are permitted to change the time zone of the computer."
        },
        "defaultValue": "Administrators, LOCAL SERVICE"
      },
      "UsersOrGroupsThatMayCreateATokenObject": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may create a token object",
          "description": "Specifies which users and groups are permitted to create an access token, which may provide elevated rights to access sensitive data."
        },
        "defaultValue": "No One"
      },
      "UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that are denied logging on as a batch job",
          "description": "Specifies which users and groups are explicitly not permitted to log on to the computer as a batch job (i.e. scheduled task)."
        },
        "defaultValue": "Guests"
      },
      "UsersAndGroupsThatAreDeniedLoggingOnAsAService": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that are denied logging on as a service",
          "description": "Specifies which service accounts are explicitly not permitted to register a process as a service."
        },
        "defaultValue": "Guests"
      },
      "UsersAndGroupsThatAreDeniedLocalLogon": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that are denied local logon",
          "description": "Specifies which users and groups are explicitly not permitted to log on to the computer."
        },
        "defaultValue": "Guests"
      },
      "UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that are denied log on through Remote Desktop Services",
          "description": "Specifies which users and groups are explicitly not permitted to log on to the computer via Terminal Services/Remote Desktop Client."
        },
        "defaultValue": "Guests"
      },
      "UserAndGroupsThatMayForceShutdownFromARemoteSystem": {
        "type": "String",
        "metadata": {
          "displayName": "User and groups that may force shutdown from a remote system",
          "description": "Specifies which users and groups are permitted to shut down the computer from a remote location on the network."
        },
        "defaultValue": "Administrators"
      },
      "UsersAndGroupsThatMayRestoreFilesAndDirectories": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that may restore files and directories",
          "description": "Specifies which users and groups are permitted to bypass file, directory, registry, and other persistent object permissions when restoring backed up files and directories."
        },
        "defaultValue": "Administrators, Backup Operators"
      },
      "UsersAndGroupsThatMayShutDownTheSystem": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that may shut down the system",
          "description": "Specifies which users and groups who are logged on locally to the computers in your environment are permitted to shut down the operating system with the Shut Down command."
        },
        "defaultValue": "Administrators"
      },
      "UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may take ownership of files or other objects",
          "description": "Specifies which users and groups are permitted to take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions that are in place to protect objects to give ownership to the specified user."
        },
        "defaultValue": "Administrators"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_UserRightsAssignment",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
            "equals": "[base64(concat('Access this computer from the network;ExpectedValue', '=', parameters('UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'), ',', 'Allow log on locally;ExpectedValue', '=', parameters('UsersOrGroupsThatMayLogOnLocally'), ',', 'Allow log on through Remote Desktop Services;ExpectedValue', '=', parameters('UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'), ',', 'Deny access to this computer from the network;ExpectedValue', '=', parameters('UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'), ',', 'Manage auditing and security log;ExpectedValue', '=', parameters('UsersOrGroupsThatMayManageAuditingAndSecurityLog'), ',', 'Back up files and directories;ExpectedValue', '=', parameters('UsersOrGroupsThatMayBackUpFilesAndDirectories'), ',', 'Change the system time;ExpectedValue', '=', parameters('UsersOrGroupsThatMayChangeTheSystemTime'), ',', 'Change the time zone;ExpectedValue', '=', parameters('UsersOrGroupsThatMayChangeTheTimeZone'), ',', 'Create a token object;ExpectedValue', '=', parameters('UsersOrGroupsThatMayCreateATokenObject'), ',', 'Deny log on as a batch job;ExpectedValue', '=', parameters('UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'), ',', 'Deny log on as a service;ExpectedValue', '=', parameters('UsersAndGroupsThatAreDeniedLoggingOnAsAService'), ',', 'Deny log on locally;ExpectedValue', '=', parameters('UsersAndGroupsThatAreDeniedLocalLogon'), ',', 'Deny log on through Remote Desktop Services;ExpectedValue', '=', parameters('UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'), ',', 'Force shutdown from a remote system;ExpectedValue', '=', parameters('UserAndGroupsThatMayForceShutdownFromARemoteSystem'), ',', 'Restore files and directories;ExpectedValue', '=', parameters('UsersAndGroupsThatMayRestoreFilesAndDirectories'), ',', 'Shut down the system;ExpectedValue', '=', parameters('UsersAndGroupsThatMayShutDownTheSystem'), ',', 'Take ownership of files or other objects;ExpectedValue', '=', parameters('UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects')))]"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "AzureBaseline_UserRightsAssignment"
                },
                "UsersOrGroupsThatMayAccessThisComputerFromTheNetwork": {
                  "value": "[parameters('UsersOrGroupsThatMayAccessThisComputerFromTheNetwork')]"
                },
                "UsersOrGroupsThatMayLogOnLocally": {
                  "value": "[parameters('UsersOrGroupsThatMayLogOnLocally')]"
                },
                "UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices": {
                  "value": "[parameters('UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices')]"
                },
                "UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork": {
                  "value": "[parameters('UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork')]"
                },
                "UsersOrGroupsThatMayManageAuditingAndSecurityLog": {
                  "value": "[parameters('UsersOrGroupsThatMayManageAuditingAndSecurityLog')]"
                },
                "UsersOrGroupsThatMayBackUpFilesAndDirectories": {
                  "value": "[parameters('UsersOrGroupsThatMayBackUpFilesAndDirectories')]"
                },
                "UsersOrGroupsThatMayChangeTheSystemTime": {
                  "value": "[parameters('UsersOrGroupsThatMayChangeTheSystemTime')]"
                },
                "UsersOrGroupsThatMayChangeTheTimeZone": {
                  "value": "[parameters('UsersOrGroupsThatMayChangeTheTimeZone')]"
                },
                "UsersOrGroupsThatMayCreateATokenObject": {
                  "value": "[parameters('UsersOrGroupsThatMayCreateATokenObject')]"
                },
                "UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob": {
                  "value": "[parameters('UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob')]"
                },
                "UsersAndGroupsThatAreDeniedLoggingOnAsAService": {
                  "value": "[parameters('UsersAndGroupsThatAreDeniedLoggingOnAsAService')]"
                },
                "UsersAndGroupsThatAreDeniedLocalLogon": {
                  "value": "[parameters('UsersAndGroupsThatAreDeniedLocalLogon')]"
                },
                "UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices": {
                  "value": "[parameters('UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices')]"
                },
                "UserAndGroupsThatMayForceShutdownFromARemoteSystem": {
                  "value": "[parameters('UserAndGroupsThatMayForceShutdownFromARemoteSystem')]"
                },
                "UsersAndGroupsThatMayRestoreFilesAndDirectories": {
                  "value": "[parameters('UsersAndGroupsThatMayRestoreFilesAndDirectories')]"
                },
                "UsersAndGroupsThatMayShutDownTheSystem": {
                  "value": "[parameters('UsersAndGroupsThatMayShutDownTheSystem')]"
                },
                "UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects": {
                  "value": "[parameters('UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  },
                  "UsersOrGroupsThatMayAccessThisComputerFromTheNetwork": {
                    "type": "string"
                  },
                  "UsersOrGroupsThatMayLogOnLocally": {
                    "type": "string"
                  },
                  "UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices": {
                    "type": "string"
                  },
                  "UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork": {
                    "type": "string"
                  },
                  "UsersOrGroupsThatMayManageAuditingAndSecurityLog": {
                    "type": "string"
                  },
                  "UsersOrGroupsThatMayBackUpFilesAndDirectories": {
                    "type": "string"
                  },
                  "UsersOrGroupsThatMayChangeTheSystemTime": {
                    "type": "string"
                  },
                  "UsersOrGroupsThatMayChangeTheTimeZone": {
                    "type": "string"
                  },
                  "UsersOrGroupsThatMayCreateATokenObject": {
                    "type": "string"
                  },
                  "UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob": {
                    "type": "string"
                  },
                  "UsersAndGroupsThatAreDeniedLoggingOnAsAService": {
                    "type": "string"
                  },
                  "UsersAndGroupsThatAreDeniedLocalLogon": {
                    "type": "string"
                  },
                  "UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices": {
                    "type": "string"
                  },
                  "UserAndGroupsThatMayForceShutdownFromARemoteSystem": {
                    "type": "string"
                  },
                  "UsersAndGroupsThatMayRestoreFilesAndDirectories": {
                    "type": "string"
                  },
                  "UsersAndGroupsThatMayShutDownTheSystem": {
                    "type": "string"
                  },
                  "UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "Access this computer from the network;ExpectedValue",
                            "value": "[parameters('UsersOrGroupsThatMayAccessThisComputerFromTheNetwork')]"
                          },
                          {
                            "name": "Allow log on locally;ExpectedValue",
                            "value": "[parameters('UsersOrGroupsThatMayLogOnLocally')]"
                          },
                          {
                            "name": "Allow log on through Remote Desktop Services;ExpectedValue",
                            "value": "[parameters('UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices')]"
                          },
                          {
                            "name": "Deny access to this computer from the network;ExpectedValue",
                            "value": "[parameters('UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork')]"
                          },
                          {
                            "name": "Manage auditing and security log;ExpectedValue",
                            "value": "[parameters('UsersOrGroupsThatMayManageAuditingAndSecurityLog')]"
                          },
                          {
                            "name": "Back up files and directories;ExpectedValue",
                            "value": "[parameters('UsersOrGroupsThatMayBackUpFilesAndDirectories')]"
                          },
                          {
                            "name": "Change the system time;ExpectedValue",
                            "value": "[parameters('UsersOrGroupsThatMayChangeTheSystemTime')]"
                          },
                          {
                            "name": "Change the time zone;ExpectedValue",
                            "value": "[parameters('UsersOrGroupsThatMayChangeTheTimeZone')]"
                          },
                          {
                            "name": "Create a token object;ExpectedValue",
                            "value": "[parameters('UsersOrGroupsThatMayCreateATokenObject')]"
                          },
                          {
                            "name": "Deny log on as a batch job;ExpectedValue",
                            "value": "[parameters('UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob')]"
                          },
                          {
                            "name": "Deny log on as a service;ExpectedValue",
                            "value": "[parameters('UsersAndGroupsThatAreDeniedLoggingOnAsAService')]"
                          },
                          {
                            "name": "Deny log on locally;ExpectedValue",
                            "value": "[parameters('UsersAndGroupsThatAreDeniedLocalLogon')]"
                          },
                          {
                            "name": "Deny log on through Remote Desktop Services;ExpectedValue",
                            "value": "[parameters('UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices')]"
                          },
                          {
                            "name": "Force shutdown from a remote system;ExpectedValue",
                            "value": "[parameters('UserAndGroupsThatMayForceShutdownFromARemoteSystem')]"
                          },
                          {
                            "name": "Restore files and directories;ExpectedValue",
                            "value": "[parameters('UsersAndGroupsThatMayRestoreFilesAndDirectories')]"
                          },
                          {
                            "name": "Shut down the system;ExpectedValue",
                            "value": "[parameters('UsersAndGroupsThatMayShutDownTheSystem')]"
                          },
                          {
                            "name": "Take ownership of files or other objects;ExpectedValue",
                            "value": "[parameters('UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "Access this computer from the network;ExpectedValue",
                            "value": "[parameters('UsersOrGroupsThatMayAccessThisComputerFromTheNetwork')]"
                          },
                          {
                            "name": "Allow log on locally;ExpectedValue",
                            "value": "[parameters('UsersOrGroupsThatMayLogOnLocally')]"
                          },
                          {
                            "name": "Allow log on through Remote Desktop Services;ExpectedValue",
                            "value": "[parameters('UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices')]"
                          },
                          {
                            "name": "Deny access to this computer from the network;ExpectedValue",
                            "value": "[parameters('UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork')]"
                          },
                          {
                            "name": "Manage auditing and security log;ExpectedValue",
                            "value": "[parameters('UsersOrGroupsThatMayManageAuditingAndSecurityLog')]"
                          },
                          {
                            "name": "Back up files and directories;ExpectedValue",
                            "value": "[parameters('UsersOrGroupsThatMayBackUpFilesAndDirectories')]"
                          },
                          {
                            "name": "Change the system time;ExpectedValue",
                            "value": "[parameters('UsersOrGroupsThatMayChangeTheSystemTime')]"
                          },
                          {
                            "name": "Change the time zone;ExpectedValue",
                            "value": "[parameters('UsersOrGroupsThatMayChangeTheTimeZone')]"
                          },
                          {
                            "name": "Create a token object;ExpectedValue",
                            "value": "[parameters('UsersOrGroupsThatMayCreateATokenObject')]"
                          },
                          {
                            "name": "Deny log on as a batch job;ExpectedValue",
                            "value": "[parameters('UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob')]"
                          },
                          {
                            "name": "Deny log on as a service;ExpectedValue",
                            "value": "[parameters('UsersAndGroupsThatAreDeniedLoggingOnAsAService')]"
                          },
                          {
                            "name": "Deny log on locally;ExpectedValue",
                            "value": "[parameters('UsersAndGroupsThatAreDeniedLocalLogon')]"
                          },
                          {
                            "name": "Deny log on through Remote Desktop Services;ExpectedValue",
                            "value": "[parameters('UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices')]"
                          },
                          {
                            "name": "Force shutdown from a remote system;ExpectedValue",
                            "value": "[parameters('UserAndGroupsThatMayForceShutdownFromARemoteSystem')]"
                          },
                          {
                            "name": "Restore files and directories;ExpectedValue",
                            "value": "[parameters('UsersAndGroupsThatMayRestoreFilesAndDirectories')]"
                          },
                          {
                            "name": "Shut down the system;ExpectedValue",
                            "value": "[parameters('UsersAndGroupsThatMayShutDownTheSystem')]"
                          },
                          {
                            "name": "Take ownership of files or other objects;ExpectedValue",
                            "value": "[parameters('UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/815dcc9f-6662-43f2-9a03-1b83e9876f24",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "815dcc9f-6662-43f2-9a03-1b83e9876f24"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "parameters": {
      "SendFileSamplesWhenFurtherAnalysisIsRequired": {
        "type": "String",
        "metadata": {
          "displayName": "Send file samples when further analysis is required",
          "description": "Specifies whether and how Windows Defender will submit samples of suspected malware  to Microsoft for further analysis when opt-in for MAPS telemetry is set."
        },
        "defaultValue": "1"
      },
      "AllowIndexingOfEncryptedFiles": {
        "type": "String",
        "metadata": {
          "displayName": "Allow indexing of encrypted files",
          "description": "Specifies whether encrypted items are allowed to be indexed."
        },
        "defaultValue": "0"
      },
      "AllowTelemetry": {
        "type": "String",
        "metadata": {
          "displayName": "Allow Telemetry",
          "description": "Specifies configuration of the amount of diagnostic and usage data reported to Microsoft. The data is transmitted securely and sensitive data is not sent."
        },
        "defaultValue": "2"
      },
      "AllowUnencryptedTraffic": {
        "type": "String",
        "metadata": {
          "displayName": "Allow unencrypted traffic",
          "description": "Specifies whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network."
        },
        "defaultValue": "0"
      },
      "AlwaysInstallWithElevatedPrivileges": {
        "type": "String",
        "metadata": {
          "displayName": "Always install with elevated privileges",
          "description": "Specifies whether Windows Installer should use system permissions when it installs any program on the system."
        },
        "defaultValue": "0"
      },
      "AlwaysPromptForPasswordUponConnection": {
        "type": "String",
        "metadata": {
          "displayName": "Always prompt for password upon connection",
          "description": "Specifies whether Terminal Services/Remote Desktop Connection always prompts the client computer for a password upon connection."
        },
        "defaultValue": "1"
      },
      "ApplicationSpecifyTheMaximumLogFileSizeKB": {
        "type": "String",
        "metadata": {
          "displayName": "Application: Specify the maximum log file size (KB)",
          "description": "Specifies the maximum size for the Application event log in kilobytes."
        },
        "defaultValue": "32768"
      },
      "AutomaticallySendMemoryDumpsForOSgeneratedErrorReports": {
        "type": "String",
        "metadata": {
          "displayName": "Automatically send memory dumps for OS-generated error reports",
          "description": "Specifies if memory dumps in support of OS-generated error reports can be sent to Microsoft automatically."
        },
        "defaultValue": "1"
      },
      "ConfigureDefaultConsent": {
        "type": "String",
        "metadata": {
          "displayName": "Configure Default consent",
          "description": "Specifies setting of the default consent handling for error reports sent to Microsoft."
        },
        "defaultValue": "4"
      },
      "ConfigureWindowsSmartScreen": {
        "type": "String",
        "metadata": {
          "displayName": "Configure Windows SmartScreen",
          "description": "Specifies how to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled."
        },
        "defaultValue": "1"
      },
      "DisallowDigestAuthentication": {
        "type": "String",
        "metadata": {
          "displayName": "Disallow Digest authentication",
          "description": "Specifies whether the Windows Remote Management (WinRM) client will not use Digest authentication."
        },
        "defaultValue": "0"
      },
      "DisallowWinRMFromStoringRunAsCredentials": {
        "type": "String",
        "metadata": {
          "displayName": "Disallow WinRM from storing RunAs credentials",
          "description": "Specifies whether the Windows Remote Management (WinRM) service will not allow RunAs credentials to be stored for any plug-ins."
        },
        "defaultValue": "1"
      },
      "DoNotAllowPasswordsToBeSaved": {
        "type": "String",
        "metadata": {
          "displayName": "Do not allow passwords to be saved",
          "description": "Specifies whether to prevent Remote Desktop Services - Terminal Services clients from saving passwords on a computer."
        },
        "defaultValue": "1"
      },
      "SecuritySpecifyTheMaximumLogFileSizeKB": {
        "type": "String",
        "metadata": {
          "displayName": "Security: Specify the maximum log file size (KB)",
          "description": "Specifies the maximum size for the Security event log in kilobytes."
        },
        "defaultValue": "196608"
      },
      "SetClientConnectionEncryptionLevel": {
        "type": "String",
        "metadata": {
          "displayName": "Set client connection encryption level",
          "description": "Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption."
        },
        "defaultValue": "3"
      },
      "SetTheDefaultBehaviorForAutoRun": {
        "type": "String",
        "metadata": {
          "displayName": "Set the default behavior for AutoRun",
          "description": "Specifies the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines."
        },
        "defaultValue": "1"
      },
      "SetupSpecifyTheMaximumLogFileSizeKB": {
        "type": "String",
        "metadata": {
          "displayName": "Setup: Specify the maximum log file size (KB)",
          "description": "Specifies the maximum size for the Setup event log in kilobytes."
        },
        "defaultValue": "32768"
      },
      "SystemSpecifyTheMaximumLogFileSizeKB": {
        "type": "String",
        "metadata": {
          "displayName": "System: Specify the maximum log file size (KB)",
          "description": "Specifies the maximum size for the System event log in kilobytes."
        },
        "defaultValue": "32768"
      },
      "TurnOffDataExecutionPreventionForExplorer": {
        "type": "String",
        "metadata": {
          "displayName": "Turn off Data Execution Prevention for Explorer",
          "description": "Specifies whether to turn off Data Execution Prevention for Windows File Explorer. Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer."
        },
        "defaultValue": "0"
      },
      "SpecifyTheIntervalToCheckForDefinitionUpdates": {
        "type": "String",
        "metadata": {
          "displayName": "Specify the interval to check for definition updates",
          "description": "Specifies an interval at which to check for Windows Defender definition updates. The time value is represented as the number of hours between update checks."
        },
        "defaultValue": "8"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_WindowsComponents",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
            "equals": "[base64(concat('Send file samples when further analysis is required;ExpectedValue', '=', parameters('SendFileSamplesWhenFurtherAnalysisIsRequired'), ',', 'Allow indexing of encrypted files;ExpectedValue', '=', parameters('AllowIndexingOfEncryptedFiles'), ',', 'Allow Telemetry;ExpectedValue', '=', parameters('AllowTelemetry'), ',', 'Allow unencrypted traffic;ExpectedValue', '=', parameters('AllowUnencryptedTraffic'), ',', 'Always install with elevated privileges;ExpectedValue', '=', parameters('AlwaysInstallWithElevatedPrivileges'), ',', 'Always prompt for password upon connection;ExpectedValue', '=', parameters('AlwaysPromptForPasswordUponConnection'), ',', 'Application: Specify the maximum log file size (KB);ExpectedValue', '=', parameters('ApplicationSpecifyTheMaximumLogFileSizeKB'), ',', 'Automatically send memory dumps for OS-generated error reports;ExpectedValue', '=', parameters('AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'), ',', 'Configure Default consent;ExpectedValue', '=', parameters('ConfigureDefaultConsent'), ',', 'Configure Windows SmartScreen;ExpectedValue', '=', parameters('ConfigureWindowsSmartScreen'), ',', 'Disallow Digest authentication;ExpectedValue', '=', parameters('DisallowDigestAuthentication'), ',', 'Disallow WinRM from storing RunAs credentials;ExpectedValue', '=', parameters('DisallowWinRMFromStoringRunAsCredentials'), ',', 'Do not allow passwords to be saved;ExpectedValue', '=', parameters('DoNotAllowPasswordsToBeSaved'), ',', 'Security: Specify the maximum log file size (KB);ExpectedValue', '=', parameters('SecuritySpecifyTheMaximumLogFileSizeKB'), ',', 'Set client connection encryption level;ExpectedValue', '=', parameters('SetClientConnectionEncryptionLevel'), ',', 'Set the default behavior for AutoRun;ExpectedValue', '=', parameters('SetTheDefaultBehaviorForAutoRun'), ',', 'Setup: Specify the maximum log file size (KB);ExpectedValue', '=', parameters('SetupSpecifyTheMaximumLogFileSizeKB'), ',', 'System: Specify the maximum log file size (KB);ExpectedValue', '=', parameters('SystemSpecifyTheMaximumLogFileSizeKB'), ',', 'Turn off Data Execution Prevention for Explorer;ExpectedValue', '=', parameters('TurnOffDataExecutionPreventionForExplorer'), ',', 'Specify the interval to check for definition updates;ExpectedValue', '=', parameters('SpecifyTheIntervalToCheckForDefinitionUpdates')))]"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "AzureBaseline_WindowsComponents"
                },
                "SendFileSamplesWhenFurtherAnalysisIsRequired": {
                  "value": "[parameters('SendFileSamplesWhenFurtherAnalysisIsRequired')]"
                },
                "AllowIndexingOfEncryptedFiles": {
                  "value": "[parameters('AllowIndexingOfEncryptedFiles')]"
                },
                "AllowTelemetry": {
                  "value": "[parameters('AllowTelemetry')]"
                },
                "AllowUnencryptedTraffic": {
                  "value": "[parameters('AllowUnencryptedTraffic')]"
                },
                "AlwaysInstallWithElevatedPrivileges": {
                  "value": "[parameters('AlwaysInstallWithElevatedPrivileges')]"
                },
                "AlwaysPromptForPasswordUponConnection": {
                  "value": "[parameters('AlwaysPromptForPasswordUponConnection')]"
                },
                "ApplicationSpecifyTheMaximumLogFileSizeKB": {
                  "value": "[parameters('ApplicationSpecifyTheMaximumLogFileSizeKB')]"
                },
                "AutomaticallySendMemoryDumpsForOSgeneratedErrorReports": {
                  "value": "[parameters('AutomaticallySendMemoryDumpsForOSgeneratedErrorReports')]"
                },
                "ConfigureDefaultConsent": {
                  "value": "[parameters('ConfigureDefaultConsent')]"
                },
                "ConfigureWindowsSmartScreen": {
                  "value": "[parameters('ConfigureWindowsSmartScreen')]"
                },
                "DisallowDigestAuthentication": {
                  "value": "[parameters('DisallowDigestAuthentication')]"
                },
                "DisallowWinRMFromStoringRunAsCredentials": {
                  "value": "[parameters('DisallowWinRMFromStoringRunAsCredentials')]"
                },
                "DoNotAllowPasswordsToBeSaved": {
                  "value": "[parameters('DoNotAllowPasswordsToBeSaved')]"
                },
                "SecuritySpecifyTheMaximumLogFileSizeKB": {
                  "value": "[parameters('SecuritySpecifyTheMaximumLogFileSizeKB')]"
                },
                "SetClientConnectionEncryptionLevel": {
                  "value": "[parameters('SetClientConnectionEncryptionLevel')]"
                },
                "SetTheDefaultBehaviorForAutoRun": {
                  "value": "[parameters('SetTheDefaultBehaviorForAutoRun')]"
                },
                "SetupSpecifyTheMaximumLogFileSizeKB": {
                  "value": "[parameters('SetupSpecifyTheMaximumLogFileSizeKB')]"
                },
                "SystemSpecifyTheMaximumLogFileSizeKB": {
                  "value": "[parameters('SystemSpecifyTheMaximumLogFileSizeKB')]"
                },
                "TurnOffDataExecutionPreventionForExplorer": {
                  "value": "[parameters('TurnOffDataExecutionPreventionForExplorer')]"
                },
                "SpecifyTheIntervalToCheckForDefinitionUpdates": {
                  "value": "[parameters('SpecifyTheIntervalToCheckForDefinitionUpdates')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  },
                  "SendFileSamplesWhenFurtherAnalysisIsRequired": {
                    "type": "string"
                  },
                  "AllowIndexingOfEncryptedFiles": {
                    "type": "string"
                  },
                  "AllowTelemetry": {
                    "type": "string"
                  },
                  "AllowUnencryptedTraffic": {
                    "type": "string"
                  },
                  "AlwaysInstallWithElevatedPrivileges": {
                    "type": "string"
                  },
                  "AlwaysPromptForPasswordUponConnection": {
                    "type": "string"
                  },
                  "ApplicationSpecifyTheMaximumLogFileSizeKB": {
                    "type": "string"
                  },
                  "AutomaticallySendMemoryDumpsForOSgeneratedErrorReports": {
                    "type": "string"
                  },
                  "ConfigureDefaultConsent": {
                    "type": "string"
                  },
                  "ConfigureWindowsSmartScreen": {
                    "type": "string"
                  },
                  "DisallowDigestAuthentication": {
                    "type": "string"
                  },
                  "DisallowWinRMFromStoringRunAsCredentials": {
                    "type": "string"
                  },
                  "DoNotAllowPasswordsToBeSaved": {
                    "type": "string"
                  },
                  "SecuritySpecifyTheMaximumLogFileSizeKB": {
                    "type": "string"
                  },
                  "SetClientConnectionEncryptionLevel": {
                    "type": "string"
                  },
                  "SetTheDefaultBehaviorForAutoRun": {
                    "type": "string"
                  },
                  "SetupSpecifyTheMaximumLogFileSizeKB": {
                    "type": "string"
                  },
                  "SystemSpecifyTheMaximumLogFileSizeKB": {
                    "type": "string"
                  },
                  "TurnOffDataExecutionPreventionForExplorer": {
                    "type": "string"
                  },
                  "SpecifyTheIntervalToCheckForDefinitionUpdates": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "Send file samples when further analysis is required;ExpectedValue",
                            "value": "[parameters('SendFileSamplesWhenFurtherAnalysisIsRequired')]"
                          },
                          {
                            "name": "Allow indexing of encrypted files;ExpectedValue",
                            "value": "[parameters('AllowIndexingOfEncryptedFiles')]"
                          },
                          {
                            "name": "Allow Telemetry;ExpectedValue",
                            "value": "[parameters('AllowTelemetry')]"
                          },
                          {
                            "name": "Allow unencrypted traffic;ExpectedValue",
                            "value": "[parameters('AllowUnencryptedTraffic')]"
                          },
                          {
                            "name": "Always install with elevated privileges;ExpectedValue",
                            "value": "[parameters('AlwaysInstallWithElevatedPrivileges')]"
                          },
                          {
                            "name": "Always prompt for password upon connection;ExpectedValue",
                            "value": "[parameters('AlwaysPromptForPasswordUponConnection')]"
                          },
                          {
                            "name": "Application: Specify the maximum log file size (KB);ExpectedValue",
                            "value": "[parameters('ApplicationSpecifyTheMaximumLogFileSizeKB')]"
                          },
                          {
                            "name": "Automatically send memory dumps for OS-generated error reports;ExpectedValue",
                            "value": "[parameters('AutomaticallySendMemoryDumpsForOSgeneratedErrorReports')]"
                          },
                          {
                            "name": "Configure Default consent;ExpectedValue",
                            "value": "[parameters('ConfigureDefaultConsent')]"
                          },
                          {
                            "name": "Configure Windows SmartScreen;ExpectedValue",
                            "value": "[parameters('ConfigureWindowsSmartScreen')]"
                          },
                          {
                            "name": "Disallow Digest authentication;ExpectedValue",
                            "value": "[parameters('DisallowDigestAuthentication')]"
                          },
                          {
                            "name": "Disallow WinRM from storing RunAs credentials;ExpectedValue",
                            "value": "[parameters('DisallowWinRMFromStoringRunAsCredentials')]"
                          },
                          {
                            "name": "Do not allow passwords to be saved;ExpectedValue",
                            "value": "[parameters('DoNotAllowPasswordsToBeSaved')]"
                          },
                          {
                            "name": "Security: Specify the maximum log file size (KB);ExpectedValue",
                            "value": "[parameters('SecuritySpecifyTheMaximumLogFileSizeKB')]"
                          },
                          {
                            "name": "Set client connection encryption level;ExpectedValue",
                            "value": "[parameters('SetClientConnectionEncryptionLevel')]"
                          },
                          {
                            "name": "Set the default behavior for AutoRun;ExpectedValue",
                            "value": "[parameters('SetTheDefaultBehaviorForAutoRun')]"
                          },
                          {
                            "name": "Setup: Specify the maximum log file size (KB);ExpectedValue",
                            "value": "[parameters('SetupSpecifyTheMaximumLogFileSizeKB')]"
                          },
                          {
                            "name": "System: Specify the maximum log file size (KB);ExpectedValue",
                            "value": "[parameters('SystemSpecifyTheMaximumLogFileSizeKB')]"
                          },
                          {
                            "name": "Turn off Data Execution Prevention for Explorer;ExpectedValue",
                            "value": "[parameters('TurnOffDataExecutionPreventionForExplorer')]"
                          },
                          {
                            "name": "Specify the interval to check for definition updates;ExpectedValue",
                            "value": "[parameters('SpecifyTheIntervalToCheckForDefinitionUpdates')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "Send file samples when further analysis is required;ExpectedValue",
                            "value": "[parameters('SendFileSamplesWhenFurtherAnalysisIsRequired')]"
                          },
                          {
                            "name": "Allow indexing of encrypted files;ExpectedValue",
                            "value": "[parameters('AllowIndexingOfEncryptedFiles')]"
                          },
                          {
                            "name": "Allow Telemetry;ExpectedValue",
                            "value": "[parameters('AllowTelemetry')]"
                          },
                          {
                            "name": "Allow unencrypted traffic;ExpectedValue",
                            "value": "[parameters('AllowUnencryptedTraffic')]"
                          },
                          {
                            "name": "Always install with elevated privileges;ExpectedValue",
                            "value": "[parameters('AlwaysInstallWithElevatedPrivileges')]"
                          },
                          {
                            "name": "Always prompt for password upon connection;ExpectedValue",
                            "value": "[parameters('AlwaysPromptForPasswordUponConnection')]"
                          },
                          {
                            "name": "Application: Specify the maximum log file size (KB);ExpectedValue",
                            "value": "[parameters('ApplicationSpecifyTheMaximumLogFileSizeKB')]"
                          },
                          {
                            "name": "Automatically send memory dumps for OS-generated error reports;ExpectedValue",
                            "value": "[parameters('AutomaticallySendMemoryDumpsForOSgeneratedErrorReports')]"
                          },
                          {
                            "name": "Configure Default consent;ExpectedValue",
                            "value": "[parameters('ConfigureDefaultConsent')]"
                          },
                          {
                            "name": "Configure Windows SmartScreen;ExpectedValue",
                            "value": "[parameters('ConfigureWindowsSmartScreen')]"
                          },
                          {
                            "name": "Disallow Digest authentication;ExpectedValue",
                            "value": "[parameters('DisallowDigestAuthentication')]"
                          },
                          {
                            "name": "Disallow WinRM from storing RunAs credentials;ExpectedValue",
                            "value": "[parameters('DisallowWinRMFromStoringRunAsCredentials')]"
                          },
                          {
                            "name": "Do not allow passwords to be saved;ExpectedValue",
                            "value": "[parameters('DoNotAllowPasswordsToBeSaved')]"
                          },
                          {
                            "name": "Security: Specify the maximum log file size (KB);ExpectedValue",
                            "value": "[parameters('SecuritySpecifyTheMaximumLogFileSizeKB')]"
                          },
                          {
                            "name": "Set client connection encryption level;ExpectedValue",
                            "value": "[parameters('SetClientConnectionEncryptionLevel')]"
                          },
                          {
                            "name": "Set the default behavior for AutoRun;ExpectedValue",
                            "value": "[parameters('SetTheDefaultBehaviorForAutoRun')]"
                          },
                          {
                            "name": "Setup: Specify the maximum log file size (KB);ExpectedValue",
                            "value": "[parameters('SetupSpecifyTheMaximumLogFileSizeKB')]"
                          },
                          {
                            "name": "System: Specify the maximum log file size (KB);ExpectedValue",
                            "value": "[parameters('SystemSpecifyTheMaximumLogFileSizeKB')]"
                          },
                          {
                            "name": "Turn off Data Execution Prevention for Explorer;ExpectedValue",
                            "value": "[parameters('TurnOffDataExecutionPreventionForExplorer')]"
                          },
                          {
                            "name": "Specify the interval to check for definition updates;ExpectedValue",
                            "value": "[parameters('SpecifyTheIntervalToCheckForDefinitionUpdates')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/7040a231-fb65-4412-8c0a-b365f4866c24",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "7040a231-fb65-4412-8c0a-b365f4866c24"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "parameters": {
      "WindowsFirewallDomainUseProfileSettings": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Domain): Use profile settings",
          "description": "Specifies whether Windows Firewall with Advanced Security uses the settings for the Domain profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallDomainBehaviorForOutboundConnections": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Domain): Behavior for outbound connections",
          "description": "Specifies the behavior for outbound connections for the Domain profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, and a value of 1 means to block connections."
        },
        "defaultValue": "0"
      },
      "WindowsFirewallDomainApplyLocalConnectionSecurityRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Domain): Apply local connection security rules",
          "description": "Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy for the Domain profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallDomainApplyLocalFirewallRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Domain): Apply local firewall rules",
          "description": "Specifies whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy for the Domain profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallDomainDisplayNotifications": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Domain): Display notifications",
          "description": "Specifies whether Windows Firewall with Advanced Security displays notifications to the user when a program is blocked from receiving inbound connections, for the Domain profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPrivateUseProfileSettings": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Private): Use profile settings",
          "description": "Specifies whether Windows Firewall with Advanced Security uses the settings for the Private profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPrivateBehaviorForOutboundConnections": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Private): Behavior for outbound connections",
          "description": "Specifies the behavior for outbound connections for the Private profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, and a value of 1 means to block connections."
        },
        "defaultValue": "0"
      },
      "WindowsFirewallPrivateApplyLocalConnectionSecurityRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Private): Apply local connection security rules",
          "description": "Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy for the Private profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPrivateApplyLocalFirewallRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Private): Apply local firewall rules",
          "description": "Specifies whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy for the Private profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPrivateDisplayNotifications": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Private): Display notifications",
          "description": "Specifies whether Windows Firewall with Advanced Security displays notifications to the user when a program is blocked from receiving inbound connections, for the Private profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPublicUseProfileSettings": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Public): Use profile settings",
          "description": "Specifies whether Windows Firewall with Advanced Security uses the settings for the Public profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPublicBehaviorForOutboundConnections": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Public): Behavior for outbound connections",
          "description": "Specifies the behavior for outbound connections for the Public profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, and a value of 1 means to block connections."
        },
        "defaultValue": "0"
      },
      "WindowsFirewallPublicApplyLocalConnectionSecurityRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Public): Apply local connection security rules",
          "description": "Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy for the Public profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPublicApplyLocalFirewallRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Public): Apply local firewall rules",
          "description": "Specifies whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy for the Public profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPublicDisplayNotifications": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Public): Display notifications",
          "description": "Specifies whether Windows Firewall with Advanced Security displays notifications to the user when a program is blocked from receiving inbound connections, for the Public profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallDomainAllowUnicastResponse": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall: Domain: Allow unicast response",
          "description": "Specifies whether Windows Firewall with Advanced Security permits the local computer to receive unicast responses to its outgoing multicast or broadcast messages; for the Domain profile."
        },
        "defaultValue": "0"
      },
      "WindowsFirewallPrivateAllowUnicastResponse": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall: Private: Allow unicast response",
          "description": "Specifies whether Windows Firewall with Advanced Security permits the local computer to receive unicast responses to its outgoing multicast or broadcast messages; for the Private profile."
        },
        "defaultValue": "0"
      },
      "WindowsFirewallPublicAllowUnicastResponse": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall: Public: Allow unicast response",
          "description": "Specifies whether Windows Firewall with Advanced Security permits the local computer to receive unicast responses to its outgoing multicast or broadcast messages; for the Public profile."
        },
        "defaultValue": "1"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_WindowsFirewallProperties",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
            "equals": "[base64(concat('Windows Firewall: Domain: Firewall state;ExpectedValue', '=', parameters('WindowsFirewallDomainUseProfileSettings'), ',', 'Windows Firewall: Domain: Outbound connections;ExpectedValue', '=', parameters('WindowsFirewallDomainBehaviorForOutboundConnections'), ',', 'Windows Firewall: Domain: Settings: Apply local connection security rules;ExpectedValue', '=', parameters('WindowsFirewallDomainApplyLocalConnectionSecurityRules'), ',', 'Windows Firewall: Domain: Settings: Apply local firewall rules;ExpectedValue', '=', parameters('WindowsFirewallDomainApplyLocalFirewallRules'), ',', 'Windows Firewall: Domain: Settings: Display a notification;ExpectedValue', '=', parameters('WindowsFirewallDomainDisplayNotifications'), ',', 'Windows Firewall: Private: Firewall state;ExpectedValue', '=', parameters('WindowsFirewallPrivateUseProfileSettings'), ',', 'Windows Firewall: Private: Outbound connections;ExpectedValue', '=', parameters('WindowsFirewallPrivateBehaviorForOutboundConnections'), ',', 'Windows Firewall: Private: Settings: Apply local connection security rules;ExpectedValue', '=', parameters('WindowsFirewallPrivateApplyLocalConnectionSecurityRules'), ',', 'Windows Firewall: Private: Settings: Apply local firewall rules;ExpectedValue', '=', parameters('WindowsFirewallPrivateApplyLocalFirewallRules'), ',', 'Windows Firewall: Private: Settings: Display a notification;ExpectedValue', '=', parameters('WindowsFirewallPrivateDisplayNotifications'), ',', 'Windows Firewall: Public: Firewall state;ExpectedValue', '=', parameters('WindowsFirewallPublicUseProfileSettings'), ',', 'Windows Firewall: Public: Outbound connections;ExpectedValue', '=', parameters('WindowsFirewallPublicBehaviorForOutboundConnections'), ',', 'Windows Firewall: Public: Settings: Apply local connection security rules;ExpectedValue', '=', parameters('WindowsFirewallPublicApplyLocalConnectionSecurityRules'), ',', 'Windows Firewall: Public: Settings: Apply local firewall rules;ExpectedValue', '=', parameters('WindowsFirewallPublicApplyLocalFirewallRules'), ',', 'Windows Firewall: Public: Settings: Display a notification;ExpectedValue', '=', parameters('WindowsFirewallPublicDisplayNotifications'), ',', 'Windows Firewall: Domain: Allow unicast response;ExpectedValue', '=', parameters('WindowsFirewallDomainAllowUnicastResponse'), ',', 'Windows Firewall: Private: Allow unicast response;ExpectedValue', '=', parameters('WindowsFirewallPrivateAllowUnicastResponse'), ',', 'Windows Firewall: Public: Allow unicast response;ExpectedValue', '=', parameters('WindowsFirewallPublicAllowUnicastResponse')))]"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "AzureBaseline_WindowsFirewallProperties"
                },
                "WindowsFirewallDomainUseProfileSettings": {
                  "value": "[parameters('WindowsFirewallDomainUseProfileSettings')]"
                },
                "WindowsFirewallDomainBehaviorForOutboundConnections": {
                  "value": "[parameters('WindowsFirewallDomainBehaviorForOutboundConnections')]"
                },
                "WindowsFirewallDomainApplyLocalConnectionSecurityRules": {
                  "value": "[parameters('WindowsFirewallDomainApplyLocalConnectionSecurityRules')]"
                },
                "WindowsFirewallDomainApplyLocalFirewallRules": {
                  "value": "[parameters('WindowsFirewallDomainApplyLocalFirewallRules')]"
                },
                "WindowsFirewallDomainDisplayNotifications": {
                  "value": "[parameters('WindowsFirewallDomainDisplayNotifications')]"
                },
                "WindowsFirewallPrivateUseProfileSettings": {
                  "value": "[parameters('WindowsFirewallPrivateUseProfileSettings')]"
                },
                "WindowsFirewallPrivateBehaviorForOutboundConnections": {
                  "value": "[parameters('WindowsFirewallPrivateBehaviorForOutboundConnections')]"
                },
                "WindowsFirewallPrivateApplyLocalConnectionSecurityRules": {
                  "value": "[parameters('WindowsFirewallPrivateApplyLocalConnectionSecurityRules')]"
                },
                "WindowsFirewallPrivateApplyLocalFirewallRules": {
                  "value": "[parameters('WindowsFirewallPrivateApplyLocalFirewallRules')]"
                },
                "WindowsFirewallPrivateDisplayNotifications": {
                  "value": "[parameters('WindowsFirewallPrivateDisplayNotifications')]"
                },
                "WindowsFirewallPublicUseProfileSettings": {
                  "value": "[parameters('WindowsFirewallPublicUseProfileSettings')]"
                },
                "WindowsFirewallPublicBehaviorForOutboundConnections": {
                  "value": "[parameters('WindowsFirewallPublicBehaviorForOutboundConnections')]"
                },
                "WindowsFirewallPublicApplyLocalConnectionSecurityRules": {
                  "value": "[parameters('WindowsFirewallPublicApplyLocalConnectionSecurityRules')]"
                },
                "WindowsFirewallPublicApplyLocalFirewallRules": {
                  "value": "[parameters('WindowsFirewallPublicApplyLocalFirewallRules')]"
                },
                "WindowsFirewallPublicDisplayNotifications": {
                  "value": "[parameters('WindowsFirewallPublicDisplayNotifications')]"
                },
                "WindowsFirewallDomainAllowUnicastResponse": {
                  "value": "[parameters('WindowsFirewallDomainAllowUnicastResponse')]"
                },
                "WindowsFirewallPrivateAllowUnicastResponse": {
                  "value": "[parameters('WindowsFirewallPrivateAllowUnicastResponse')]"
                },
                "WindowsFirewallPublicAllowUnicastResponse": {
                  "value": "[parameters('WindowsFirewallPublicAllowUnicastResponse')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  },
                  "WindowsFirewallDomainUseProfileSettings": {
                    "type": "string"
                  },
                  "WindowsFirewallDomainBehaviorForOutboundConnections": {
                    "type": "string"
                  },
                  "WindowsFirewallDomainApplyLocalConnectionSecurityRules": {
                    "type": "string"
                  },
                  "WindowsFirewallDomainApplyLocalFirewallRules": {
                    "type": "string"
                  },
                  "WindowsFirewallDomainDisplayNotifications": {
                    "type": "string"
                  },
                  "WindowsFirewallPrivateUseProfileSettings": {
                    "type": "string"
                  },
                  "WindowsFirewallPrivateBehaviorForOutboundConnections": {
                    "type": "string"
                  },
                  "WindowsFirewallPrivateApplyLocalConnectionSecurityRules": {
                    "type": "string"
                  },
                  "WindowsFirewallPrivateApplyLocalFirewallRules": {
                    "type": "string"
                  },
                  "WindowsFirewallPrivateDisplayNotifications": {
                    "type": "string"
                  },
                  "WindowsFirewallPublicUseProfileSettings": {
                    "type": "string"
                  },
                  "WindowsFirewallPublicBehaviorForOutboundConnections": {
                    "type": "string"
                  },
                  "WindowsFirewallPublicApplyLocalConnectionSecurityRules": {
                    "type": "string"
                  },
                  "WindowsFirewallPublicApplyLocalFirewallRules": {
                    "type": "string"
                  },
                  "WindowsFirewallPublicDisplayNotifications": {
                    "type": "string"
                  },
                  "WindowsFirewallDomainAllowUnicastResponse": {
                    "type": "string"
                  },
                  "WindowsFirewallPrivateAllowUnicastResponse": {
                    "type": "string"
                  },
                  "WindowsFirewallPublicAllowUnicastResponse": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "Windows Firewall: Domain: Firewall state;ExpectedValue",
                            "value": "[parameters('WindowsFirewallDomainUseProfileSettings')]"
                          },
                          {
                            "name": "Windows Firewall: Domain: Outbound connections;ExpectedValue",
                            "value": "[parameters('WindowsFirewallDomainBehaviorForOutboundConnections')]"
                          },
                          {
                            "name": "Windows Firewall: Domain: Settings: Apply local connection security rules;ExpectedValue",
                            "value": "[parameters('WindowsFirewallDomainApplyLocalConnectionSecurityRules')]"
                          },
                          {
                            "name": "Windows Firewall: Domain: Settings: Apply local firewall rules;ExpectedValue",
                            "value": "[parameters('WindowsFirewallDomainApplyLocalFirewallRules')]"
                          },
                          {
                            "name": "Windows Firewall: Domain: Settings: Display a notification;ExpectedValue",
                            "value": "[parameters('WindowsFirewallDomainDisplayNotifications')]"
                          },
                          {
                            "name": "Windows Firewall: Private: Firewall state;ExpectedValue",
                            "value": "[parameters('WindowsFirewallPrivateUseProfileSettings')]"
                          },
                          {
                            "name": "Windows Firewall: Private: Outbound connections;ExpectedValue",
                            "value": "[parameters('WindowsFirewallPrivateBehaviorForOutboundConnections')]"
                          },
                          {
                            "name": "Windows Firewall: Private: Settings: Apply local connection security rules;ExpectedValue",
                            "value": "[parameters('WindowsFirewallPrivateApplyLocalConnectionSecurityRules')]"
                          },
                          {
                            "name": "Windows Firewall: Private: Settings: Apply local firewall rules;ExpectedValue",
                            "value": "[parameters('WindowsFirewallPrivateApplyLocalFirewallRules')]"
                          },
                          {
                            "name": "Windows Firewall: Private: Settings: Display a notification;ExpectedValue",
                            "value": "[parameters('WindowsFirewallPrivateDisplayNotifications')]"
                          },
                          {
                            "name": "Windows Firewall: Public: Firewall state;ExpectedValue",
                            "value": "[parameters('WindowsFirewallPublicUseProfileSettings')]"
                          },
                          {
                            "name": "Windows Firewall: Public: Outbound connections;ExpectedValue",
                            "value": "[parameters('WindowsFirewallPublicBehaviorForOutboundConnections')]"
                          },
                          {
                            "name": "Windows Firewall: Public: Settings: Apply local connection security rules;ExpectedValue",
                            "value": "[parameters('WindowsFirewallPublicApplyLocalConnectionSecurityRules')]"
                          },
                          {
                            "name": "Windows Firewall: Public: Settings: Apply local firewall rules;ExpectedValue",
                            "value": "[parameters('WindowsFirewallPublicApplyLocalFirewallRules')]"
                          },
                          {
                            "name": "Windows Firewall: Public: Settings: Display a notification;ExpectedValue",
                            "value": "[parameters('WindowsFirewallPublicDisplayNotifications')]"
                          },
                          {
                            "name": "Windows Firewall: Domain: Allow unicast response;ExpectedValue",
                            "value": "[parameters('WindowsFirewallDomainAllowUnicastResponse')]"
                          },
                          {
                            "name": "Windows Firewall: Private: Allow unicast response;ExpectedValue",
                            "value": "[parameters('WindowsFirewallPrivateAllowUnicastResponse')]"
                          },
                          {
                            "name": "Windows Firewall: Public: Allow unicast response;ExpectedValue",
                            "value": "[parameters('WindowsFirewallPublicAllowUnicastResponse')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "Windows Firewall: Domain: Firewall state;ExpectedValue",
                            "value": "[parameters('WindowsFirewallDomainUseProfileSettings')]"
                          },
                          {
                            "name": "Windows Firewall: Domain: Outbound connections;ExpectedValue",
                            "value": "[parameters('WindowsFirewallDomainBehaviorForOutboundConnections')]"
                          },
                          {
                            "name": "Windows Firewall: Domain: Settings: Apply local connection security rules;ExpectedValue",
                            "value": "[parameters('WindowsFirewallDomainApplyLocalConnectionSecurityRules')]"
                          },
                          {
                            "name": "Windows Firewall: Domain: Settings: Apply local firewall rules;ExpectedValue",
                            "value": "[parameters('WindowsFirewallDomainApplyLocalFirewallRules')]"
                          },
                          {
                            "name": "Windows Firewall: Domain: Settings: Display a notification;ExpectedValue",
                            "value": "[parameters('WindowsFirewallDomainDisplayNotifications')]"
                          },
                          {
                            "name": "Windows Firewall: Private: Firewall state;ExpectedValue",
                            "value": "[parameters('WindowsFirewallPrivateUseProfileSettings')]"
                          },
                          {
                            "name": "Windows Firewall: Private: Outbound connections;ExpectedValue",
                            "value": "[parameters('WindowsFirewallPrivateBehaviorForOutboundConnections')]"
                          },
                          {
                            "name": "Windows Firewall: Private: Settings: Apply local connection security rules;ExpectedValue",
                            "value": "[parameters('WindowsFirewallPrivateApplyLocalConnectionSecurityRules')]"
                          },
                          {
                            "name": "Windows Firewall: Private: Settings: Apply local firewall rules;ExpectedValue",
                            "value": "[parameters('WindowsFirewallPrivateApplyLocalFirewallRules')]"
                          },
                          {
                            "name": "Windows Firewall: Private: Settings: Display a notification;ExpectedValue",
                            "value": "[parameters('WindowsFirewallPrivateDisplayNotifications')]"
                          },
                          {
                            "name": "Windows Firewall: Public: Firewall state;ExpectedValue",
                            "value": "[parameters('WindowsFirewallPublicUseProfileSettings')]"
                          },
                          {
                            "name": "Windows Firewall: Public: Outbound connections;ExpectedValue",
                            "value": "[parameters('WindowsFirewallPublicBehaviorForOutboundConnections')]"
                          },
                          {
                            "name": "Windows Firewall: Public: Settings: Apply local connection security rules;ExpectedValue",
                            "value": "[parameters('WindowsFirewallPublicApplyLocalConnectionSecurityRules')]"
                          },
                          {
                            "name": "Windows Firewall: Public: Settings: Apply local firewall rules;ExpectedValue",
                            "value": "[parameters('WindowsFirewallPublicApplyLocalFirewallRules')]"
                          },
                          {
                            "name": "Windows Firewall: Public: Settings: Display a notification;ExpectedValue",
                            "value": "[parameters('WindowsFirewallPublicDisplayNotifications')]"
                          },
                          {
                            "name": "Windows Firewall: Domain: Allow unicast response;ExpectedValue",
                            "value": "[parameters('WindowsFirewallDomainAllowUnicastResponse')]"
                          },
                          {
                            "name": "Windows Firewall: Private: Allow unicast response;ExpectedValue",
                            "value": "[parameters('WindowsFirewallPrivateAllowUnicastResponse')]"
                          },
                          {
                            "name": "Windows Firewall: Public: Allow unicast response;ExpectedValue",
                            "value": "[parameters('WindowsFirewallPublicAllowUnicastResponse')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/909c958d-1b99-4c74-b88f-46a5c5bc34f9",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "909c958d-1b99-4c74-b88f-46a5c5bc34f9"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group contains any of the specified members",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group contains any of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "parameters": {
      "MembersToExclude": {
        "type": "String",
        "metadata": {
          "displayName": "Members to exclude",
          "description": "A semicolon-separated list of members that should be excluded in the Administrators local group. Ex: Administrator; myUser1; myUser2"
        }
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AdministratorsGroupMembersToExclude",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
            "equals": "[base64(concat('[LocalGroup]AdministratorsGroup;MembersToExclude', '=', parameters('MembersToExclude')))]"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "AdministratorsGroupMembersToExclude"
                },
                "MembersToExclude": {
                  "value": "[parameters('MembersToExclude')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  },
                  "MembersToExclude": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "[LocalGroup]AdministratorsGroup;MembersToExclude",
                            "value": "[parameters('MembersToExclude')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "[LocalGroup]AdministratorsGroup;MembersToExclude",
                            "value": "[parameters('MembersToExclude')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/144f1397-32f9-4598-8c88-118decc3ccba",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "144f1397-32f9-4598-8c88-118decc3ccba"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs in which the Administrators group contains any of the specified members (/providers/microsoft.authorization/policysetdefinitions/add1999e-a61c-46d3-b8c3-f35fb8398175) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain all the specified members",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain all of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "parameters": {
      "MembersToInclude": {
        "type": "String",
        "metadata": {
          "displayName": "Members to include",
          "description": "A semicolon-separated list of members that should be included in the Administrators local group. Ex: Administrator; myUser1; myUser2"
        }
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AdministratorsGroupMembersToInclude",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
            "equals": "[base64(concat('[LocalGroup]AdministratorsGroup;MembersToInclude', '=', parameters('MembersToInclude')))]"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "AdministratorsGroupMembersToInclude"
                },
                "MembersToInclude": {
                  "value": "[parameters('MembersToInclude')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  },
                  "MembersToInclude": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "[LocalGroup]AdministratorsGroup;MembersToInclude",
                            "value": "[parameters('MembersToInclude')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "[LocalGroup]AdministratorsGroup;MembersToInclude",
                            "value": "[parameters('MembersToInclude')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/93507a81-10a4-4af0-9ee2-34cf25a96e98",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "93507a81-10a4-4af0-9ee2-34cf25a96e98"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs in which the Administrators group does not contain all of the specified members (/providers/microsoft.authorization/policysetdefinitions/133046de-0bd7-4546-93f4-f452e9e258b7) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain only specified members",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain only the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "parameters": {
      "Members": {
        "type": "String",
        "metadata": {
          "displayName": "Members",
          "description": "A semicolon-separated list of all the expected members of the Administrators local group. Ex: Administrator; myUser1; myUser2"
        }
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AdministratorsGroupMembers",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
            "equals": "[base64(concat('[LocalGroup]AdministratorsGroup;Members', '=', parameters('Members')))]"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "AdministratorsGroupMembers"
                },
                "Members": {
                  "value": "[parameters('Members')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  },
                  "Members": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "[LocalGroup]AdministratorsGroup;Members",
                            "value": "[parameters('Members')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "[LocalGroup]AdministratorsGroup;Members",
                            "value": "[parameters('Members')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/b821191b-3a12-44bc-9c38-212138a29ff3",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b821191b-3a12-44bc-9c38-212138a29ff3"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs in which the Administrators group does not contain only the specified members (/providers/microsoft.authorization/policysetdefinitions/06122b01-688c-42a8-af2e-fa97dd39aa3b) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "WindowsDscConfiguration",
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "WindowsDscConfiguration"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*"
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*"
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/d38b4c26-9d2e-47d7-aefe-18d859a8706a",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "d38b4c26-9d2e-47d7-aefe-18d859a8706a"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs on which the DSC configuration is not compliant (/providers/microsoft.authorization/policysetdefinitions/c58599d5-0d51-454f-aaf1-da18a5e76edd) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "parameters": {
      "WorkspaceId": {
        "type": "String",
        "metadata": {
          "displayName": "Connected workspace IDs",
          "description": "A semicolon-separated list of the workspace IDs that the Log Analytics agent should be connected to"
        }
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "WindowsLogAnalyticsAgentConnection",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
            "equals": "[base64(concat('[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId', '=', parameters('WorkspaceId')))]"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "WindowsLogAnalyticsAgentConnection"
                },
                "WorkspaceId": {
                  "value": "[parameters('WorkspaceId')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  },
                  "WorkspaceId": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId",
                            "value": "[parameters('WorkspaceId')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId",
                            "value": "[parameters('WorkspaceId')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/68511db2-bd02-41c4-ae6b-1900a012968a",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "68511db2-bd02-41c4-ae6b-1900a012968a"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs on which the Log Analytics agent is not connected as expected (/providers/microsoft.authorization/policysetdefinitions/06c5e415-a662-463a-bb85-ede14286b979) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs on which the remote connection status does not match the specified one",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the remote host connection status does not match the specified one. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "parameters": {
      "host": {
        "type": "String",
        "metadata": {
          "displayName": "Remote Host Name",
          "description": "Specifies the Domain Name System (DNS) name or IP address of the remote host machine."
        }
      },
      "port": {
        "type": "String",
        "metadata": {
          "displayName": "Port",
          "description": "The TCP port number on the remote host name."
        }
      },
      "shouldConnect": {
        "type": "String",
        "metadata": {
          "displayName": "Should connect to remote host",
          "description": "Must be 'True' or 'False'. 'True' indicates that the virtual machine should be able to establish a connection with the remote host specified, so the machine will be non-compliant if it cannot establish a connection. 'False' indicates that the virtual machine should not be able to establish a connection with the remote host specified, so the machine will be non-compliant if it can establish a connection."
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "False"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "WindowsRemoteConnection",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
            "equals": "[base64(concat('[WindowsRemoteConnection]WindowsRemoteConnection1;host', '=', parameters('host'), ',', '[WindowsRemoteConnection]WindowsRemoteConnection1;port', '=', parameters('port'), ',', '[WindowsRemoteConnection]WindowsRemoteConnection1;shouldConnect', '=', parameters('shouldConnect')))]"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "WindowsRemoteConnection"
                },
                "host": {
                  "value": "[parameters('host')]"
                },
                "port": {
                  "value": "[parameters('port')]"
                },
                "shouldConnect": {
                  "value": "[parameters('shouldConnect')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  },
                  "host": {
                    "type": "string"
                  },
                  "port": {
                    "type": "string"
                  },
                  "shouldConnect": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "[WindowsRemoteConnection]WindowsRemoteConnection1;host",
                            "value": "[parameters('host')]"
                          },
                          {
                            "name": "[WindowsRemoteConnection]WindowsRemoteConnection1;port",
                            "value": "[parameters('port')]"
                          },
                          {
                            "name": "[WindowsRemoteConnection]WindowsRemoteConnection1;shouldConnect",
                            "value": "[parameters('shouldConnect')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "[WindowsRemoteConnection]WindowsRemoteConnection1;host",
                            "value": "[parameters('host')]"
                          },
                          {
                            "name": "[WindowsRemoteConnection]WindowsRemoteConnection1;port",
                            "value": "[parameters('port')]"
                          },
                          {
                            "name": "[WindowsRemoteConnection]WindowsRemoteConnection1;shouldConnect",
                            "value": "[parameters('shouldConnect')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/5bb36dda-8a78-4df9-affd-4f05a8612a8a",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "5bb36dda-8a78-4df9-affd-4f05a8612a8a"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs on which the remote host connection status does not match the specified one (/providers/microsoft.authorization/policysetdefinitions/4ddaefff-7c78-4824-9b27-5c344f3cdf90) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs on which the specified services are not installed and 'Running'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the specified services are not installed and 'Running'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "parameters": {
      "ServiceName": {
        "type": "String",
        "metadata": {
          "displayName": "Service names (supports wildcards)",
          "description": "A semicolon-separated list of the names of the services that should be installed and 'Running'. e.g. 'WinRm;Wi*'"
        }
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "WindowsServiceStatus",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
            "equals": "[base64(concat('[WindowsServiceStatus]WindowsServiceStatus1;ServiceName', '=', parameters('ServiceName')))]"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "WindowsServiceStatus"
                },
                "ServiceName": {
                  "value": "[parameters('ServiceName')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  },
                  "ServiceName": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "[WindowsServiceStatus]WindowsServiceStatus1;ServiceName",
                            "value": "[parameters('ServiceName')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "[WindowsServiceStatus]WindowsServiceStatus1;ServiceName",
                            "value": "[parameters('ServiceName')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/32b1e4d4-6cd5-47b4-a935-169da8a5c262",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "32b1e4d4-6cd5-47b4-a935-169da8a5c262"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs on which the specified services are not installed and 'Running' (/providers/microsoft.authorization/policysetdefinitions/8eeec860-e2fa-4f89-a669-84942c57225f) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs on which Windows Defender Exploit Guard is not enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines on which Windows Defender Exploit Guard is not enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.1.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "parameters": {
      "NotAvailableMachineState": {
        "type": "String",
        "metadata": {
          "displayName": "State in which to show VMs on which Windows Defender Exploit Guard is not available",
          "description": "Windows Defender Exploit Guard is only available starting with Windows 10/Windows Server with update 1709. Setting this value to 'Non-Compliant' will make machines with older versions on which Windows Defender Exploit Guard is not available (such as Windows Server 2012 R2) non-compliant. Setting this value to 'Compliant' will make these machines compliant."
        },
        "allowedValues": [
          "Compliant",
          "Non-Compliant"
        ],
        "defaultValue": "Non-Compliant"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "WindowsDefenderExploitGuard",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
            "equals": "[base64(concat('[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState', '=', parameters('NotAvailableMachineState')))]"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "WindowsDefenderExploitGuard"
                },
                "NotAvailableMachineState": {
                  "value": "[parameters('NotAvailableMachineState')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  },
                  "NotAvailableMachineState": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState",
                            "value": "[parameters('NotAvailableMachineState')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState",
                            "value": "[parameters('NotAvailableMachineState')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2015-05-01-preview",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/6a7a2bcf-f9be-4e35-9734-4f9657a70f1d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "6a7a2bcf-f9be-4e35-9734-4f9657a70f1d"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs on which Windows Defender Exploit Guard is not enabled (/providers/microsoft.authorization/policysetdefinitions/9d2fd8e6-95c8-410d-add0-43ada4241574) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines that allow re-use of the previous 24 passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "2.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "EnforcePasswordHistory",
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "EnforcePasswordHistory"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*"
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*"
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "726671ac-c4de-4908-8c7d-6043ae62e3b6"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit VMs with insecure password security settings (/providers/microsoft.authorization/policysetdefinitions/3fa7cbf5-c0a4-4a59-85a5-cca4d996d5a6) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs that are not joined to the specified domain",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not joined to the specified domain. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "parameters": {
      "DomainName": {
        "type": "String",
        "metadata": {
          "displayName": "Domain Name (FQDN)",
          "description": "The fully qualified domain name (FQDN) that the Windows VMs should be joined to"
        }
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "WindowsDomainMembership",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
            "equals": "[base64(concat('[DomainMembership]WindowsDomainMembership;DomainName', '=', parameters('DomainName')))]"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "WindowsDomainMembership"
                },
                "DomainName": {
                  "value": "[parameters('DomainName')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  },
                  "DomainName": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "[DomainMembership]WindowsDomainMembership;DomainName",
                            "value": "[parameters('DomainName')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "[DomainMembership]WindowsDomainMembership;DomainName",
                            "value": "[parameters('DomainName')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/315c850a-272d-4502-8935-b79010405970",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "315c850a-272d-4502-8935-b79010405970"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that are not joined to the specified domain (/providers/microsoft.authorization/policysetdefinitions/6b3c1e80-8ae5-405b-b021-c23d13b3959f) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs that are not set to the specified time zone",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not set to the specified time zone. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "parameters": {
      "TimeZone": {
        "type": "String",
        "metadata": {
          "displayName": "Time zone",
          "description": "The expected time zone"
        },
        "allowedValues": [
          "(UTC-12:00) International Date Line West",
          "(UTC-11:00) Coordinated Universal Time-11",
          "(UTC-10:00) Aleutian Islands",
          "(UTC-10:00) Hawaii",
          "(UTC-09:30) Marquesas Islands",
          "(UTC-09:00) Alaska",
          "(UTC-09:00) Coordinated Universal Time-09",
          "(UTC-08:00) Baja California",
          "(UTC-08:00) Coordinated Universal Time-08",
          "(UTC-08:00) Pacific Time (US & Canada)",
          "(UTC-07:00) Arizona",
          "(UTC-07:00) Chihuahua, La Paz, Mazatlan",
          "(UTC-07:00) Mountain Time (US & Canada)",
          "(UTC-06:00) Central America",
          "(UTC-06:00) Central Time (US & Canada)",
          "(UTC-06:00) Easter Island",
          "(UTC-06:00) Guadalajara, Mexico City, Monterrey",
          "(UTC-06:00) Saskatchewan",
          "(UTC-05:00) Bogota, Lima, Quito, Rio Branco",
          "(UTC-05:00) Chetumal",
          "(UTC-05:00) Eastern Time (US & Canada)",
          "(UTC-05:00) Haiti",
          "(UTC-05:00) Havana",
          "(UTC-05:00) Indiana (East)",
          "(UTC-05:00) Turks and Caicos",
          "(UTC-04:00) Asuncion",
          "(UTC-04:00) Atlantic Time (Canada)",
          "(UTC-04:00) Caracas",
          "(UTC-04:00) Cuiaba",
          "(UTC-04:00) Georgetown, La Paz, Manaus, San Juan",
          "(UTC-04:00) Santiago",
          "(UTC-03:30) Newfoundland",
          "(UTC-03:00) Araguaina",
          "(UTC-03:00) Brasilia",
          "(UTC-03:00) Cayenne, Fortaleza",
          "(UTC-03:00) City of Buenos Aires",
          "(UTC-03:00) Greenland",
          "(UTC-03:00) Montevideo",
          "(UTC-03:00) Punta Arenas",
          "(UTC-03:00) Saint Pierre and Miquelon",
          "(UTC-03:00) Salvador",
          "(UTC-02:00) Coordinated Universal Time-02",
          "(UTC-02:00) Mid-Atlantic - Old",
          "(UTC-01:00) Azores",
          "(UTC-01:00) Cabo Verde Is.",
          "(UTC) Coordinated Universal Time",
          "(UTC+00:00) Dublin, Edinburgh, Lisbon, London",
          "(UTC+00:00) Monrovia, Reykjavik",
          "(UTC+00:00) Sao Tome",
          "(UTC+01:00) Casablanca",
          "(UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna",
          "(UTC+01:00) Belgrade, Bratislava, Budapest, Ljubljana, Prague",
          "(UTC+01:00) Brussels, Copenhagen, Madrid, Paris",
          "(UTC+01:00) Sarajevo, Skopje, Warsaw, Zagreb",
          "(UTC+01:00) West Central Africa",
          "(UTC+02:00) Amman",
          "(UTC+02:00) Athens, Bucharest",
          "(UTC+02:00) Beirut",
          "(UTC+02:00) Cairo",
          "(UTC+02:00) Chisinau",
          "(UTC+02:00) Damascus",
          "(UTC+02:00) Gaza, Hebron",
          "(UTC+02:00) Harare, Pretoria",
          "(UTC+02:00) Helsinki, Kyiv, Riga, Sofia, Tallinn, Vilnius",
          "(UTC+02:00) Jerusalem",
          "(UTC+02:00) Kaliningrad",
          "(UTC+02:00) Khartoum",
          "(UTC+02:00) Tripoli",
          "(UTC+02:00) Windhoek",
          "(UTC+03:00) Baghdad",
          "(UTC+03:00) Istanbul",
          "(UTC+03:00) Kuwait, Riyadh",
          "(UTC+03:00) Minsk",
          "(UTC+03:00) Moscow, St. Petersburg",
          "(UTC+03:00) Nairobi",
          "(UTC+03:30) Tehran",
          "(UTC+04:00) Abu Dhabi, Muscat",
          "(UTC+04:00) Astrakhan, Ulyanovsk",
          "(UTC+04:00) Baku",
          "(UTC+04:00) Izhevsk, Samara",
          "(UTC+04:00) Port Louis",
          "(UTC+04:00) Saratov",
          "(UTC+04:00) Tbilisi",
          "(UTC+04:00) Volgograd",
          "(UTC+04:00) Yerevan",
          "(UTC+04:30) Kabul",
          "(UTC+05:00) Ashgabat, Tashkent",
          "(UTC+05:00) Ekaterinburg",
          "(UTC+05:00) Islamabad, Karachi",
          "(UTC+05:00) Qyzylorda",
          "(UTC+05:30) Chennai, Kolkata, Mumbai, New Delhi",
          "(UTC+05:30) Sri Jayawardenepura",
          "(UTC+05:45) Kathmandu",
          "(UTC+06:00) Astana",
          "(UTC+06:00) Dhaka",
          "(UTC+06:00) Omsk",
          "(UTC+06:30) Yangon (Rangoon)",
          "(UTC+07:00) Bangkok, Hanoi, Jakarta",
          "(UTC+07:00) Barnaul, Gorno-Altaysk",
          "(UTC+07:00) Hovd",
          "(UTC+07:00) Krasnoyarsk",
          "(UTC+07:00) Novosibirsk",
          "(UTC+07:00) Tomsk",
          "(UTC+08:00) Beijing, Chongqing, Hong Kong, Urumqi",
          "(UTC+08:00) Irkutsk",
          "(UTC+08:00) Kuala Lumpur, Singapore",
          "(UTC+08:00) Perth",
          "(UTC+08:00) Taipei",
          "(UTC+08:00) Ulaanbaatar",
          "(UTC+08:45) Eucla",
          "(UTC+09:00) Chita",
          "(UTC+09:00) Osaka, Sapporo, Tokyo",
          "(UTC+09:00) Pyongyang",
          "(UTC+09:00) Seoul",
          "(UTC+09:00) Yakutsk",
          "(UTC+09:30) Adelaide",
          "(UTC+09:30) Darwin",
          "(UTC+10:00) Brisbane",
          "(UTC+10:00) Canberra, Melbourne, Sydney",
          "(UTC+10:00) Guam, Port Moresby",
          "(UTC+10:00) Hobart",
          "(UTC+10:00) Vladivostok",
          "(UTC+10:30) Lord Howe Island",
          "(UTC+11:00) Bougainville Island",
          "(UTC+11:00) Chokurdakh",
          "(UTC+11:00) Magadan",
          "(UTC+11:00) Norfolk Island",
          "(UTC+11:00) Sakhalin",
          "(UTC+11:00) Solomon Is., New Caledonia",
          "(UTC+12:00) Anadyr, Petropavlovsk-Kamchatsky",
          "(UTC+12:00) Auckland, Wellington",
          "(UTC+12:00) Coordinated Universal Time+12",
          "(UTC+12:00) Fiji",
          "(UTC+12:00) Petropavlovsk-Kamchatsky - Old",
          "(UTC+12:45) Chatham Islands",
          "(UTC+13:00) Coordinated Universal Time+13",
          "(UTC+13:00) Nuku'alofa",
          "(UTC+13:00) Samoa",
          "(UTC+14:00) Kiritimati Island"
        ]
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "WindowsTimeZone",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
            "equals": "[base64(concat('[WindowsTimeZone]WindowsTimeZone1;TimeZone', '=', parameters('TimeZone')))]"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "WindowsTimeZone"
                },
                "TimeZone": {
                  "value": "[parameters('TimeZone')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  },
                  "TimeZone": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "[WindowsTimeZone]WindowsTimeZone1;TimeZone",
                            "value": "[parameters('TimeZone')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "[WindowsTimeZone]WindowsTimeZone1;TimeZone",
                            "value": "[parameters('TimeZone')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c21f7060-c148-41cf-a68b-0ab3e14c764c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c21f7060-c148-41cf-a68b-0ab3e14c764c"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that are not set to the specified time zone (/providers/microsoft.authorization/policysetdefinitions/538942d3-3fae-4fb6-9d94-744f9a51e7da) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines that contain certificates expiring within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "parameters": {
      "CertificateStorePath": {
        "type": "String",
        "metadata": {
          "displayName": "Certificate store path",
          "description": "The path to the certificate store containing the certificates to check the expiration dates of. Default value is 'Cert:' which is the root certificate store path, so all certificates on the machine will be checked. Other example paths: 'Cert:\\LocalMachine', 'Cert:\\LocalMachine\\TrustedPublisher', 'Cert:\\CurrentUser'"
        },
        "defaultValue": "Cert:"
      },
      "ExpirationLimitInDays": {
        "type": "String",
        "metadata": {
          "displayName": "Expiration limit in days",
          "description": "An integer indicating the number of days within which to check for certificates that are expiring. For example, if this value is 30, any certificate expiring within the next 30 days will cause this policy to be non-compliant."
        },
        "defaultValue": "30"
      },
      "CertificateThumbprintsToInclude": {
        "type": "String",
        "metadata": {
          "displayName": "Certificate thumbprints to include",
          "description": "A semicolon-separated list of certificate thumbprints to check under the specified path. If a value is not specified, all certificates under the certificate store path will be checked. If a value is specified, no certificates other than those with the thumbprints specified will be checked. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"
        },
        "defaultValue": ""
      },
      "CertificateThumbprintsToExclude": {
        "type": "String",
        "metadata": {
          "displayName": "Certificate thumbprints to exclude",
          "description": "A semicolon-separated list of certificate thumbprints to ignore. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"
        },
        "defaultValue": ""
      },
      "IncludeExpiredCertificates": {
        "type": "String",
        "metadata": {
          "displayName": "Include expired certificates",
          "description": "Must be 'true' or 'false'. True indicates that any found certificates that have already expired will also make this policy non-compliant. False indicates that certificates that have expired will be ignored."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "CertificateExpiration",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
            "equals": "[base64(concat('[CertificateStore]CertificateStore1;CertificateStorePath', '=', parameters('CertificateStorePath'), ',', '[CertificateStore]CertificateStore1;ExpirationLimitInDays', '=', parameters('ExpirationLimitInDays'), ',', '[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude', '=', parameters('CertificateThumbprintsToInclude'), ',', '[CertificateStore]CertificateStore1;CertificateThumbprintsToExclude', '=', parameters('CertificateThumbprintsToExclude'), ',', '[CertificateStore]CertificateStore1;IncludeExpiredCertificates', '=', parameters('IncludeExpiredCertificates')))]"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "CertificateExpiration"
                },
                "CertificateStorePath": {
                  "value": "[parameters('CertificateStorePath')]"
                },
                "ExpirationLimitInDays": {
                  "value": "[parameters('ExpirationLimitInDays')]"
                },
                "CertificateThumbprintsToInclude": {
                  "value": "[parameters('CertificateThumbprintsToInclude')]"
                },
                "CertificateThumbprintsToExclude": {
                  "value": "[parameters('CertificateThumbprintsToExclude')]"
                },
                "IncludeExpiredCertificates": {
                  "value": "[parameters('IncludeExpiredCertificates')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  },
                  "CertificateStorePath": {
                    "type": "string"
                  },
                  "ExpirationLimitInDays": {
                    "type": "string"
                  },
                  "CertificateThumbprintsToInclude": {
                    "type": "string"
                  },
                  "CertificateThumbprintsToExclude": {
                    "type": "string"
                  },
                  "IncludeExpiredCertificates": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "[CertificateStore]CertificateStore1;CertificateStorePath",
                            "value": "[parameters('CertificateStorePath')]"
                          },
                          {
                            "name": "[CertificateStore]CertificateStore1;ExpirationLimitInDays",
                            "value": "[parameters('ExpirationLimitInDays')]"
                          },
                          {
                            "name": "[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude",
                            "value": "[parameters('CertificateThumbprintsToInclude')]"
                          },
                          {
                            "name": "[CertificateStore]CertificateStore1;CertificateThumbprintsToExclude",
                            "value": "[parameters('CertificateThumbprintsToExclude')]"
                          },
                          {
                            "name": "[CertificateStore]CertificateStore1;IncludeExpiredCertificates",
                            "value": "[parameters('IncludeExpiredCertificates')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "[CertificateStore]CertificateStore1;CertificateStorePath",
                            "value": "[parameters('CertificateStorePath')]"
                          },
                          {
                            "name": "[CertificateStore]CertificateStore1;ExpirationLimitInDays",
                            "value": "[parameters('ExpirationLimitInDays')]"
                          },
                          {
                            "name": "[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude",
                            "value": "[parameters('CertificateThumbprintsToInclude')]"
                          },
                          {
                            "name": "[CertificateStore]CertificateStore1;CertificateThumbprintsToExclude",
                            "value": "[parameters('CertificateThumbprintsToExclude')]"
                          },
                          {
                            "name": "[CertificateStore]CertificateStore1;IncludeExpiredCertificates",
                            "value": "[parameters('IncludeExpiredCertificates')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c5fbc59e-fb6f-494f-81e2-d99a671bdaa8",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c5fbc59e-fb6f-494f-81e2-d99a671bdaa8"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that contain certificates expiring within the specified number of days (/providers/microsoft.authorization/policysetdefinitions/b6f5e05c-0aaa-4337-8dd4-357c399d12ae) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\\LocalMachine\\Root). It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "parameters": {
      "CertificateThumbprints": {
        "type": "String",
        "metadata": {
          "displayName": "Certificate thumbprints",
          "description": "A semicolon-separated list of certificate thumbprints that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"
        }
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "WindowsCertificateInTrustedRoot",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
            "equals": "[base64(concat('[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude', '=', parameters('CertificateThumbprints')))]"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "WindowsCertificateInTrustedRoot"
                },
                "CertificateThumbprints": {
                  "value": "[parameters('CertificateThumbprints')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  },
                  "CertificateThumbprints": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude",
                            "value": "[parameters('CertificateThumbprints')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude",
                            "value": "[parameters('CertificateThumbprints')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/106ccbe4-a791-4f33-a44a-06796944b8d5",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "106ccbe4-a791-4f33-a44a-06796944b8d5"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not contain the specified certificates in Trusted Root (/providers/microsoft.authorization/policysetdefinitions/cdfcc6ff-945e-4bc6-857e-056cbc511e0c) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a maximum password age of 70 days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "2.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "MaximumPasswordAge",
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "MaximumPasswordAge"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*"
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*"
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "356a906e-05e5-4625-8729-90771e0ee934"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit VMs with insecure password security settings (/providers/microsoft.authorization/policysetdefinitions/3fa7cbf5-c0a4-4a59-85a5-cca4d996d5a6) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a minimum password age of 1 day. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "2.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "MinimumPasswordAge",
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "MinimumPasswordAge"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*"
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*"
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "16390df4-2f73-4b42-af13-c801066763df"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit VMs with insecure password security settings (/providers/microsoft.authorization/policysetdefinitions/3fa7cbf5-c0a4-4a59-85a5-cca4d996d5a6) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the password complexity setting enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "2.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "PasswordMustMeetComplexityRequirements",
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "PasswordMustMeetComplexityRequirements"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*"
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*"
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit VMs with insecure password security settings (/providers/microsoft.authorization/policysetdefinitions/3fa7cbf5-c0a4-4a59-85a5-cca4d996d5a6) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified applications installed",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "parameters": {
      "installedApplication": {
        "type": "String",
        "metadata": {
          "displayName": "Application names (supports wildcards)",
          "description": "A semicolon-separated list of the names of the applications that should be installed. e.g. 'Microsoft SQL Server 2014 (64-bit); Microsoft Visual Studio Code' or 'Microsoft SQL Server 2014*' (to match any application starting with 'Microsoft SQL Server 2014')"
        }
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "WhitelistedApplication",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
            "equals": "[base64(concat('[InstalledApplication]bwhitelistedapp;Name', '=', parameters('installedApplication')))]"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "WhitelistedApplication"
                },
                "installedApplication": {
                  "value": "[parameters('installedApplication')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  },
                  "installedApplication": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "[InstalledApplication]bwhitelistedapp;Name",
                            "value": "[parameters('installedApplication')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "[InstalledApplication]bwhitelistedapp;Name",
                            "value": "[parameters('installedApplication')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/12f7e5d0-42a7-4630-80d8-54fb7cff9bd6",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "12f7e5d0-42a7-4630-80d8-54fb7cff9bd6"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not have the specified applications installed (/providers/microsoft.authorization/policysetdefinitions/25ef9b72-4af2-4501-acd1-fc814e73dde1) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell execution policy",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "parameters": {
      "ExecutionPolicy": {
        "type": "String",
        "metadata": {
          "displayName": "PowerShell Execution Policy",
          "description": "The expected PowerShell execution policy."
        },
        "allowedValues": [
          "AllSigned",
          "Bypass",
          "Default",
          "RemoteSigned",
          "Restricted",
          "Undefined",
          "Unrestricted"
        ]
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "WindowsPowerShellExecutionPolicy",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
            "equals": "[base64(concat('[PowerShellExecutionPolicy]PowerShellExecutionPolicy1;ExecutionPolicy', '=', parameters('ExecutionPolicy')))]"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "WindowsPowerShellExecutionPolicy"
                },
                "ExecutionPolicy": {
                  "value": "[parameters('ExecutionPolicy')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  },
                  "ExecutionPolicy": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "[PowerShellExecutionPolicy]PowerShellExecutionPolicy1;ExecutionPolicy",
                            "value": "[parameters('ExecutionPolicy')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "[PowerShellExecutionPolicy]PowerShellExecutionPolicy1;ExecutionPolicy",
                            "value": "[parameters('ExecutionPolicy')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e0efc13a-122a-47c5-b817-2ccfe5d12615",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e0efc13a-122a-47c5-b817-2ccfe5d12615"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not have the specified Windows PowerShell execution policy (/providers/microsoft.authorization/policysetdefinitions/f000289c-47af-4043-87da-91ba9e1a2720) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell modules installed",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the specified Windows PowerShell modules installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "parameters": {
      "Modules": {
        "type": "String",
        "metadata": {
          "displayName": "PowerShell Modules",
          "description": "A semicolon-separated list of the names of the PowerShell modules that should be installed. You may also specify a specific version of a module that should be installed by including a comma after the module name, followed by the desired version. e.g. PSDscResources; SqlServerDsc, 12.0.0.0; ComputerManagementDsc, 6.1.0.0"
        }
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "WindowsPowerShellModules",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
            "equals": "[base64(concat('[PowerShellModules]PowerShellModules1;Modules', '=', parameters('Modules')))]"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "WindowsPowerShellModules"
                },
                "Modules": {
                  "value": "[parameters('Modules')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  },
                  "Modules": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "[PowerShellModules]PowerShellModules1;Modules",
                            "value": "[parameters('Modules')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "[PowerShellModules]PowerShellModules1;Modules",
                            "value": "[parameters('Modules')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/90ba2ee7-4ca8-4673-84d1-c851c50d3baf",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "90ba2ee7-4ca8-4673-84d1-c851c50d3baf"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not have the specified Windows PowerShell modules installed (/providers/microsoft.authorization/policysetdefinitions/c980fd64-c67f-49a6-a8a8-e57661150802) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not restrict the minimum password length to 14 characters. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "2.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "MinimumPasswordLength",
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "MinimumPasswordLength"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*"
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*"
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "23020aa6-1135-4be2-bae2-149982b06eca"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit VMs with insecure password security settings (/providers/microsoft.authorization/policysetdefinitions/3fa7cbf5-c0a4-4a59-85a5-cca4d996d5a6) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not store passwords using reversible encryption. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "2.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "StorePasswordsUsingReversibleEncryption",
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "StorePasswordsUsingReversibleEncryption"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*"
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*"
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "8ff0b18b-262e-4512-857a-48ad0aeb9a78"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit VMs with insecure password security settings (/providers/microsoft.authorization/policysetdefinitions/3fa7cbf5-c0a4-4a59-85a5-cca4d996d5a6) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines that have not restarted within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.1.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "parameters": {
      "NumberOfDays": {
        "type": "String",
        "metadata": {
          "displayName": "Number of days",
          "description": "The number of days without restart until the machine is considered non-compliant"
        },
        "defaultValue": "12"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "MachineLastBootUpTime",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
            "equals": "[base64(concat('[MachineUpTime]MachineLastBootUpTime;NumberOfDays', '=', parameters('NumberOfDays')))]"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "MachineLastBootUpTime"
                },
                "NumberOfDays": {
                  "value": "[parameters('NumberOfDays')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  },
                  "NumberOfDays": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "[MachineUpTime]MachineLastBootUpTime;NumberOfDays",
                            "value": "[parameters('NumberOfDays')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "[MachineUpTime]MachineLastBootUpTime;NumberOfDays",
                            "value": "[parameters('NumberOfDays')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/f4b245d4-46c9-42be-9b1a-49e2b5b94194",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "f4b245d4-46c9-42be-9b1a-49e2b5b94194"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that have not restarted within the specified number of days (/providers/microsoft.authorization/policysetdefinitions/b8b5b0a8-b809-4e5d-8082-382c686e35b7) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs that have the specified applications installed",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "parameters": {
      "ApplicationName": {
        "type": "String",
        "metadata": {
          "displayName": "Application names (supports wildcards)",
          "description": "A semicolon-separated list of the names of the applications that should not be installed. e.g. 'Microsoft SQL Server 2014 (64-bit); Microsoft Visual Studio Code' or 'Microsoft SQL Server 2014*' (to match any application starting with 'Microsoft SQL Server 2014')"
        }
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "NotInstalledApplication",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
            "equals": "[base64(concat('[InstalledApplication]NotInstalledApplicationResource1;Name', '=', parameters('ApplicationName')))]"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "NotInstalledApplication"
                },
                "ApplicationName": {
                  "value": "[parameters('ApplicationName')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  },
                  "ApplicationName": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "[InstalledApplication]NotInstalledApplicationResource1;Name",
                            "value": "[parameters('ApplicationName')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "[InstalledApplication]NotInstalledApplicationResource1;Name",
                            "value": "[parameters('ApplicationName')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/f0633351-c7b2-41ff-9981-508fc08553c2",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "f0633351-c7b2-41ff-9981-508fc08553c2"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that have the specified applications installed (/providers/microsoft.authorization/policysetdefinitions/d7fff7ea-9d47-4952-b854-b7da261e48f2) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows VMs with a pending reboot",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows virtual machines with a pending reboot. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "WindowsPendingReboot",
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "WindowsPendingReboot"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*"
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*"
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c96f3246-4382-4264-bf6b-af0b35e23c3c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c96f3246-4382-4264-bf6b-af0b35e23c3c"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs with a pending reboot (/providers/microsoft.authorization/policysetdefinitions/c96b2a9c-6fab-4ac2-ae21-502143491cd4) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to audit Windows web servers that are not using secure communication protocols",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to audit Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "parameters": {
      "MinimumTLSVersion": {
        "type": "String",
        "metadata": {
          "displayName": "Minimum TLS version",
          "description": "The minimum TLS protocol version that should be enabled. Windows web servers with lower TLS versions will be marked as non-compliant."
        },
        "allowedValues": [
          "1.1",
          "1.2"
        ],
        "defaultValue": "1.1"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AuditSecureProtocol",
          "existenceCondition": {
            "anyOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('[SecureWebServer]s1;MinimumTLSVersion', '=', parameters('MinimumTLSVersion')))]"
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                    "equals": ""
                  },
                  {
                    "value": "[parameters('MinimumTLSVersion')]",
                    "equals": "1.1"
                  }
                ]
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "AuditSecureProtocol"
                },
                "MinimumTLSVersion": {
                  "value": "[parameters('MinimumTLSVersion')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  },
                  "MinimumTLSVersion": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "[SecureWebServer]s1;MinimumTLSVersion",
                            "value": "[parameters('MinimumTLSVersion')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "[SecureWebServer]s1;MinimumTLSVersion",
                            "value": "[parameters('MinimumTLSVersion')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b2fc8f91-866d-4434-9089-5ebfe38d6fd8"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows web servers that are not using secure communication protocols (/providers/microsoft.authorization/policysetdefinitions/8bc55e6b-e9d5-4266-8dac-f688d151ec9c) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs.",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol.",
    "metadata": {
      "version": "3.0.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Compute/imagePublisher",
                "in": [
                  "microsoft-aks",
                  "qubole-inc",
                  "datastax",
                  "couchbase",
                  "scalegrid",
                  "checkpoint",
                  "paloaltonetworks",
                  "debian"
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "OpenLogic"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "like": "CentOS*"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "notLike": "6*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Oracle"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Oracle-Linux"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "notLike": "6*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "RedHat"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "RHEL",
                      "RHEL-HA",
                      "RHEL-SAP",
                      "RHEL-SAP-APPS",
                      "RHEL-SAP-HA",
                      "RHEL-SAP-HANA"
                    ]
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "notLike": "6*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "RedHat"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "osa",
                      "rhel-byos"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "center-for-internet-security-inc"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "cis-centos-7-l1",
                      "cis-centos-7-v2-1-1-l1",
                      "cis-centos-8-l1",
                      "cis-debian-linux-8-l1",
                      "cis-debian-linux-9-l1",
                      "cis-nginx-centos-7-v1-1-0-l1",
                      "cis-oracle-linux-7-v2-0-0-l1",
                      "cis-oracle-linux-8-l1",
                      "cis-postgresql-11-centos-linux-7-level-1",
                      "cis-rhel-7-l2",
                      "cis-rhel-7-v2-2-0-l1",
                      "cis-rhel-8-l1",
                      "cis-suse-linux-12-v2-0-0-l1",
                      "cis-ubuntu-linux-1604-v1-0-0-l1",
                      "cis-ubuntu-linux-1804-l1"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "credativ"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Debian"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "notLike": "7*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Suse"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "like": "SLES*"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "notLike": "11*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Canonical"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "UbuntuServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "notLike": "12*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "microsoft-dsvm"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "linux-data-science-vm-ubuntu",
                      "azureml"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "cloudera"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "cloudera-centos-os"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "notLike": "6*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "cloudera"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "cloudera-altus-centos-os"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "microsoft-ads"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "like": "linux*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration",
                        "exists": "true"
                      },
                      {
                        "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                        "like": "Linux*"
                      }
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "exists": "false"
                      },
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "notIn": [
                          "OpenLogic",
                          "RedHat",
                          "credativ",
                          "Suse",
                          "Canonical",
                          "microsoft-dsvm",
                          "cloudera",
                          "microsoft-ads",
                          "center-for-internet-security-inc",
                          "Oracle"
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.Compute/virtualMachines/extensions",
          "name": "AzurePolicyforLinux",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                "equals": "Microsoft.GuestConfiguration"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/type",
                "equals": "ConfigurationforLinux"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",
                "equals": "Succeeded"
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforLinux')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforLinux",
                      "typeHandlerVersion": "1.0",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs.",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Windows VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol.",
    "metadata": {
      "version": "1.2.0-deprecated",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Compute/imagePublisher",
                "in": [
                  "esri",
                  "incredibuild",
                  "MicrosoftDynamicsAX",
                  "MicrosoftSharepoint",
                  "MicrosoftVisualStudio",
                  "MicrosoftWindowsDesktop",
                  "MicrosoftWindowsServerHPCPack"
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "notLike": "2008*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftSQLServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "notLike": "SQL2008*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "microsoft-dsvm"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "dsvm-windows"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "microsoft-ads"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "standard-data-science-vm",
                      "windows-data-science-vm"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "batch"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "rendering-windows2016"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "center-for-internet-security-inc"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "like": "cis-windows-server-201*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "pivotal"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "like": "bosh-windows-server*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "cloud-infrastructure-services"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "like": "ad*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                        "exists": "true"
                      },
                      {
                        "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                        "like": "Windows*"
                      }
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "exists": "false"
                      },
                      {
                        "allOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "notLike": "2008*"
                          },
                          {
                            "field": "Microsoft.Compute/imageOffer",
                            "notLike": "SQL2008*"
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.Compute/virtualMachines/extensions",
          "name": "AzurePolicyforWindows",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                "equals": "Microsoft.GuestConfiguration"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/type",
                "equals": "ConfigurationforWindows"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",
                "equals": "Succeeded"
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "apiVersion": "2019-07-01",
                    "type": "Microsoft.Compute/virtualMachines",
                    "identity": {
                      "type": "SystemAssigned"
                    },
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]"
                  },
                  {
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0ecd903d-91e7-4726-83d3-a229d7f2e293",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0ecd903d-91e7-4726-83d3-a229d7f2e293"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Deprecated]: Do not allow privileged containers in AKS",
    "policyType": "BuiltIn",
    "mode": "Microsoft.ContainerService.Data",
    "description": "This policy does not allow privileged containers creation in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies.",
    "metadata": {
      "version": "1.0.1-deprecated",
      "category": "Kubernetes service",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "EnforceRegoPolicy",
          "Disabled"
        ],
        "defaultValue": "EnforceRegoPolicy"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.ContainerService/managedClusters"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "policyId": "ContainerNoPrivilege",
          "policy": "https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-no-privilege/limited-preview/gatekeeperpolicy.rego"
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/7ce7ac02-a5c6-45d6-8d1b-844feb1c1531",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "7ce7ac02-a5c6-45d6-8d1b-844feb1c1531"
}
BuiltIn Kubernetes service True False n/a n/a EnforceRegoPolicy false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Email notifications to admins should be enabled in SQL Managed Instance advanced data security settings",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Audit that 'email notification to admins and subscription owners' is enabled in SQL Managed Instance advanced threat protection settings. This setting ensures that any detections of anomalous activities on SQL Managed Instance are reported as soon as possible to the admins.",
    "metadata": {
      "version": "1.0.1-deprecated",
      "category": "SQL",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Sql/managedInstances"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Sql/managedInstances/securityAlertPolicies",
          "name": "default",
          "existenceCondition": {
            "field": "Microsoft.Sql/managedInstances/securityAlertPolicies/emailAccountAdmins",
            "equals": "true"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/aeb23562-188d-47cb-80b8-551f16ef9fff",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "aeb23562-188d-47cb-80b8-551f16ef9fff"
}
BuiltIn SQL True False n/a n/a Disabled false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Email notifications to admins should be enabled in SQL server advanced data security settings",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Audit that 'email notification to admins and subscription owners' is enabled in the SQL server advanced threat protection settings. This ensures that any detections of anomalous activities on SQL server are reported as soon as possible to the admins.",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "SQL",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Sql/servers"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Sql/servers/securityAlertPolicies",
          "name": "default",
          "existenceCondition": {
            "field": "Microsoft.Sql/servers/securityAlertPolicies/emailAccountAdmins",
            "equals": "true"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c8343d2f-fdc9-4a97-b76f-fc71d1163bfc",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c8343d2f-fdc9-4a97-b76f-fc71d1163bfc"
}
BuiltIn SQL True False n/a n/a Disabled false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Enforce HTTPS ingress in AKS",
    "policyType": "BuiltIn",
    "mode": "Microsoft.ContainerService.Data",
    "description": "This policy enforces HTTPS ingress in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies.",
    "metadata": {
      "version": "1.0.1-deprecated",
      "category": "Kubernetes service",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "EnforceRegoPolicy",
          "Disabled"
        ],
        "defaultValue": "EnforceRegoPolicy"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.ContainerService/managedClusters"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "policyId": "HttpsIngressOnly",
          "policy": "https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/ingress-https-only/limited-preview/gatekeeperpolicy.rego"
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/2fbff515-eecc-4b7e-9b63-fcc7138b7dc3",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "2fbff515-eecc-4b7e-9b63-fcc7138b7dc3"
}
BuiltIn Kubernetes service True False n/a n/a EnforceRegoPolicy false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Enforce internal load balancers in AKS",
    "policyType": "BuiltIn",
    "mode": "Microsoft.ContainerService.Data",
    "description": "This policy enforces load balancers do not have public IPs in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies.",
    "metadata": {
      "version": "1.0.1-deprecated",
      "category": "Kubernetes service",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "EnforceRegoPolicy",
          "Disabled"
        ],
        "defaultValue": "EnforceRegoPolicy"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.ContainerService/managedClusters"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "policyId": "LoadBalancersInternal",
          "policy": "https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/loadbalancer-no-publicips/limited-preview/gatekeeperpolicy.rego"
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/a74d8f00-2fd9-4ce4-968e-0ee1eb821698",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "a74d8f00-2fd9-4ce4-968e-0ee1eb821698"
}
BuiltIn Kubernetes service True False n/a n/a EnforceRegoPolicy false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Enforce labels on pods in AKS",
    "policyType": "BuiltIn",
    "mode": "Microsoft.ContainerService.Data",
    "description": "This policy enforces the specified labels are provided for pods in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies.",
    "metadata": {
      "version": "1.0.1-deprecated",
      "category": "Kubernetes service",
      "deprecated": true
    },
    "parameters": {
      "commaSeparatedListOfLabels": {
        "type": "String",
        "metadata": {
          "displayName": "Comma-separated list of labels",
          "description": "A comma-separated list of labels to be specified on Pods in Kubernetes cluster. E.g. test1,test2"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "EnforceRegoPolicy",
          "Disabled"
        ],
        "defaultValue": "EnforceRegoPolicy"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.ContainerService/managedClusters"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "policyId": "PodEnforceLabels",
          "policy": "https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/pod-enforce-labels/limited-preview/gatekeeperpolicy.rego",
          "policyParameters": {
            "commaSeparatedListOfLabels": "[parameters('commaSeparatedListOfLabels')]"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/16c6ca72-89d2-4798-b87e-496f9de7fcb7",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "16c6ca72-89d2-4798-b87e-496f9de7fcb7"
}
BuiltIn Kubernetes service True False n/a n/a EnforceRegoPolicy false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Enforce unique ingress hostnames across namespaces in AKS",
    "policyType": "BuiltIn",
    "mode": "Microsoft.ContainerService.Data",
    "description": "This policy enforces unique ingress hostnames across namespaces in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies.",
    "metadata": {
      "version": "1.0.1-deprecated",
      "category": "Kubernetes service",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "EnforceRegoPolicy",
          "Disabled"
        ],
        "defaultValue": "EnforceRegoPolicy"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.ContainerService/managedClusters"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "policyId": "UniqueIngressHostnames",
          "policy": "https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/ingress-hostnames-conflict/limited-preview/gatekeeperpolicy.rego"
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/d011d9f7-ba32-4005-b727-b3d09371ca60",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "d011d9f7-ba32-4005-b727-b3d09371ca60"
}
BuiltIn Kubernetes service True False n/a n/a EnforceRegoPolicy false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Enforce unique ingress hostnames across namespaces in Kubernetes cluster",
    "policyType": "BuiltIn",
    "mode": "Microsoft.Kubernetes.Data",
    "description": "This policy enforces unique ingress hostnames across namespaces in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.",
    "metadata": {
      "version": "4.0.1-deprecated",
      "category": "Kubernetes",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "deny"
      },
      "excludedNamespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace exclusions",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "namespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace inclusions",
          "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
        },
        "defaultValue": []
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "AKS Engine",
          "Microsoft.Kubernetes/connectedClusters"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "constraintTemplate": "https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-hostnames-conflict/template.yaml",
          "constraint": "https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-hostnames-conflict/constraint.yaml",
          "excludedNamespaces": "[parameters('excludedNamespaces')]",
          "namespaces": "[parameters('namespaces')]",
          "values": {
            "excludedNamespaces": "[parameters('excludedNamespaces')]"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/b2fd3e59-6390-4f2b-8247-ea676bd03e2d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b2fd3e59-6390-4f2b-8247-ea676bd03e2d"
}
BuiltIn Kubernetes True False n/a n/a deny false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Ensure containers listen only on allowed ports in AKS",
    "policyType": "BuiltIn",
    "mode": "Microsoft.ContainerService.Data",
    "description": "This policy enforces containers to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies.",
    "metadata": {
      "version": "1.0.1-deprecated",
      "category": "Kubernetes service",
      "deprecated": true
    },
    "parameters": {
      "allowedContainerPortsRegex": {
        "type": "String",
        "metadata": {
          "displayName": "Allowed container ports regex",
          "description": "Regex representing container ports allowed in Kubernetes cluster. E.g. Regex for allowing ports 443,446 is ^(443|446)$"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "EnforceRegoPolicy",
          "Disabled"
        ],
        "defaultValue": "EnforceRegoPolicy"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.ContainerService/managedClusters"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "policyId": "ContainerAllowedPorts",
          "policy": "https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-allowed-ports/limited-preview/gatekeeperpolicy.rego",
          "policyParameters": {
            "allowedContainerPortsRegex": "[parameters('allowedContainerPortsRegex')]"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0f636243-1b1c-4d50-880f-310f6199f2cb",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0f636243-1b1c-4d50-880f-310f6199f2cb"
}
BuiltIn Kubernetes service True False n/a n/a EnforceRegoPolicy false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Ensure CPU and memory resource limits defined on containers in AKS",
    "policyType": "BuiltIn",
    "mode": "Microsoft.ContainerService.Data",
    "description": "This policy ensures CPU and memory resource limits are defined on containers in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies.",
    "metadata": {
      "version": "1.0.1-deprecated",
      "category": "Kubernetes service",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "EnforceRegoPolicy",
          "Disabled"
        ],
        "defaultValue": "EnforceRegoPolicy"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.ContainerService/managedClusters"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "policyId": "ContainerResourceLimits",
          "policy": "https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-resource-limits/limited-preview/gatekeeperpolicy.rego"
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/a2d3ed81-8d11-4079-80a5-1faadc0024f4",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "a2d3ed81-8d11-4079-80a5-1faadc0024f4"
}
BuiltIn Kubernetes service True False n/a n/a EnforceRegoPolicy false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Ensure Function app is using the latest version of TLS encryption",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Please use /providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193 instead. The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "App Service",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "functionapp*"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "name": "web",
          "existenceCondition": {
            "field": "Microsoft.Web/sites/config/web.minTlsVersion",
            "equals": "1.2"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/58d94fc1-a072-47c2-bd37-9cdb38e77453",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "58d94fc1-a072-47c2-bd37-9cdb38e77453"
}
BuiltIn App Service True False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Ensure only allowed container images in AKS",
    "policyType": "BuiltIn",
    "mode": "Microsoft.ContainerService.Data",
    "description": "This policy ensures only allowed container images are running in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies.",
    "metadata": {
      "version": "1.0.1-deprecated",
      "category": "Kubernetes service",
      "deprecated": true
    },
    "parameters": {
      "allowedContainerImagesRegex": {
        "type": "String",
        "metadata": {
          "displayName": "Allowed container images regex",
          "description": "Regex representing container images allowed in Kubernetes cluster. E.g. Regex of azure container registry images is ^.+azurecr.io/.+$"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "EnforceRegoPolicy",
          "Disabled"
        ],
        "defaultValue": "EnforceRegoPolicy"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.ContainerService/managedClusters"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "policyId": "ContainerAllowedImages",
          "policy": "https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-allowed-images/limited-preview/gatekeeperpolicy.rego",
          "policyParameters": {
            "allowedContainerImagesRegex": "[parameters('allowedContainerImagesRegex')]"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/5f86cb6e-c4da-441b-807c-44bd0cc14e66",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "5f86cb6e-c4da-441b-807c-44bd0cc14e66"
}
BuiltIn Kubernetes service True False n/a n/a EnforceRegoPolicy false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Ensure services listen only on allowed ports in AKS",
    "policyType": "BuiltIn",
    "mode": "Microsoft.ContainerService.Data",
    "description": "This policy enforces services to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies.",
    "metadata": {
      "version": "1.0.1-deprecated",
      "category": "Kubernetes service",
      "deprecated": true
    },
    "parameters": {
      "allowedServicePortsRegex": {
        "type": "String",
        "metadata": {
          "displayName": "Allowed service ports regex",
          "description": "Regex representing service ports allowed in Kubernetes cluster. E.g. Regex for allowing ports 443,446 is ^(443|446)$"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "EnforceRegoPolicy",
          "Disabled"
        ],
        "defaultValue": "EnforceRegoPolicy"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.ContainerService/managedClusters"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "policyId": "ServiceAllowedPorts",
          "policy": "https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/service-allowed-ports/limited-preview/gatekeeperpolicy.rego",
          "policyParameters": {
            "allowedServicePortsRegex": "[parameters('allowedServicePortsRegex')]"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/25dee3db-6ce0-4c02-ab5d-245887b24077",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "25dee3db-6ce0-4c02-ab5d-245887b24077"
}
BuiltIn Kubernetes service True False n/a n/a EnforceRegoPolicy false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the API app",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform.",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "App Service",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "*api"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "name": "web",
          "existenceCondition": {
            "field": "Microsoft.Web/sites/config/web.netFrameworkVersion",
            "in": [
              "v3.0",
              "v4.0"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c2e7ca55-f62c-49b2-89a4-d41eb661d2f0",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c2e7ca55-f62c-49b2-89a4-d41eb661d2f0"
}
BuiltIn App Service True False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Function App",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform.",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "App Service",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "functionapp*"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "name": "web",
          "existenceCondition": {
            "field": "Microsoft.Web/sites/config/web.netFrameworkVersion",
            "in": [
              "v3.0",
              "v4.0"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/10c1859c-e1a7-4df3-ab97-a487fa8059f6",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "10c1859c-e1a7-4df3-ab97-a487fa8059f6"
}
BuiltIn App Service True False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Web app",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform.",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "App Service",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "app*"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "existenceCondition": {
            "field": "Microsoft.Web/sites/config/web.netFrameworkVersion",
            "in": [
              "v3.0",
              "v4.0"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/843664e0-7563-41ee-a9cb-7522c382d2c4",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "843664e0-7563-41ee-a9cb-7522c382d2c4"
}
BuiltIn App Service True False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the Function app",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "PHP cannot be used with Function apps.",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "App Service",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "PHPLatestVersion": {
        "type": "String",
        "metadata": {
          "displayName": "Latest PHP version",
          "description": "Latest supported PHP version for App Services"
        },
        "defaultValue": "7.3"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "functionapp*"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "name": "web",
          "existenceCondition": {
            "anyOf": [
              {
                "allOf": [
                  {
                    "field": "Microsoft.Web/sites/config/web.linuxFxVersion",
                    "notContains": "PHP"
                  },
                  {
                    "field": "Microsoft.Web/sites/config/web.phpVersion",
                    "equals": ""
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Web/sites/config/web.linuxFxVersion",
                    "equals": "[concat('PHP|', parameters('PHPLatestVersion'))]"
                  },
                  {
                    "field": "Microsoft.Web/sites/config/web.phpVersion",
                    "equals": ""
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Web/sites/config/web.linuxFxVersion",
                    "equals": ""
                  },
                  {
                    "field": "Microsoft.Web/sites/config/web.phpVersion",
                    "equals": "[parameters('PHPLatestVersion')]"
                  }
                ]
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/ab965db2-d2bf-4b64-8b39-c38ec8179461",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ab965db2-d2bf-4b64-8b39-c38ec8179461"
}
BuiltIn App Service True False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Ensure that Register with Azure Active Directory is enabled on API app",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3ee instead.",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "App Service",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "*api"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "name": "web",
          "existenceCondition": {
            "field": "Microsoft.Web/sites/config/web.managedServiceIdentityId",
            "exists": "true"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/86d97760-d216-4d81-a3ad-163087b2b6c3",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "86d97760-d216-4d81-a3ad-163087b2b6c3"
}
BuiltIn App Service True False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Ensure that Register with Azure Active Directory is enabled on Function App",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f instead.",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "App Service",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "functionapp*"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "name": "web",
          "existenceCondition": {
            "field": "Microsoft.Web/sites/config/web.managedServiceIdentityId",
            "exists": "true"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/f0473e7a-a1ba-4e86-afb2-e829e11b01d8",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "f0473e7a-a1ba-4e86-afb2-e829e11b01d8"
}
BuiltIn App Service True False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Ensure that Register with Azure Active Directory is enabled on WEB App",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332 instead.",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "App Service",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "app*"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "name": "web",
          "existenceCondition": {
            "field": "Microsoft.Web/sites/config/web.managedServiceIdentityId",
            "exists": "true"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/aa81768c-cb87-4ce2-bfaa-00baa10d760c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "aa81768c-cb87-4ce2-bfaa-00baa10d760c"
}
BuiltIn App Service True False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Ensure WEB app is using the latest version of TLS encryption ",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Please use /providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b instead. The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS.",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "App Service",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "app*"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "name": "web",
          "existenceCondition": {
            "field": "Microsoft.Web/sites/config/web.minTlsVersion",
            "equals": "1.2"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/6ad61431-88ce-4357-a0e1-6da43f292bd7",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "6ad61431-88ce-4357-a0e1-6da43f292bd7"
}
BuiltIn App Service True False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Function App should only be accessible over HTTPS",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Security Center",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allof": [
          {
            "field": "type",
            "equals": "microsoft.Web/sites"
          },
          {
            "anyof": [
              {
                "field": "kind",
                "equals": "functionapp"
              },
              {
                "field": "kind",
                "equals": "functionapp,linux"
              },
              {
                "field": "kind",
                "equals": "functionapp,linux,container"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/complianceResults",
          "name": "OnlyHttpsForFunctionApp",
          "existenceCondition": {
            "field": "Microsoft.Security/complianceResults/resourceStatus",
            "in": [
              "OffByPolicy",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/5df82f4f-773a-4a2d-97a2-422a806f1a55",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "5df82f4f-773a-4a2d-97a2-422a806f1a55"
}
BuiltIn Security Center True False n/a n/a AuditIfNotExists true 1 /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/microsoft.authorization/policyassignments/bcdd1466e4fc5114b6e5f13d (testDeprecatedAssignment) false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Monitor permissive network access in Azure Security Center",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Network Security Groups with too permissive rules will be monitored by Azure Security Center as recommendations",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Security Center",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "Microsoft.Compute/virtualMachines",
          "Microsoft.ClassicCompute/virtualMachines"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/complianceResults",
          "name": "permissiveNetworkAccess",
          "existenceCondition": {
            "field": "Microsoft.Security/complianceResults/resourceStatus",
            "in": [
              "OffByPolicy",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/44452482-524f-4bf4-b852-0bff7cc4a3ed",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "44452482-524f-4bf4-b852-0bff7cc4a3ed"
}
BuiltIn Security Center True False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Monitor unaudited SQL servers in Azure Security Center",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "SQL servers which don't have SQL auditing turned on will be monitored by Azure Security Center as recommendations. This policy is deprecated and replaced by the following policy: 'Auditing should be enabled on advanced data security settings on SQL Server'",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Security Center",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "Microsoft.SQL/servers"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/complianceResults",
          "name": "auditing",
          "existenceCondition": {
            "field": "Microsoft.Security/complianceResults/resourceStatus",
            "in": [
              "OffByPolicy",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/af8051bf-258b-44e2-a2bf-165330459f9d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "af8051bf-258b-44e2-a2bf-165330459f9d"
}
BuiltIn Security Center True False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Monitor unencrypted SQL databases in Azure Security Center",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Unencrypted SQL databases will be monitored by Azure Security Center as recommendations. This policy is deprecated and replaced by the following policy: Transparent Data Encryption on SQL databases should be enabled'",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Security Center",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "Microsoft.SQL/servers/databases"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/complianceResults",
          "name": "encryption",
          "existenceCondition": {
            "field": "Microsoft.Security/complianceResults/resourceStatus",
            "in": [
              "OffByPolicy",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/a8bef009-a5c9-4d0f-90d7-6018734e8a16",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "a8bef009-a5c9-4d0f-90d7-6018734e8a16"
}
BuiltIn Security Center True False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Operating system version should be the most current version for your cloud service roles",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Keeping the operating system (OS) on the most recent supported version for your cloud service roles enhances the systems security posture.",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Security Center",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "Microsoft.ClassicCompute/domainNames/slots/roles"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "8bc390da-9eb6-938d-25ed-44a35d9bcc9d",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/5a913c68-0590-402c-a531-e57e19379da3",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "5a913c68-0590-402c-a531-e57e19379da3"
}
BuiltIn Security Center True False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Pod Security Policies should be defined on Kubernetes Services",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. It is recommended to configure Pod Security Policies to only allow pods to access the resources which they have permissions to access.",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Security Center",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ContainerService/managedClusters"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy",
                "exists": "false"
              },
              {
                "field": "Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy",
                "equals": "false"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "3abeb944-26af-43ee-b83d-32aaf060fb94"
}
BuiltIn Security Center True False n/a n/a Disabled false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Require blob encryption for storage accounts",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy ensures blob encryption for storage accounts is turned on. It only applies to Microsoft.Storage resource types, not other storage providers. This policy is deprecated because storage blob encryption is now enabled by default, and can no longer be disabled.",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Storage",
      "deprecated": true
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/enableBlobEncryption",
            "equals": "false"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f"
}
BuiltIn Storage True False n/a n/a n/a false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Require SQL Server version 12.0",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy ensures all SQL servers use version 12.0. This policy is deprecated because it is no longer possible to create an Azure SQL server with any version other than 12.0.",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "SQL",
      "deprecated": true
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Sql/servers"
          },
          {
            "not": {
              "field": "Microsoft.Sql/servers/version",
              "equals": "12.0"
            }
          }
        ]
      },
      "then": {
        "effect": "Deny"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf"
}
BuiltIn SQL True False n/a n/a n/a false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Service Bus should use a virtual network service endpoint",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy audits any Service Bus not configured to use a virtual network service endpoint. The resource type Microsoft.ServiceBus/namespaces/virtualNetworkRules is deprecated in the latest API version.",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Network",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.ServiceBus/namespaces"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.ServiceBus/namespaces/virtualNetworkRules",
          "existenceCondition": {
            "field": "Microsoft.ServiceBus/namespaces/virtualNetworkRules/virtualNetworkSubnetId",
            "exists": "true"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/235359c5-7c52-4b82-9055-01c75cf9f60e",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "235359c5-7c52-4b82-9055-01c75cf9f60e"
}
BuiltIn Network True False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Linux VMs that allow remote connections from accounts without passwords",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that allow remote connections from accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "3.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "microsoft-aks",
                      "qubole-inc",
                      "datastax",
                      "couchbase",
                      "scalegrid",
                      "checkpoint",
                      "paloaltonetworks",
                      "debian"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "OpenLogic"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "CentOS*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Oracle"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "Oracle-Linux"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "RedHat"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "RHEL",
                          "RHEL-HA",
                          "RHEL-SAP",
                          "RHEL-SAP-APPS",
                          "RHEL-SAP-HA",
                          "RHEL-SAP-HANA"
                        ]
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "RedHat"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "osa",
                          "rhel-byos"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "cis-centos-7-l1",
                          "cis-centos-7-v2-1-1-l1",
                          "cis-centos-8-l1",
                          "cis-debian-linux-8-l1",
                          "cis-debian-linux-9-l1",
                          "cis-nginx-centos-7-v1-1-0-l1",
                          "cis-oracle-linux-7-v2-0-0-l1",
                          "cis-oracle-linux-8-l1",
                          "cis-postgresql-11-centos-linux-7-level-1",
                          "cis-rhel-7-l2",
                          "cis-rhel-7-v2-2-0-l1",
                          "cis-rhel-8-l1",
                          "cis-suse-linux-12-v2-0-0-l1",
                          "cis-ubuntu-linux-1604-v1-0-0-l1",
                          "cis-ubuntu-linux-1804-l1"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "credativ"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "Debian"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "7*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Suse"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "SLES*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "11*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Canonical"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "UbuntuServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "12*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "linux-data-science-vm-ubuntu",
                          "azureml"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloudera"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "cloudera-centos-os"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloudera"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "cloudera-altus-centos-os"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "linux*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Linux*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "exists": "false"
                          },
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "notIn": [
                              "OpenLogic",
                              "RedHat",
                              "credativ",
                              "Suse",
                              "Canonical",
                              "microsoft-dsvm",
                              "cloudera",
                              "microsoft-ads",
                              "center-for-internet-security-inc",
                              "Oracle"
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "linux*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "PasswordPolicy_msid110",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "2d67222d-05fd-4526-a171-2ee132ad9e83"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit VMs with insecure password security settings (/providers/microsoft.authorization/policysetdefinitions/3fa7cbf5-c0a4-4a59-85a5-cca4d996d5a6) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the passwd file permissions set to 0644. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "3.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "microsoft-aks",
                      "qubole-inc",
                      "datastax",
                      "couchbase",
                      "scalegrid",
                      "checkpoint",
                      "paloaltonetworks",
                      "debian"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "OpenLogic"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "CentOS*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Oracle"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "Oracle-Linux"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "RedHat"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "RHEL",
                          "RHEL-HA",
                          "RHEL-SAP",
                          "RHEL-SAP-APPS",
                          "RHEL-SAP-HA",
                          "RHEL-SAP-HANA"
                        ]
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "RedHat"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "osa",
                          "rhel-byos"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "cis-centos-7-l1",
                          "cis-centos-7-v2-1-1-l1",
                          "cis-centos-8-l1",
                          "cis-debian-linux-8-l1",
                          "cis-debian-linux-9-l1",
                          "cis-nginx-centos-7-v1-1-0-l1",
                          "cis-oracle-linux-7-v2-0-0-l1",
                          "cis-oracle-linux-8-l1",
                          "cis-postgresql-11-centos-linux-7-level-1",
                          "cis-rhel-7-l2",
                          "cis-rhel-7-v2-2-0-l1",
                          "cis-rhel-8-l1",
                          "cis-suse-linux-12-v2-0-0-l1",
                          "cis-ubuntu-linux-1604-v1-0-0-l1",
                          "cis-ubuntu-linux-1804-l1"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "credativ"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "Debian"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "7*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Suse"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "SLES*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "11*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Canonical"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "UbuntuServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "12*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "linux-data-science-vm-ubuntu",
                          "azureml"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloudera"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "cloudera-centos-os"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloudera"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "cloudera-altus-centos-os"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "linux*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Linux*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "exists": "false"
                          },
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "notIn": [
                              "OpenLogic",
                              "RedHat",
                              "credativ",
                              "Suse",
                              "Canonical",
                              "microsoft-dsvm",
                              "cloudera",
                              "microsoft-ads",
                              "center-for-internet-security-inc",
                              "Oracle"
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "linux*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "PasswordPolicy_msid121",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b18175dd-c599-4c64-83ba-bb018a06d35b"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit VMs with insecure password security settings (/providers/microsoft.authorization/policysetdefinitions/3fa7cbf5-c0a4-4a59-85a5-cca4d996d5a6) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Linux VMs that do not have the specified applications installed",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "3.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "microsoft-aks",
                      "qubole-inc",
                      "datastax",
                      "couchbase",
                      "scalegrid",
                      "checkpoint",
                      "paloaltonetworks",
                      "debian"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "OpenLogic"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "CentOS*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Oracle"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "Oracle-Linux"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "RedHat"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "RHEL",
                          "RHEL-HA",
                          "RHEL-SAP",
                          "RHEL-SAP-APPS",
                          "RHEL-SAP-HA",
                          "RHEL-SAP-HANA"
                        ]
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "RedHat"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "osa",
                          "rhel-byos"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "cis-centos-7-l1",
                          "cis-centos-7-v2-1-1-l1",
                          "cis-centos-8-l1",
                          "cis-debian-linux-8-l1",
                          "cis-debian-linux-9-l1",
                          "cis-nginx-centos-7-v1-1-0-l1",
                          "cis-oracle-linux-7-v2-0-0-l1",
                          "cis-oracle-linux-8-l1",
                          "cis-postgresql-11-centos-linux-7-level-1",
                          "cis-rhel-7-l2",
                          "cis-rhel-7-v2-2-0-l1",
                          "cis-rhel-8-l1",
                          "cis-suse-linux-12-v2-0-0-l1",
                          "cis-ubuntu-linux-1604-v1-0-0-l1",
                          "cis-ubuntu-linux-1804-l1"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "credativ"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "Debian"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "7*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Suse"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "SLES*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "11*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Canonical"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "UbuntuServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "12*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "linux-data-science-vm-ubuntu",
                          "azureml"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloudera"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "cloudera-centos-os"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloudera"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "cloudera-altus-centos-os"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "linux*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Linux*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "exists": "false"
                          },
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "notIn": [
                              "OpenLogic",
                              "RedHat",
                              "credativ",
                              "Suse",
                              "Canonical",
                              "microsoft-dsvm",
                              "cloudera",
                              "microsoft-ads",
                              "center-for-internet-security-inc",
                              "Oracle"
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "linux*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "installed_application_linux",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/fee5cb2b-9d9b-410e-afe3-2902d90d0004",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "fee5cb2b-9d9b-410e-afe3-2902d90d0004"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Linux VMs that do not have the specified applications installed (/providers/microsoft.authorization/policysetdefinitions/c937dcb4-4398-4b39-8d63-4a6be432252e) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Linux VMs that have accounts without passwords",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "3.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "microsoft-aks",
                      "qubole-inc",
                      "datastax",
                      "couchbase",
                      "scalegrid",
                      "checkpoint",
                      "paloaltonetworks",
                      "debian"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "OpenLogic"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "CentOS*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Oracle"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "Oracle-Linux"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "RedHat"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "RHEL",
                          "RHEL-HA",
                          "RHEL-SAP",
                          "RHEL-SAP-APPS",
                          "RHEL-SAP-HA",
                          "RHEL-SAP-HANA"
                        ]
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "RedHat"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "osa",
                          "rhel-byos"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "cis-centos-7-l1",
                          "cis-centos-7-v2-1-1-l1",
                          "cis-centos-8-l1",
                          "cis-debian-linux-8-l1",
                          "cis-debian-linux-9-l1",
                          "cis-nginx-centos-7-v1-1-0-l1",
                          "cis-oracle-linux-7-v2-0-0-l1",
                          "cis-oracle-linux-8-l1",
                          "cis-postgresql-11-centos-linux-7-level-1",
                          "cis-rhel-7-l2",
                          "cis-rhel-7-v2-2-0-l1",
                          "cis-rhel-8-l1",
                          "cis-suse-linux-12-v2-0-0-l1",
                          "cis-ubuntu-linux-1604-v1-0-0-l1",
                          "cis-ubuntu-linux-1804-l1"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "credativ"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "Debian"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "7*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Suse"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "SLES*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "11*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Canonical"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "UbuntuServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "12*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "linux-data-science-vm-ubuntu",
                          "azureml"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloudera"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "cloudera-centos-os"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloudera"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "cloudera-altus-centos-os"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "linux*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Linux*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "exists": "false"
                          },
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "notIn": [
                              "OpenLogic",
                              "RedHat",
                              "credativ",
                              "Suse",
                              "Canonical",
                              "microsoft-dsvm",
                              "cloudera",
                              "microsoft-ads",
                              "center-for-internet-security-inc",
                              "Oracle"
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "linux*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "PasswordPolicy_msid232",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c40c9087-1981-4e73-9f53-39743eda9d05"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit VMs with insecure password security settings (/providers/microsoft.authorization/policysetdefinitions/3fa7cbf5-c0a4-4a59-85a5-cca4d996d5a6) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Linux VMs that have the specified applications installed",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "3.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "microsoft-aks",
                      "qubole-inc",
                      "datastax",
                      "couchbase",
                      "scalegrid",
                      "checkpoint",
                      "paloaltonetworks",
                      "debian"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "OpenLogic"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "CentOS*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Oracle"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "Oracle-Linux"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "RedHat"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "RHEL",
                          "RHEL-HA",
                          "RHEL-SAP",
                          "RHEL-SAP-APPS",
                          "RHEL-SAP-HA",
                          "RHEL-SAP-HANA"
                        ]
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "RedHat"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "osa",
                          "rhel-byos"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "cis-centos-7-l1",
                          "cis-centos-7-v2-1-1-l1",
                          "cis-centos-8-l1",
                          "cis-debian-linux-8-l1",
                          "cis-debian-linux-9-l1",
                          "cis-nginx-centos-7-v1-1-0-l1",
                          "cis-oracle-linux-7-v2-0-0-l1",
                          "cis-oracle-linux-8-l1",
                          "cis-postgresql-11-centos-linux-7-level-1",
                          "cis-rhel-7-l2",
                          "cis-rhel-7-v2-2-0-l1",
                          "cis-rhel-8-l1",
                          "cis-suse-linux-12-v2-0-0-l1",
                          "cis-ubuntu-linux-1604-v1-0-0-l1",
                          "cis-ubuntu-linux-1804-l1"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "credativ"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "Debian"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "7*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Suse"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "SLES*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "11*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Canonical"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "UbuntuServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "12*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "linux-data-science-vm-ubuntu",
                          "azureml"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloudera"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "cloudera-centos-os"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloudera"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "cloudera-altus-centos-os"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "linux*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Linux*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "exists": "false"
                          },
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "notIn": [
                              "OpenLogic",
                              "RedHat",
                              "credativ",
                              "Suse",
                              "Canonical",
                              "microsoft-dsvm",
                              "cloudera",
                              "microsoft-ads",
                              "center-for-internet-security-inc",
                              "Oracle"
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "linux*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "not_installed_application_linux",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/5b842acb-0fe7-41b0-9f40-880ec4ad84d8",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "5b842acb-0fe7-41b0-9f40-880ec4ad84d8"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Linux VMs that have the specified applications installed (/providers/microsoft.authorization/policysetdefinitions/f48bcc78-5400-4fb0-b913-5140a2e5fa20) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows Server VMs on which Windows Serial Console is not enabled",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows Server virtual machines on which Windows Serial Console is not enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "WindowsSerialConsole",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/d7ccd0ca-8d78-42af-a43d-6b7f928accbc",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "d7ccd0ca-8d78-42af-a43d-6b7f928accbc"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows Server VMs on which Windows Serial Console is not enabled (/providers/microsoft.authorization/policysetdefinitions/acb6cd8e-45f5-466f-b3cb-ff6fce525f71) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - Control Panel'",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_AdministrativeTemplatesControlPanel",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/87b590fe-4a1d-4697-ae74-d4fe72ab786c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "87b590fe-4a1d-4697-ae74-d4fe72ab786c"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - MSS (Legacy)'",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.1-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_AdminstrativeTemplatesMSSLegacy",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/97646672-5efa-4622-9b54-740270ad60bf",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "97646672-5efa-4622-9b54-740270ad60bf"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - Network'",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_AdministrativeTemplatesNetwork",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/7229bd6a-693d-478a-87f0-1dc1af06f3b8",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "7229bd6a-693d-478a-87f0-1dc1af06f3b8"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - System'",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_AdministrativeTemplatesSystem",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/a1e8dda3-9fd2-4835-aec3-0e55531fde33",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "a1e8dda3-9fd2-4835-aec3-0e55531fde33"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Accounts'",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SecurityOptionsAccounts",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b872a447-cc6f-43b9-bccf-45703cd81607"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Audit'",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SecurityOptionsAudit",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/21e2995e-683e-497a-9e81-2f42ad07050a",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "21e2995e-683e-497a-9e81-2f42ad07050a"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Devices'",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SecurityOptionsDevices",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/3d7b154e-2700-4c8c-9e46-cb65ac1578c2",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "3d7b154e-2700-4c8c-9e46-cb65ac1578c2"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Interactive Logon'",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SecurityOptionsInteractiveLogon",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c8abcef9-fc26-482f-b8db-5fa60ee4586d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c8abcef9-fc26-482f-b8db-5fa60ee4586d"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Client'",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SecurityOptionsMicrosoftNetworkClient",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "fcbc55c9-f25a-4e55-a6cb-33acb3be778b"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Server'",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SecurityOptionsMicrosoftNetworkServer",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/6fe4ef56-7576-4dc4-8e9c-26bad4b087ce",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "6fe4ef56-7576-4dc4-8e9c-26bad4b087ce"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Network Access'",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SecurityOptionsNetworkAccess",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "30040dab-4e75-4456-8273-14b8f75d91d9"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Network Security'",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SecurityOptionsNetworkSecurity",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/5c028d2a-1889-45f6-b821-31f42711ced8",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "5c028d2a-1889-45f6-b821-31f42711ced8"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Recovery console'",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SecurityOptionsRecoveryconsole",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ba12366f-f9a6-42b8-9d98-157d0b1a837b"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Shutdown'",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SecurityOptionsShutdown",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e3a77a94-cf41-4ee8-b45c-98be28841c03",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e3a77a94-cf41-4ee8-b45c-98be28841c03"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - System objects'",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SecurityOptionsSystemobjects",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/620e58b5-ac75-49b4-993f-a9d4f0459636",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "620e58b5-ac75-49b4-993f-a9d4f0459636"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - System settings'",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SecurityOptionsSystemsettings",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/8a39d1f1-5513-4628-b261-f469a5a3341b",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "8a39d1f1-5513-4628-b261-f469a5a3341b"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - User Account Control'",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SecurityOptionsUserAccountControl",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/29829ec2-489d-4925-81b7-bda06b1718e0",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "29829ec2-489d-4925-81b7-bda06b1718e0"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs configurations in 'Security Settings - Account Policies'",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SecuritySettingsAccountPolicies",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/ddb53c61-9db4-41d4-a953-2abff5b66c12",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ddb53c61-9db4-41d4-a953-2abff5b66c12"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Logon'",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SystemAuditPoliciesAccountLogon",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/bc87d811-4a9b-47cc-ae54-0a41abda7768",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "bc87d811-4a9b-47cc-ae54-0a41abda7768"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Management'",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SystemAuditPoliciesAccountManagement",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/225e937e-d32e-4713-ab74-13ce95b3519a",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "225e937e-d32e-4713-ab74-13ce95b3519a"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Detailed Tracking'",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SystemAuditPoliciesDetailedTracking",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/a9a33475-481d-4b81-9116-0bf02ffe67e8",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "a9a33475-481d-4b81-9116-0bf02ffe67e8"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Logon-Logoff'",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SystemAuditPoliciesLogonLogoff",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/b3802d79-dd88-4bce-b81d-780218e48280",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b3802d79-dd88-4bce-b81d-780218e48280"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Object Access'",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SystemAuditPoliciesObjectAccess",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/60aeaf73-a074-417a-905f-7ce9df0ff77b",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "60aeaf73-a074-417a-905f-7ce9df0ff77b"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Policy Change'",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SystemAuditPoliciesPolicyChange",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/dd4680ed-0559-4a6a-ad10-081d14cbb484",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "dd4680ed-0559-4a6a-ad10-081d14cbb484"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Privilege Use'",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SystemAuditPoliciesPrivilegeUse",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - System'",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SystemAuditPoliciesSystem",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/7066131b-61a6-4917-a7e4-72e8983f0aa6",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "7066131b-61a6-4917-a7e4-72e8983f0aa6"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs configurations in 'User Rights Assignment'",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_UserRightsAssignment",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c961dac9-5916-42e8-8fb1-703148323994",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c961dac9-5916-42e8-8fb1-703148323994"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs configurations in 'Windows Components'",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_WindowsComponents",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/9178b430-2295-406e-bb28-f6a7a2a2f897",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "9178b430-2295-406e-bb28-f6a7a2a2f897"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs configurations in 'Windows Firewall Properties'",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_WindowsFirewallProperties",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/8bbd627e-4d25-4906-9a6e-3789780af3ec",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "8bbd627e-4d25-4906-9a6e-3789780af3ec"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings (/providers/microsoft.authorization/policysetdefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs if the Administrators group contains any of the specified members",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group contains any of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AdministratorsGroupMembersToExclude",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "bde62c94-ccca-4821-a815-92c1d31a76de"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs in which the Administrators group contains any of the specified members (/providers/microsoft.authorization/policysetdefinitions/add1999e-a61c-46d3-b8c3-f35fb8398175) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs if the Administrators group doesn't contain all of the specified members",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain all of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AdministratorsGroupMembersToInclude",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/f3b44e5d-1456-475f-9c67-c66c4618e85a",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "f3b44e5d-1456-475f-9c67-c66c4618e85a"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs in which the Administrators group does not contain all of the specified members (/providers/microsoft.authorization/policysetdefinitions/133046de-0bd7-4546-93f4-f452e9e258b7) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs if the Administrators group doesn't contain only specified members",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain only the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AdministratorsGroupMembers",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/cc7cda28-f867-4311-8497-a526129a8d19",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "cc7cda28-f867-4311-8497-a526129a8d19"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs in which the Administrators group does not contain only the specified members (/providers/microsoft.authorization/policysetdefinitions/06122b01-688c-42a8-af2e-fa97dd39aa3b) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs on which the DSC configuration is not compliant",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "WindowsDscConfiguration",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/7227ebe5-9ff7-47ab-b823-171cd02fb90f",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "7227ebe5-9ff7-47ab-b823-171cd02fb90f"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs on which the DSC configuration is not compliant (/providers/microsoft.authorization/policysetdefinitions/c58599d5-0d51-454f-aaf1-da18a5e76edd) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs on which the Log Analytics agent is not connected as expected",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "WindowsLogAnalyticsAgentConnection",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "a030a57e-4639-4e8f-ade9-a92f33afe7ee"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs on which the Log Analytics agent is not connected as expected (/providers/microsoft.authorization/policysetdefinitions/06c5e415-a662-463a-bb85-ede14286b979) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs on which the remote connection status does not match the specified one",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the remote host connection status does not match the specified one. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "WindowsRemoteConnection",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/02a84be7-c304-421f-9bb7-5d2c26af54ad",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "02a84be7-c304-421f-9bb7-5d2c26af54ad"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs on which the remote host connection status does not match the specified one (/providers/microsoft.authorization/policysetdefinitions/4ddaefff-7c78-4824-9b27-5c344f3cdf90) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs on which the specified services are not installed and 'Running'",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the specified services are not installed and 'Running'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "WindowsServiceStatus",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs on which the specified services are not installed and 'Running' (/providers/microsoft.authorization/policysetdefinitions/8eeec860-e2fa-4f89-a669-84942c57225f) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs on which Windows Defender Exploit Guard is not enabled",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which Windows Defender Exploit Guard is not enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "WindowsDefenderExploitGuard",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0d9b45ff-9ddd-43fc-bf59-fbd1c8423053",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0d9b45ff-9ddd-43fc-bf59-fbd1c8423053"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs on which Windows Defender Exploit Guard is not enabled (/providers/microsoft.authorization/policysetdefinitions/9d2fd8e6-95c8-410d-add0-43ada4241574) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs that allow re-use of the previous 24 passwords",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that allow re-use of the previous 24 passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "EnforcePasswordHistory",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "cdbf72d9-ac9c-4026-8a3a-491a5ac59293"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit VMs with insecure password security settings (/providers/microsoft.authorization/policysetdefinitions/3fa7cbf5-c0a4-4a59-85a5-cca4d996d5a6) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs that are not joined to the specified domain",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not joined to the specified domain. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "WindowsDomainMembership",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/a29ee95c-0395-4515-9851-cc04ffe82a91",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "a29ee95c-0395-4515-9851-cc04ffe82a91"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that are not joined to the specified domain (/providers/microsoft.authorization/policysetdefinitions/6b3c1e80-8ae5-405b-b021-c23d13b3959f) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs that are not set to the specified time zone",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not set to the specified time zone. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "WindowsTimeZone",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/9f658460-46b7-43af-8565-94fc0662be38",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "9f658460-46b7-43af-8565-94fc0662be38"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that are not set to the specified time zone (/providers/microsoft.authorization/policysetdefinitions/538942d3-3fae-4fb6-9d94-744f9a51e7da) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs that contain certificates expiring within the specified number of days",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that contain certificates expiring within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "CertificateExpiration",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/9328f27e-611e-44a7-a244-39109d7d35ab",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "9328f27e-611e-44a7-a244-39109d7d35ab"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that contain certificates expiring within the specified number of days (/providers/microsoft.authorization/policysetdefinitions/b6f5e05c-0aaa-4337-8dd4-357c399d12ae) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs that do not contain the specified certificates in Trusted Root",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\\LocalMachine\\Root). For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "WindowsCertificateInTrustedRoot",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/f3b9ad83-000d-4dc1-bff0-6d54533dd03f",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "f3b9ad83-000d-4dc1-bff0-6d54533dd03f"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not contain the specified certificates in Trusted Root (/providers/microsoft.authorization/policysetdefinitions/cdfcc6ff-945e-4bc6-857e-056cbc511e0c) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs that do not have a maximum password age of 70 days",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a maximum password age of 70 days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "MaximumPasswordAge",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "24dde96d-f0b1-425e-884f-4a1421e2dcdc"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit VMs with insecure password security settings (/providers/microsoft.authorization/policysetdefinitions/3fa7cbf5-c0a4-4a59-85a5-cca4d996d5a6) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs that do not have a minimum password age of 1 day",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a minimum password age of 1 day. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "MinimumPasswordAge",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "5aa11bbc-5c76-4302-80e5-aba46a4282e7"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit VMs with insecure password security settings (/providers/microsoft.authorization/policysetdefinitions/3fa7cbf5-c0a4-4a59-85a5-cca4d996d5a6) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs that do not have the password complexity setting enabled",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the password complexity setting enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "PasswordMustMeetComplexityRequirements",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "f48b2913-1dc5-4834-8c72-ccc1dfd819bb"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit VMs with insecure password security settings (/providers/microsoft.authorization/policysetdefinitions/3fa7cbf5-c0a4-4a59-85a5-cca4d996d5a6) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs that do not have the specified applications installed",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "WhitelistedApplication",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/5e393799-e3ca-4e43-a9a5-0ec4648a57d9",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "5e393799-e3ca-4e43-a9a5-0ec4648a57d9"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not have the specified applications installed (/providers/microsoft.authorization/policysetdefinitions/25ef9b72-4af2-4501-acd1-fc814e73dde1) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs that do not have the specified Windows PowerShell execution policy",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "WindowsPowerShellExecutionPolicy",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/f8036bd0-c10b-4931-86bb-94a878add855",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "f8036bd0-c10b-4931-86bb-94a878add855"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not have the specified Windows PowerShell execution policy (/providers/microsoft.authorization/policysetdefinitions/f000289c-47af-4043-87da-91ba9e1a2720) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs that do not have the specified Windows PowerShell modules installed",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified Windows PowerShell modules installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "WindowsPowerShellModules",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/16f9b37c-4408-4c30-bc17-254958f2e2d6",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "16f9b37c-4408-4c30-bc17-254958f2e2d6"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that do not have the specified Windows PowerShell modules installed (/providers/microsoft.authorization/policysetdefinitions/c980fd64-c67f-49a6-a8a8-e57661150802) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not restrict the minimum password length to 14 characters. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "MinimumPasswordLength",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "5aebc8d1-020d-4037-89a0-02043a7524ec"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit VMs with insecure password security settings (/providers/microsoft.authorization/policysetdefinitions/3fa7cbf5-c0a4-4a59-85a5-cca4d996d5a6) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs that do not store passwords using reversible encryption",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not store passwords using reversible encryption. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "StorePasswordsUsingReversibleEncryption",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "2d60d3b7-aa10-454c-88a8-de39d99d17c6"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit VMs with insecure password security settings (/providers/microsoft.authorization/policysetdefinitions/3fa7cbf5-c0a4-4a59-85a5-cca4d996d5a6) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs that have not restarted within the specified number of days",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have not restarted within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "MachineLastBootUpTime",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/7e84ba44-6d03-46fd-950e-5efa5a1112fa",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "7e84ba44-6d03-46fd-950e-5efa5a1112fa"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that have not restarted within the specified number of days (/providers/microsoft.authorization/policysetdefinitions/b8b5b0a8-b809-4e5d-8082-382c686e35b7) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs that have the specified applications installed",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "NotInstalledApplication",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/7e56b49b-5990-4159-a734-511ea19b731c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "7e56b49b-5990-4159-a734-511ea19b731c"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs that have the specified applications installed (/providers/microsoft.authorization/policysetdefinitions/d7fff7ea-9d47-4952-b854-b7da261e48f2) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows VMs with a pending reboot",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with a pending reboot. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "WindowsPendingReboot",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/8b0de57a-f511-4d45-a277-17cb79cb163b",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "8b0de57a-f511-4d45-a277-17cb79cb163b"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows VMs with a pending reboot (/providers/microsoft.authorization/policysetdefinitions/c96b2a9c-6fab-4ac2-ae21-502143491cd4) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Show audit results from Windows web servers that are not using secure communication protocols",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AuditSecureProtocol",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "60ffe3e2-4604-4460-8f22-0f1da058266c"
}
BuiltIn Guest Configuration True False n/a n/a n/a false 0 n/a true 1 [Deprecated]: Audit Windows web servers that are not using secure communication protocols (/providers/microsoft.authorization/policysetdefinitions/8bc55e6b-e9d5-4266-8dac-f688d151ec9c) n/a
{
  "properties": {
    "displayName": "[Deprecated]: Vulnerabilities should be remediated by a Vulnerability Assessment solution",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Monitors vulnerabilities detected by Vulnerability Assessment solution and VMs without a Vulnerability Assessment solution in Azure Security Center as recommendations.",
    "metadata": {
      "version": "3.0.0-deprecated",
      "category": "Security Center",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "Microsoft.Compute/virtualMachines",
          "Microsoft.ClassicCompute/virtualMachines"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "71992a2a-d168-42e0-b10e-6b45fa2ecddb",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "760a85ff-6162-42b3-8d70-698e268f648c"
}
BuiltIn Security Center True False n/a n/a Disabled false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Web Application Firewall should be a set mode for Application Gateway and Azure Front Door Service",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Mandates detect or prevent mode to be active on all Web Application Firewall policies for Azure Front Door and Application Gateway. Web Application Firewall policies can have a consistent mode configuration across a resource group.",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Network",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Deny"
      },
      "modeRequirement": {
        "type": "String",
        "metadata": {
          "displayName": "Mode Requirement",
          "description": "Mode required for all WAF policies"
        },
        "allowedValues": [
          "Prevention",
          "Detection"
        ],
        "defaultValue": "Detection"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies"
              },
              {
                "field": "Microsoft.Network/frontdoorWebApplicationFirewallPolicies/policySettings.mode",
                "notEquals": "[parameters('modeRequirement')]"
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies"
              },
              {
                "field": "Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies/policySettings.mode",
                "notEquals": "[parameters('modeRequirement')]"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/f6b68e5a-7207-4638-a1fb-47d90404209e",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "f6b68e5a-7207-4638-a1fb-47d90404209e"
}
BuiltIn Network True False n/a n/a Deny false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Web Application Firewall should be enabled for Azure Front Door Service or Application Gateway",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Requires Web Application Firewall on any Azure Front Door Service or Application Gateway. A Web Application Firewall provides greater security for your other Azure resources.",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Network",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Network/frontdoors"
              },
              {
                "field": "Microsoft.Network/frontdoors/frontendEndpoints[*].webApplicationFirewallPolicyLink.id",
                "exists": "false"
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Network/applicationGateways"
              },
              {
                "field": "Microsoft.Network/applicationGateways/webApplicationFirewallConfiguration",
                "exists": "false"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/be7ed5c8-2660-4136-8216-e6f3412ba909",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "be7ed5c8-2660-4136-8216-e6f3412ba909"
}
BuiltIn Network True False n/a n/a Deny false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Web Application should only be accessible over HTTPS",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Security Center",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allof": [
          {
            "field": "type",
            "equals": "microsoft.Web/sites"
          },
          {
            "anyof": [
              {
                "field": "kind",
                "equals": "app"
              },
              {
                "field": "kind",
                "equals": "WebApp"
              },
              {
                "field": "kind",
                "equals": "app,linux"
              },
              {
                "field": "kind",
                "equals": "app,linux,container"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/complianceResults",
          "name": "OnlyHttpsForWebApplication",
          "existenceCondition": {
            "field": "Microsoft.Security/complianceResults/resourceStatus",
            "in": [
              "OffByPolicy",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/2fde8a98-6892-426a-83ba-050e640c0ce0",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "2fde8a98-6892-426a-83ba-050e640c0ce0"
}
BuiltIn Security Center True False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Deprecated]: Web ports should be restricted on Network Security Groups associated to your VM",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Azure security center has discovered that some of your virtual machines are running web applications, and the NSGs associated to these virtual machines are overly permissive with regards to the web application ports",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Security Center",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "Microsoft.Compute/virtualMachines",
          "Microsoft.ClassicCompute/virtualMachines"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/complianceResults",
          "name": "unprotectedWebApplication",
          "existenceCondition": {
            "field": "Microsoft.Security/complianceResults/resourceStatus",
            "in": [
              "OffByPolicy",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "201ea587-7c90-41c3-910f-c280ae01cfd6"
}
BuiltIn Security Center True False n/a n/a Disabled false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Preview]: All Internet traffic should be routed via your deployed Azure Firewall",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall",
    "metadata": {
      "version": "3.0.0-preview",
      "category": "Network",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable All Internet traffic should be routed via your deployed Azure Firewall"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/virtualNetworks"
          },
          {
            "count": {
              "field": "Microsoft.Network/virtualNetworks/subnets[*]",
              "where": {
                "allOf": [
                  {
                    "count": {
                      "field": "Microsoft.Network/virtualNetworks/subnets[*].ipConfigurations[*]",
                      "where": {
                        "value": "[empty(field('Microsoft.Network/virtualNetworks/subnets[*].ipConfigurations[*].id'))]",
                        "equals": false
                      }
                    },
                    "greaterOrEquals": 2
                  },
                  {
                    "field": "Microsoft.Network/virtualNetworks/subnets[*].routeTable",
                    "exists": false
                  },
                  {
                    "not": {
                      "anyOf": [
                        {
                          "field": "Microsoft.Network/virtualNetworks/subnets[*].name",
                          "equals": "AzureBastionSubnet"
                        },
                        {
                          "field": "Microsoft.Network/virtualNetworks/subnets[*].name",
                          "equals": "GatewaySubnet"
                        }
                      ]
                    }
                  }
                ]
              }
            },
            "greater": 0
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/azureFirewalls",
          "existenceCondition": {
            "count": {
              "field": "Microsoft.Network/azureFirewalls/ipConfigurations[*]",
              "where": {
                "field": "Microsoft.Network/azureFirewalls/ipConfigurations[*].subnet.id",
                "like": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/*/providers/Microsoft.Network/virtualNetworks/', first(split(field('fullName'), '/')), '/subnets/AzureFirewallSubnet')]"
              }
            },
            "equals": 1
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "fc5e4038-4584-4632-8c85-c0448d374b2c"
}
BuiltIn Network False True n/a n/a AuditIfNotExists false 0 n/a true 8 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "[Preview]: Audit Azure Spring Cloud instances where distributed tracing is not enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Distributed tracing tools in Azure Spring Cloud allow debugging and monitoring the complex interconnections between microservices in an application. Distributed tracing tools should be enabled and in a healthy state.",
    "metadata": {
      "version": "1.0.0-preview",
      "category": "App Platform",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.AppPlatform/Spring"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.AppPlatform/Spring/trace.enabled",
                "notEquals": "true"
              },
              {
                "field": "Microsoft.AppPlatform/Spring/trace.state",
                "notEquals": "Succeeded"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0f2d8593-4667-4932-acca-6a9f187af109",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0f2d8593-4667-4932-acca-6a9f187af109"
}
BuiltIn App Platform False True n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Preview]: Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-azure-arc.",
    "metadata": {
      "version": "2.0.0-preview",
      "category": "Kubernetes",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Kubernetes/connectedClusters"
          },
          {
            "field": "Microsoft.Kubernetes/connectedClusters/distribution",
            "in": [
              "generic",
              "openshift",
              "rancher_rke",
              "tkg"
            ]
          },
          {
            "field": "Microsoft.Kubernetes/connectedClusters/connectivityStatus",
            "equals": "connected"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.KubernetesConfiguration/extensions",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.KubernetesConfiguration/extensions/extensionType",
                "equals": "microsoft.azuredefender.kubernetes"
              },
              {
                "field": "Microsoft.KubernetesConfiguration/extensions/installState",
                "equals": "Installed"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/8dfab9c4-fe7b-49ad-85e4-1e9be085358f",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "8dfab9c4-fe7b-49ad-85e4-1e9be085358f"
}
BuiltIn Kubernetes False True n/a n/a AuditIfNotExists false 0 n/a true 5 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "[Preview]: Azure Data Factory integration runtime should have a limit for number of cores",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "To manage your resources and costs, limit the number of cores for an integration runtime.",
    "metadata": {
      "version": "1.0.0-preview",
      "category": "Data Factory",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "maxCores": {
        "type": "Integer",
        "metadata": {
          "displayName": "Allowed max number of cores",
          "description": "The max number of cores allowed for dataflow."
        },
        "defaultValue": 32
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DataFactory/factories/integrationRuntimes"
          },
          {
            "field": "Microsoft.DataFactory/factories/integrationruntimes/type",
            "equals": "Managed"
          },
          {
            "field": "Microsoft.DataFactory/factories/integrationRuntimes/Managed.typeProperties.computeProperties.dataFlowProperties.coreCount",
            "exists": "true"
          },
          {
            "field": "Microsoft.DataFactory/factories/integrationRuntimes/Managed.typeProperties.computeProperties.dataFlowProperties.coreCount",
            "greater": "[parameters('maxCores')]"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/85bb39b5-2f66-49f8-9306-77da3ac5130f",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "85bb39b5-2f66-49f8-9306-77da3ac5130f"
}
BuiltIn Data Factory False True n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Preview]: Azure Data Factory linked service resource type should be in allow list",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Define the allow list of Azure Data Factory linked service types. Restricting allowed resource types enables control over the boundary of data movement. For example, restrict a scope to only allow blob storage with Data Lake Storage Gen1 and Gen2 for analytics or a scope to only allow SQL and Kusto access for real-time queries.",
    "metadata": {
      "version": "1.0.0-preview",
      "category": "Data Factory",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "allowedLinkedServiceResourceTypes": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed linked service resource types",
          "description": "The list of allowed linked service resource types."
        },
        "allowedValues": [
          "AdlsGen2CosmosStructuredStream",
          "AdobeExperiencePlatform",
          "AdobeIntegration",
          "AmazonRedshift",
          "AmazonS3",
          "AzureBlobFS",
          "AzureBlobStorage",
          "AzureDataExplorer",
          "AzureDataLakeStore",
          "AzureDataLakeStoreCosmosStructuredStream",
          "AzureDataShare",
          "AzureFileStorage",
          "AzureKeyVault",
          "AzureMariaDB",
          "AzureMySql",
          "AzurePostgreSql",
          "AzureSearch",
          "AzureSqlDatabase",
          "AzureSqlDW",
          "AzureSqlMI",
          "AzureTableStorage",
          "Cassandra",
          "CommonDataServiceForApps",
          "CosmosDb",
          "CosmosDbMongoDbApi",
          "Db2",
          "DynamicsCrm",
          "FileServer",
          "FtpServer",
          "GitHub",
          "GoogleCloudStorage",
          "Hdfs",
          "Hive",
          "HttpServer",
          "Informix",
          "Kusto",
          "MicrosoftAccess",
          "MySql",
          "Netezza",
          "Odata",
          "Odbc",
          "Office365",
          "Oracle",
          "PostgreSql",
          "Salesforce",
          "SalesforceServiceCloud",
          "SapBw",
          "SapHana",
          "SapOpenHub",
          "SapTable",
          "Sftp",
          "SharePointOnlineList",
          "Snowflake",
          "SqlServer",
          "Sybase",
          "Teradata",
          "HDInsightOnDemand",
          "HDInsight",
          "AzureDataLakeAnalytics",
          "AzureBatch",
          "AzureFunction",
          "AzureML",
          "AzureMLService",
          "MongoDb",
          "GoogleBigQuery",
          "Impala",
          "ServiceNow",
          "Dynamics",
          "AzureDatabricks",
          "AmazonMWS",
          "SapCloudForCustomer",
          "SapEcc",
          "Web",
          "MongoDbAtlas",
          "HBase",
          "Spark",
          "Phoenix",
          "PayPal",
          "Marketo",
          "Responsys",
          "SalesforceMarketingCloud",
          "Presto",
          "Square",
          "Xero",
          "Jira",
          "Magento",
          "Shopify",
          "Concur",
          "Hubspot",
          "Zoho",
          "Eloqua",
          "QuickBooks",
          "Couchbase",
          "Drill",
          "Greenplum",
          "MariaDB",
          "Vertica",
          "MongoDbV2",
          "OracleServiceCloud",
          "GoogleAdWords",
          "RestService",
          "DynamicsAX",
          "AzureDataCatalog",
          "AzureDatabricksDeltaLake"
        ]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DataFactory/factories/linkedservices"
          },
          {
            "field": "Microsoft.DataFactory/factories/linkedservices/type",
            "notIn": "[parameters('allowedLinkedServiceResourceTypes')]"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/6809a3d0-d354-42fb-b955-783d207c62a8",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "6809a3d0-d354-42fb-b955-783d207c62a8"
}
BuiltIn Data Factory False True n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Preview]: Azure Data Factory linked services should use Key Vault for storing secrets",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "To ensure secrets (such as connection strings) are managed securely, require users to provide secrets using an Azure Key Vault instead of specifying them inline in linked services.",
    "metadata": {
      "version": "1.0.0-preview",
      "category": "Data Factory",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DataFactory/factories/linkedservices"
          },
          {
            "anyOf": [
              {
                "allOf": [
                  {
                    "field": "Microsoft.DataFactory/factories/linkedservices/typeProperties.connectionString",
                    "exists": "true"
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.DataFactory/factories/linkedservices/typeProperties.connectionString",
                        "contains": "AccountKey="
                      },
                      {
                        "field": "Microsoft.DataFactory/factories/linkedservices/typeProperties.connectionString",
                        "contains": "PWD="
                      },
                      {
                        "field": "Microsoft.DataFactory/factories/linkedservices/typeProperties.connectionString",
                        "contains": "Password="
                      },
                      {
                        "field": "Microsoft.DataFactory/factories/linkedservices/typeProperties.connectionString",
                        "contains": "CredString="
                      },
                      {
                        "field": "Microsoft.DataFactory/factories/linkedservices/typeProperties.connectionString",
                        "contains": "pwd="
                      }
                    ]
                  }
                ]
              },
              {
                "field": "Microsoft.DataFactory/factories/linkedservices/SqlServer.typeProperties.password.type",
                "equals": "SecureString"
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.DataFactory/factories/linkedservices/SqlServer.typeProperties.password",
                    "exists": "true"
                  },
                  {
                    "field": "Microsoft.DataFactory/factories/linkedservices/SqlServer.typeProperties.password.type",
                    "exists": "false"
                  }
                ]
              },
              {
                "field": "Microsoft.DataFactory/factories/linkedservices/AzureSqlDW.typeProperties.servicePrincipalKey.type",
                "equals": "SecureString"
              },
              {
                "field": "Microsoft.DataFactory/factories/linkedservices/AzureSearch.typeProperties.key.type",
                "equals": "SecureString"
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.DataFactory/factories/linkedservices/AzureStorage.typeProperties.sasUri",
                    "exists": "true"
                  },
                  {
                    "field": "Microsoft.DataFactory/factories/linkedservices/AzureStorage.typeProperties.sasUri.type",
                    "notEquals": "AzureKeyVaultSecret"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.DataFactory/factories/linkedservices/AzureBlobStorage.typeProperties.servicePrincipalKey",
                    "exists": "true"
                  },
                  {
                    "field": "Microsoft.DataFactory/factories/linkedservices/AzureBlobStorage.typeProperties.servicePrincipalKey.type",
                    "notEquals": "AzureKeyVaultSecret"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.DataFactory/factories/linkedservices/AzureStorage.typeProperties.accountKey",
                    "exists": "true"
                  },
                  {
                    "field": "Microsoft.DataFactory/factories/linkedservices/CosmosDb.typeProperties.accountKey.type",
                    "notEquals": "AzureKeyVaultSecret"
                  }
                ]
              },
              {
                "field": "Microsoft.DataFactory/factories/linkedservices/typeProperties.encryptedCredential",
                "exists": "true"
              },
              {
                "field": "Microsoft.DataFactory/factories/linkedservices/AmazonMWS.typeProperties.mwsAuthToken.type",
                "equals": "SecureString"
              },
              {
                "field": "Microsoft.DataFactory/factories/linkedservices/AmazonMWS.typeProperties.secretKey.type",
                "equals": "SecureString"
              },
              {
                "field": "Microsoft.DataFactory/factories/linkedservices/AmazonS3.typeProperties.secretAccessKey.type",
                "equals": "SecureString"
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.DataFactory/factories/linkedservices/Dynamics.typeProperties.servicePrincipalCredential",
                    "exists": "true"
                  },
                  {
                    "field": "Microsoft.DataFactory/factories/linkedservices/Dynamics.typeProperties.servicePrincipalCredential.type",
                    "equals": "SecureString"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.DataFactory/factories/linkedservices/Hubspot.typeProperties.accessToken",
                    "exists": "true"
                  },
                  {
                    "field": "Microsoft.DataFactory/factories/linkedservices/Hubspot.typeProperties.accessToken.type",
                    "equals": "SecureString"
                  }
                ]
              },
              {
                "field": "Microsoft.DataFactory/factories/linkedservices/Odbc.typeProperties.credential.type",
                "equals": "SecureString"
              },
              {
                "field": "Microsoft.DataFactory/factories/linkedservices/GoogleAdWords.typeProperties.developerToken.type",
                "equals": "SecureString"
              },
              {
                "field": "Microsoft.DataFactory/factories/linkedservices/GoogleBigQuery.typeProperties.clientSecret.type",
                "equals": "SecureString"
              },
              {
                "field": "Microsoft.DataFactory/factories/linkedservices/GoogleBigQuery.typeProperties.refreshToken.type",
                "equals": "SecureString"
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.DataFactory/factories/linkedservices/type",
                    "in": [
                      "MongoDbAtlas",
                      "MongoDbV2"
                    ]
                  },
                  {
                    "field": "Microsoft.DataFactory/factories/linkedservices/typeProperties.connectionString.type",
                    "notEquals": "AzureKeyVaultSecret"
                  }
                ]
              },
              {
                "field": "Microsoft.DataFactory/factories/linkedservices/OData.typeProperties.servicePrincipalEmbeddedCert.type",
                "equals": "SecureString"
              },
              {
                "field": "Microsoft.DataFactory/factories/linkedservices/OData.typeProperties.servicePrincipalEmbeddedCertPassword.type",
                "equals": "SecureString"
              },
              {
                "field": "Microsoft.DataFactory/factories/linkedservices/Sftp.typeProperties.privateKeyContent.type",
                "equals": "SecureString"
              },
              {
                "field": "Microsoft.DataFactory/factories/linkedservices/Sftp.typeProperties.passPhrase.type",
                "equals": "SecureString"
              },
              {
                "field": "Microsoft.DataFactory/factories/linkedservices/Salesforce.typeProperties.securityToken.type",
                "equals": "SecureString"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/127ef6d7-242f-43b3-9eef-947faf1725d0",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "127ef6d7-242f-43b3-9eef-947faf1725d0"
}
BuiltIn Data Factory False True n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Preview]: Azure Data Factory linked services should use system-assigned managed identity authentication when it is supported",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Using system-assigned managed identity when communicating with data stores via linked services avoids the use of less secured credentials such as passwords or connection strings.",
    "metadata": {
      "version": "1.0.0-preview",
      "category": "Data Factory",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DataFactory/factories/linkedservices"
          },
          {
            "field": "Microsoft.DataFactory/factories/linkedservices/type",
            "in": [
              "AzureSqlDatabase",
              "AzureSqlMI",
              "AzureSqlDW",
              "AzureBlobFS",
              "AdlsGen2CosmosStructuredStream",
              "AzureDataLakeStore",
              "AzureDataLakeStoreCosmosStructuredStream",
              "AzureBlobStorage",
              "AzureDatabricks"
            ]
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.DataFactory/factories/linkedservices/typeProperties.connectionString",
                "contains": "User ID="
              },
              {
                "field": "Microsoft.DataFactory/factories/linkedservices/typeProperties.connectionString",
                "contains": "AccountKey="
              },
              {
                "field": "Microsoft.DataFactory/factories/linkedservices/AzureSqlDW.typeProperties.servicePrincipalKey",
                "exists": "true"
              },
              {
                "field": "Microsoft.DataFactory/factories/linkedservices/AzureStorage.typeProperties.accountKey",
                "exists": "true"
              },
              {
                "field": "Microsoft.DataFactory/factories/linkedservices/AzureStorage.typeProperties.sasUri",
                "exists": "true"
              },
              {
                "field": "Microsoft.DataFactory/factories/linkedservices/Hubspot.typeProperties.accessToken",
                "exists": "true"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/f78ccdb4-7bf4-4106-8647-270491d2978a",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "f78ccdb4-7bf4-4106-8647-270491d2978a"
}
BuiltIn Data Factory False True n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Preview]: Azure Data Factory should use a Git repository for source control",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Enable source control on data factories, to gain capabilities such as change tracking, collaboration, continuous integration, and deployment.",
    "metadata": {
      "version": "1.0.0-preview",
      "category": "Data Factory",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DataFactory/factories"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.DataFactory/factories/repoConfiguration.repositoryName",
                "exists": "false"
              },
              {
                "field": "Microsoft.DataFactory/factories/repoConfiguration.repositoryName",
                "equals": ""
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/77d40665-3120-4348-b539-3192ec808307",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "77d40665-3120-4348-b539-3192ec808307"
}
BuiltIn Data Factory False True n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Preview]: Azure Defender for DNS should be enabled",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center .",
    "metadata": {
      "version": "1.0.0-preview",
      "category": "Security Center",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/pricings",
          "name": "Dns",
          "existenceScope": "subscription",
          "existenceCondition": {
            "field": "Microsoft.Security/pricings/pricingTier",
            "equals": "Standard"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/bdc59948-5574-49b3-bb91-76b7c986428d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "bdc59948-5574-49b3-bb91-76b7c986428d"
}
BuiltIn Security Center False True n/a n/a AuditIfNotExists false 0 n/a true 5 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "[Preview]: Azure IoT Hub should use customer-managed key to encrypt data at rest",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Encryption of data at rest in IoT Hub with customer-managed key adds a second layer of encryption on top of the default service-managed keys, enables customer control of keys, custom rotation policies, and ability to manage access to data through key access control. Customer-managed keys must be configured during creation of IoT Hub. For more information on how to configure customer-managed keys, see https://aka.ms/iotcmk.",
    "metadata": {
      "version": "1.0.0-preview",
      "category": "Internet of Things",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The desired effect of the policy."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Devices/IotHubs"
          },
          {
            "count": {
              "field": "Microsoft.Devices/IotHubs/encryption.keyVaultProperties[*]",
              "where": {
                "allOf": [
                  {
                    "field": "Microsoft.Devices/IotHubs/encryption.keyVaultProperties[*].keyIdentifier",
                    "exists": "true"
                  },
                  {
                    "field": "Microsoft.Devices/IotHubs/encryption.keyVaultProperties[*].keyIdentifier",
                    "notequals": ""
                  }
                ]
              }
            },
            "lessOrEquals": 0
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/2d7e144b-159c-44fc-95c1-ac3dbf5e6e54",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "2d7e144b-159c-44fc-95c1-ac3dbf5e6e54"
}
BuiltIn Internet of Things False True n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Preview]: Azure Key Vault should disable public network access",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink.",
    "metadata": {
      "version": "2.0.0-preview",
      "category": "Key Vault",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault/vaults"
          },
          {
            "not": {
              "field": "Microsoft.KeyVault/vaults/createMode",
              "equals": "recover"
            }
          },
          {
            "field": "Microsoft.KeyVault/vaults/networkAcls.defaultAction",
            "notEquals": "Deny"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "55615ac9-af46-4a59-874e-391cc3dfb490"
}
BuiltIn Key Vault False True n/a n/a Audit false 0 n/a true 7 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "[Preview]: Azure Key Vaults should use private link",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink.",
    "metadata": {
      "version": "1.0.0-preview",
      "category": "Key Vault",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault/vaults"
          },
          {
            "count": {
              "field": "Microsoft.KeyVault/vaults/privateEndpointConnections[*]",
              "where": {
                "field": "Microsoft.KeyVault/vaults/privateEndpointConnections[*].privateLinkServiceConnectionState.status",
                "equals": "Approved"
              }
            },
            "less": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/a6abeaec-4d90-4a02-805f-6b26c4d3fbe9",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "a6abeaec-4d90-4a02-805f-6b26c4d3fbe9"
}
BuiltIn Key Vault False True n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Preview]: Azure Recovery Services vaults should use customer-managed keys for encrypting backup data",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use customer-managed keys to manage the encryption at rest of your backup data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/AB-CmkEncryption.",
    "metadata": {
      "version": "1.0.0-preview",
      "preview": true,
      "category": "Backup"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "enableDoubleEncryption": {
        "type": "Boolean",
        "metadata": {
          "displayName": "Double encryption should be enabled on Recovery Services vaults for Backup",
          "description": "Check if double encryption is enabled on Recovery Services vaults for Backup.  For more details refer to https://aka.ms/AB-InfraEncryption."
        },
        "allowedValues": [
          true,
          false
        ],
        "defaultValue": false
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.RecoveryServices/vaults"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.RecoveryServices/vaults/encryption.keyVaultProperties.keyUri",
                "exists": "false"
              },
              {
                "allOf": [
                  {
                    "value": "[parameters('enableDoubleEncryption')]",
                    "equals": true
                  },
                  {
                    "field": "Microsoft.RecoveryServices/vaults/encryption.infrastructureEncryption",
                    "notEquals": "Enabled"
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/2e94d99a-8a36-4563-bc77-810d8893b671",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "2e94d99a-8a36-4563-bc77-810d8893b671"
}
BuiltIn Backup False True n/a n/a Audit false 0 n/a true 4 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "[Preview]: Azure Recovery Services vaults should use private link for backup",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Recovery Services vaults, data leakage risks are reduced. Learn more about private links at: https://aka.ms/AB-PrivateEndpoints.",
    "metadata": {
      "version": "2.0.0-preview",
      "preview": true,
      "category": "Backup"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.RecoveryServices/vaults"
          },
          {
            "count": {
              "field": "Microsoft.RecoveryServices/vaults/privateEndpointConnections[*]",
              "where": {
                "allOf": [
                  {
                    "field": "Microsoft.RecoveryServices/vaults/privateEndpointConnections[*].privateLinkServiceConnectionState.status",
                    "equals": "Approved"
                  },
                  {
                    "field": "Microsoft.RecoveryServices/vaults/privateEndpointConnections[*].provisioningState",
                    "equals": "Succeeded"
                  },
                  {
                    "field": "Microsoft.RecoveryServices/vaults/privateEndpointConnections[*].id",
                    "contains": ".backup"
                  }
                ]
              }
            },
            "less": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/deeddb44-9f94-4903-9fa0-081d524406e3",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "deeddb44-9f94-4903-9fa0-081d524406e3"
}
BuiltIn Backup False True n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Preview]: Certificates should be issued by the specified integrated certificate authority",
    "policyType": "BuiltIn",
    "mode": "Microsoft.KeyVault.Data",
    "description": "Manage your organizational compliance requirements by specifying the Azure integrated certificate authorities that can issue certificates in your key vault such as Digicert or GlobalSign.",
    "metadata": {
      "version": "2.0.0-preview",
      "category": "Key Vault",
      "preview": true
    },
    "parameters": {
      "allowedCAs": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed Azure Key Vault Supported CAs",
          "description": "The list of allowed certificate authorities supported by Azure Key Vault."
        },
        "allowedValues": [
          "DigiCert",
          "GlobalSign"
        ],
        "defaultValue": [
          "DigiCert",
          "GlobalSign"
        ]
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault.Data/vaults/certificates"
          },
          {
            "field": "Microsoft.KeyVault.Data/vaults/certificates/issuer.name",
            "notIn": "[parameters('allowedCAs')]"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "8e826246-c976-48f6-b03e-619bb92b3d82"
}
BuiltIn Key Vault False True n/a n/a audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Preview]: Certificates should be issued by the specified non-integrated certificate authority",
    "policyType": "BuiltIn",
    "mode": "Microsoft.KeyVault.Data",
    "description": "Manage your organizational compliance requirements by specifying the custom or internal certificate authorities that can issue certificates in your key vault.",
    "metadata": {
      "version": "2.0.0-preview",
      "category": "Key Vault",
      "preview": true
    },
    "parameters": {
      "caCommonName": {
        "type": "String",
        "metadata": {
          "displayName": "The common name of the certificate authority",
          "description": "The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault.Data/vaults/certificates"
          },
          {
            "field": "Microsoft.KeyVault.Data/vaults/certificates/issuer.commonName",
            "notContains": "[parameters('caCommonName')]"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "a22f4a40-01d3-4c7d-8071-da157eeff341"
}
BuiltIn Key Vault False True n/a n/a audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Preview]: Certificates should have the specified lifetime action triggers",
    "policyType": "BuiltIn",
    "mode": "Microsoft.KeyVault.Data",
    "description": "Manage your organizational compliance requirements by specifying whether a certificate lifetime action is triggered at a specific percentage of its lifetime or at a certain number of days prior to its expiration.",
    "metadata": {
      "version": "2.0.0-preview",
      "category": "Key Vault",
      "preview": true
    },
    "parameters": {
      "maximumPercentageLife": {
        "type": "Integer",
        "metadata": {
          "displayName": "The maximum lifetime percentage",
          "description": "Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'."
        }
      },
      "minimumDaysBeforeExpiry": {
        "type": "Integer",
        "metadata": {
          "displayName": "The minimum days before expiry",
          "description": "Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'."
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault.Data/vaults/certificates"
          },
          {
            "anyOf": [
              {
                "allOf": [
                  {
                    "field": "Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry",
                    "exists": true
                  },
                  {
                    "field": "Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry",
                    "less": "[parameters('minimumDaysBeforeExpiry')]"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage",
                    "exists": true
                  },
                  {
                    "field": "Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage",
                    "greater": "[parameters('maximumPercentageLife')]"
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "12ef42cb-9903-4e39-9c26-422d29570417"
}
BuiltIn Key Vault False True n/a n/a audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Preview]: Certificates should have the specified maximum validity period",
    "policyType": "BuiltIn",
    "mode": "Microsoft.KeyVault.Data",
    "description": "Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault.",
    "metadata": {
      "version": "2.1.0-preview",
      "category": "Key Vault",
      "preview": true
    },
    "parameters": {
      "maximumValidityInMonths": {
        "type": "Integer",
        "metadata": {
          "displayName": "The maximum validity in months",
          "description": "The limit to how long a certificate may be valid for. Certificates with lengthy validity periods aren't best practice."
        },
        "defaultValue": 12
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault.Data/vaults/certificates"
          },
          {
            "field": "Microsoft.KeyVault.Data/vaults/certificates/properties.validityInMonths",
            "greater": "[parameters('maximumValidityInMonths')]"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0a075868-4c26-42ef-914c-5bc007359560"
}
BuiltIn Key Vault False True n/a n/a audit false 0 n/a true 5 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "[Preview]: Certificates should not expire within the specified number of days",
    "policyType": "BuiltIn",
    "mode": "Microsoft.KeyVault.Data",
    "description": "Manage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration.",
    "metadata": {
      "version": "2.0.0-preview",
      "category": "Key Vault",
      "preview": true
    },
    "parameters": {
      "daysToExpire": {
        "type": "Integer",
        "metadata": {
          "displayName": "Days to expire",
          "description": "The number of days for a certificate to expire."
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault.Data/vaults/certificates"
          },
          {
            "field": "Microsoft.KeyVault.Data/vaults/certificates/attributes.expiresOn",
            "lessOrEquals": "[addDays(utcNow(), parameters('daysToExpire'))]"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "f772fb64-8e40-40ad-87bc-7706e1949427"
}
BuiltIn Key Vault False True n/a n/a audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Preview]: Certificates should use allowed key types",
    "policyType": "BuiltIn",
    "mode": "Microsoft.KeyVault.Data",
    "description": "Manage your organizational compliance requirements by restricting the key types allowed for certificates.",
    "metadata": {
      "version": "2.0.0-preview",
      "category": "Key Vault",
      "preview": true
    },
    "parameters": {
      "allowedKeyTypes": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed key types",
          "description": "The list of allowed certificate key types."
        },
        "allowedValues": [
          "RSA",
          "RSA-HSM",
          "EC",
          "EC-HSM"
        ],
        "defaultValue": [
          "RSA",
          "RSA-HSM"
        ]
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault.Data/vaults/certificates"
          },
          {
            "field": "Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType",
            "notIn": "[parameters('allowedKeyTypes')]"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "1151cede-290b-4ba0-8b38-0ad145ac888f"
}
BuiltIn Key Vault False True n/a n/a audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Preview]: Certificates using elliptic curve cryptography should have allowed curve names",
    "policyType": "BuiltIn",
    "mode": "Microsoft.KeyVault.Data",
    "description": "Manage the allowed elliptic curve names for ECC Certificates stored in key vault. More information can be found at https://aka.ms/akvpolicy.",
    "metadata": {
      "version": "2.0.0-preview",
      "category": "Key Vault",
      "preview": true
    },
    "parameters": {
      "allowedECNames": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed elliptic curve names",
          "description": "The list of allowed curve names for elliptic curve cryptography certificates."
        },
        "allowedValues": [
          "P-256",
          "P-256K",
          "P-384",
          "P-521"
        ],
        "defaultValue": [
          "P-256",
          "P-256K",
          "P-384",
          "P-521"
        ]
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault.Data/vaults/certificates"
          },
          {
            "field": "Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType",
            "in": [
              "EC",
              "EC-HSM"
            ]
          },
          {
            "field": "Microsoft.KeyVault.Data/vaults/certificates/keyProperties.ellipticCurveName",
            "notIn": "[parameters('allowedECNames')]"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "bd78111f-4953-4367-9fd5-7e08808b54bf"
}
BuiltIn Key Vault False True n/a n/a audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Preview]: Certificates using RSA cryptography should have the specified minimum key size",
    "policyType": "BuiltIn",
    "mode": "Microsoft.KeyVault.Data",
    "description": "Manage your organizational compliance requirements by specifying a minimum key size for RSA certificates stored in your key vault.",
    "metadata": {
      "version": "2.0.0-preview",
      "category": "Key Vault",
      "preview": true
    },
    "parameters": {
      "minimumRSAKeySize": {
        "type": "Integer",
        "metadata": {
          "displayName": "Minimum RSA key size",
          "description": "The minimum key size for RSA certificates."
        },
        "allowedValues": [
          2048,
          3072,
          4096
        ]
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault.Data/vaults/certificates"
          },
          {
            "field": "Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType",
            "in": [
              "RSA",
              "RSA-HSM"
            ]
          },
          {
            "field": "Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keySize",
            "less": "[parameters('minimumRSAKeySize')]"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "cee51871-e572-4576-855c-047c820360f0"
}
BuiltIn Key Vault False True n/a n/a audit false 0 n/a true 1 [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de) n/a
{
  "properties": {
    "displayName": "[Preview]: Configure allowed module authors for specified Azure Machine Learning computes",
    "policyType": "BuiltIn",
    "mode": "Microsoft.MachineLearningServices.Data",
    "description": "Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.",
    "metadata": {
      "version": "3.0.0-preview",
      "category": "Machine Learning",
      "preview": true
    },
    "parameters": {
      "computeNames": {
        "type": "Array",
        "metadata": {
          "displayName": "Compute names where Azure ML jobs run",
          "description": "List of compute names where this policy should be applied. Ex. cpu-cluster;gpu-cluster. If no value is provided to this parameter then policy is applicable to all computes."
        },
        "defaultValue": []
      },
      "computeType": {
        "type": "String",
        "metadata": {
          "displayName": "Compute type for the compute where Azure ML jobs run",
          "description": "Compute type name. If Any is selected, the policy is applicable to any compute types."
        },
        "allowedValues": [
          "MachineLearningCompute",
          "AzureDataFactory",
          "HDInsight",
          "Any"
        ],
        "defaultValue": "Any"
      },
      "isIsolatedNetwork": {
        "type": "String",
        "metadata": {
          "displayName": "Is the compute in isolated network",
          "description": "Only applicable for MachineLearningCompute type. \"Yes: apply the policy to computes in isolated network\". \"No: apply the policy to computes that are out of isolated network\". \"Any: apply the policy regardless of if the compute is in isolated network or not\". If compute type is not MachineLearningCompute, the value set for this parameter will be ignored."
        },
        "allowedValues": [
          "Yes",
          "No",
          "Any"
        ],
        "defaultValue": "Any"
      },
      "allowedModuleAuthors": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed module authors",
          "description": "List of allowed module authors."
        },
        "defaultValue": []
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy."
        },
        "allowedValues": [
          "enforceSetting",
          "disabled"
        ],
        "defaultValue": "enforceSetting"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "anyOf": [
              {
                "field": "Microsoft.MachineLearningServices.Data/workspaces/computeName",
                "in": "[parameters('computeNames')]"
              },
              {
                "value": "[length(parameters('computeNames'))]",
                "equals": 0
              }
            ]
          },
          {
            "anyOf": [
              {
                "value": "[parameters('computeType')]",
                "equals": "Any"
              },
              {
                "field": "Microsoft.MachineLearningServices.Data/workspaces/computeType",
                "equals": "[parameters('computeType')]"
              }
            ]
          },
          {
            "anyOf": [
              {
                "allOf": [
                  {
                    "field": "Microsoft.MachineLearningServices.Data/workspaces/computeType",
                    "equals": "MachineLearningCompute"
                  },
                  {
                    "anyOf": [
                      {
                        "value": "[parameters('isIsolatedNetwork')]",
                        "equals": "Any"
                      },
                      {
                        "field": "Microsoft.MachineLearningServices.Data/workspaces/isIsolatedNetwork",
                        "equals": "[parameters('isIsolatedNetwork')]"
                      }
                    ]
                  }
                ]
              },
              {
                "field": "Microsoft.MachineLearningServices.Data/workspaces/computeType",
                "notEquals": "MachineLearningCompute"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "setting": {
            "name": "allowedModuleAuthors",
            "value": "[parameters('allowedModuleAuthors')]"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/53c70b02-63dd-11ea-bc55-0242ac130003",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "53c70b02-63dd-11ea-bc55-0242ac130003"
}
BuiltIn Machine Learning False True n/a n/a enforceSetting false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Preview]: Configure allowed Python packages for specified Azure Machine Learning computes",
    "policyType": "BuiltIn",
    "mode": "Microsoft.MachineLearningServices.Data",
    "description": "Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.",
    "metadata": {
      "version": "3.0.0-preview",
      "category": "Machine Learning",
      "preview": true
    },
    "parameters": {
      "computeNames": {
        "type": "Array",
        "metadata": {
          "displayName": "Compute names where Azure ML jobs run",
          "description": "List of compute names where this policy should be applied. Ex. cpu-cluster;gpu-cluster. If no value is provided to this parameter then policy is applicable to all computes."
        },
        "defaultValue": []
      },
      "computeType": {
        "type": "String",
        "metadata": {
          "displayName": "Compute type for the compute where Azure ML jobs run",
          "description": "Compute type name. If Any is selected, the policy is applicable to any compute types."
        },
        "allowedValues": [
          "MachineLearningCompute",
          "Any"
        ],
        "defaultValue": "Any"
      },
      "isIsolatedNetwork": {
        "type": "String",
        "metadata": {
          "displayName": "Is the compute in isolated network",
          "description": "Only applicable for MachineLearningCompute type. \"Yes: apply the policy to computes in isolated network\". \"No: apply the policy to computes that are out of isolated network\". \"Any: apply the policy regardless of if the compute is in isolated network or not\"."
        },
        "allowedValues": [
          "Yes",
          "No",
          "Any"
        ],
        "defaultValue": "Any"
      },
      "allowedPythonPackageChannels": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed Python package indexes",
          "description": "List of allowed Python package indexes. Ex. http://somepythonindex.org "
        },
        "defaultValue": []
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy."
        },
        "allowedValues": [
          "enforceSetting",
          "disabled"
        ],
        "defaultValue": "enforceSetting"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "anyOf": [
              {
                "field": "Microsoft.MachineLearningServices.Data/workspaces/computeName",
                "in": "[parameters('computeNames')]"
              },
              {
                "value": "[length(parameters('computeNames'))]",
                "equals": 0
              }
            ]
          },
          {
            "anyOf": [
              {
                "value": "[parameters('computeType')]",
                "equals": "Any"
              },
              {
                "field": "Microsoft.MachineLearningServices.Data/workspaces/computeType",
                "equals": "[parameters('computeType')]"
              }
            ]
          },
          {
            "anyOf": [
              {
                "allOf": [
                  {
                    "field": "Microsoft.MachineLearningServices.Data/workspaces/computeType",
                    "equals": "MachineLearningCompute"
                  },
                  {
                    "anyOf": [
                      {
                        "value": "[parameters('isIsolatedNetwork')]",
                        "equals": "Any"
                      },
                      {
                        "field": "Microsoft.MachineLearningServices.Data/workspaces/isIsolatedNetwork",
                        "equals": "[parameters('isIsolatedNetwork')]"
                      }
                    ]
                  }
                ]
              },
              {
                "field": "Microsoft.MachineLearningServices.Data/workspaces/computeType",
                "notEquals": "MachineLearningCompute"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "setting": {
            "name": "allowedPythonPackageChannels",
            "value": "[parameters('allowedPythonPackageChannels')]"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/77eeea86-7e81-4a7d-9067-de844d096752",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "77eeea86-7e81-4a7d-9067-de844d096752"
}
BuiltIn Machine Learning False True n/a n/a enforceSetting false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Preview]: Configure allowed registries for specified Azure Machine Learning computes",
    "policyType": "BuiltIn",
    "mode": "Microsoft.MachineLearningServices.Data",
    "description": "Provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.",
    "metadata": {
      "version": "3.0.0-preview",
      "category": "Machine Learning",
      "preview": true
    },
    "parameters": {
      "computeNames": {
        "type": "Array",
        "metadata": {
          "displayName": "Compute names where Azure ML jobs run",
          "description": "List of compute names where this policy should be applied. Ex. cpu-cluster;gpu-cluster. If no value is provided to this parameter then policy is applicable to all computes."
        },
        "defaultValue": []
      },
      "computeType": {
        "type": "String",
        "metadata": {
          "displayName": "Compute type for the compute where Azure ML jobs run",
          "description": "Compute type name. If Any is selected, the policy is applicable to any compute types."
        },
        "allowedValues": [
          "MachineLearningCompute",
          "Any"
        ],
        "defaultValue": "Any"
      },
      "isIsolatedNetwork": {
        "type": "String",
        "metadata": {
          "displayName": "Is the compute in isolated network",
          "description": "Only applicable for MachineLearningCompute type. \"Yes: apply the policy to computes in isolated network\". \"No: apply the policy to computes that are out of isolated network\". \"Any: apply the policy regardless of if the compute is in isolated network or not\"."
        },
        "allowedValues": [
          "Yes",
          "No",
          "Any"
        ],
        "defaultValue": "Any"
      },
      "allowedACRs": {
        "type": "Array",
        "metadata": {
          "displayName": "Azure Container Registries",
          "description": "List of Azure Container Registries that can be used with Azure ML. Ex. amlrepo.azurecr.io;amlrepo.azurecr.io/foo"
        },
        "defaultValue": []
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy."
        },
        "allowedValues": [
          "enforceSetting",
          "disabled"
        ],
        "defaultValue": "enforceSetting"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "anyOf": [
              {
                "field": "Microsoft.MachineLearningServices.Data/workspaces/computeName",
                "in": "[parameters('computeNames')]"
              },
              {
                "value": "[length(parameters('computeNames'))]",
                "equals": 0
              }
            ]
          },
          {
            "anyOf": [
              {
                "value": "[parameters('computeType')]",
                "equals": "Any"
              },
              {
                "field": "Microsoft.MachineLearningServices.Data/workspaces/computeType",
                "equals": "[parameters('computeType')]"
              }
            ]
          },
          {
            "anyOf": [
              {
                "allOf": [
                  {
                    "field": "Microsoft.MachineLearningServices.Data/workspaces/computeType",
                    "equals": "MachineLearningCompute"
                  },
                  {
                    "anyOf": [
                      {
                        "value": "[parameters('isIsolatedNetwork')]",
                        "equals": "Any"
                      },
                      {
                        "field": "Microsoft.MachineLearningServices.Data/workspaces/isIsolatedNetwork",
                        "equals": "[parameters('isIsolatedNetwork')]"
                      }
                    ]
                  }
                ]
              },
              {
                "field": "Microsoft.MachineLearningServices.Data/workspaces/computeType",
                "notEquals": "MachineLearningCompute"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "setting": {
            "name": "allowedACRs",
            "value": "[parameters('allowedACRs')]"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/5853517a-63de-11ea-bc55-0242ac130003",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "5853517a-63de-11ea-bc55-0242ac130003"
}
BuiltIn Machine Learning False True n/a n/a enforceSetting false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes",
    "policyType": "BuiltIn",
    "mode": "Microsoft.MachineLearningServices.Data",
    "description": "Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes and can be assigned at the workspace. For more information. For more information, visit https://aka.ms/amlpolicydoc.",
    "metadata": {
      "version": "3.0.0-preview",
      "category": "Machine Learning",
      "preview": true
    },
    "parameters": {
      "computeNames": {
        "type": "Array",
        "metadata": {
          "displayName": "Compute names where Azure ML jobs run",
          "description": "List of compute names where this policy should be applied. Ex. cpu-cluster;gpu-cluster. If no value is provided to this parameter then policy is applicable to all computes."
        },
        "defaultValue": []
      },
      "computeType": {
        "type": "String",
        "metadata": {
          "displayName": "Compute type for the compute where Azure ML jobs run",
          "description": "Compute type name. If Any is selected, the policy is applicable to any compute types."
        },
        "allowedValues": [
          "MachineLearningCompute",
          "AzureDataFactory",
          "HDInsight",
          "Any"
        ],
        "defaultValue": "Any"
      },
      "isIsolatedNetwork": {
        "type": "String",
        "metadata": {
          "displayName": "Is the compute in isolated network",
          "description": "Only applicable for MachineLearningCompute type. \"Yes: apply the policy to computes in isolated network\". \"No: apply the policy to computes that are out of isolated network\". \"Any: apply the policy regardless of if the compute is in isolated network or not\". If compute type is not MachineLearningCompute, the value set for this parameter will be ignored."
        },
        "allowedValues": [
          "Yes",
          "No",
          "Any"
        ],
        "defaultValue": "Any"
      },
      "approvalEndpoint": {
        "type": "String",
        "metadata": {
          "displayName": "Approval endpoint",
          "description": "Approval endpoint that needs to be called before an Azure ML job is run. Ex. http://amlrunapproval/approve"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy."
        },
        "allowedValues": [
          "enforceSetting",
          "disabled"
        ],
        "defaultValue": "enforceSetting"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "anyOf": [
              {
                "field": "Microsoft.MachineLearningServices.Data/workspaces/computeName",
                "in": "[parameters('computeNames')]"
              },
              {
                "value": "[length(parameters('computeNames'))]",
                "equals": 0
              }
            ]
          },
          {
            "anyOf": [
              {
                "value": "[parameters('computeType')]",
                "equals": "Any"
              },
              {
                "field": "Microsoft.MachineLearningServices.Data/workspaces/computeType",
                "equals": "[parameters('computeType')]"
              }
            ]
          },
          {
            "anyOf": [
              {
                "allOf": [
                  {
                    "field": "Microsoft.MachineLearningServices.Data/workspaces/computeType",
                    "equals": "MachineLearningCompute"
                  },
                  {
                    "anyOf": [
                      {
                        "value": "[parameters('isIsolatedNetwork')]",
                        "equals": "Any"
                      },
                      {
                        "field": "Microsoft.MachineLearningServices.Data/workspaces/isIsolatedNetwork",
                        "equals": "[parameters('isIsolatedNetwork')]"
                      }
                    ]
                  }
                ]
              },
              {
                "field": "Microsoft.MachineLearningServices.Data/workspaces/computeType",
                "notEquals": "MachineLearningCompute"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "setting": {
            "name": "approvalEndpoint",
            "value": "[parameters('approvalEndpoint')]"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/3948394e-63de-11ea-bc55-0242ac130003",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "3948394e-63de-11ea-bc55-0242ac130003"
}
BuiltIn Machine Learning False True n/a n/a enforceSetting false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Preview]: Configure Azure Arc enabled Kubernetes clusters to install Azure Defender's extension",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-azure-arc.",
    "metadata": {
      "version": "1.0.0-preview",
      "category": "Kubernetes",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Kubernetes/connectedClusters"
          },
          {
            "field": "Microsoft.Kubernetes/connectedClusters/distribution",
            "in": [
              "generic",
              "openshift",
              "rancher_rke",
              "tkg"
            ]
          },
          {
            "field": "Microsoft.Kubernetes/connectedClusters/connectivityStatus",
            "equals": "connected"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.KubernetesConfiguration/extensions",
          "deploymentScope": "subscription",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.KubernetesConfiguration/extensions/extensionType",
                "equals": "microsoft.azuredefender.kubernetes"
              },
              {
                "field": "Microsoft.KubernetesConfiguration/extensions/installState",
                "equals": "Installed"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "location": "westeurope",
            "properties": {
              "mode": "incremental",
              "parameters": {
                "clusterRegion": {
                  "value": "[field('location')]"
                },
                "clusterResourceId": {
                  "value": "[field('id')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "clusterRegion": {
                    "type": "string"
                  },
                  "clusterResourceId": {
                    "type": "string"
                  }
                },
                "variables": {
                  "locationLongNameToShortMap": {
                    "australiacentral": "CAU",
                    "australiaeast": "EAU",
                    "australiasoutheast": "SEAU",
                    "brazilsouth": "CQ",
                    "canadacentral": "CCA",
                    "centralindia": "CIN",
                    "centralus": "CUS",
                    "eastasia": "EA",
                    "eastus": "EUS",
                    "eastus2": "EUS2",
                    "eastus2euap": "eus2p",
                    "germanywestcentral": "DEWC",
                    "francecentral": "PAR",
                    "japaneast": "EJP",
                    "koreacentral": "SE",
                    "northcentralus": "NCUS",
                    "northeurope": "NEU",
                    "norwayeast": "NOE",
                    "southafricanorth": "JNB",
                    "southcentralus": "SCUS",
                    "southeastasia": "SEA",
                    "swedencentral": "SEC",
                    "switzerlandnorth": "CHN",
                    "switzerlandwest": "CHW",
                    "uaenorth": "DXB",
                    "uksouth": "SUK",
                    "ukwest": "WUK",
                    "westcentralus": "WCUS",
                    "westeurope": "WEU",
                    "westus": "WUS",
                    "westus2": "WUS2",
                    "usgovvirginia": "USGV",
                    "usgovarizona": "USGA",
                    "usgovtexas": "USGT",
                    "chinaeast": "CNE",
                    "chinaeast2": "CNE2",
                    "chinawest": "CNW",
                    "chinawest2": "CNW2"
                  },
                  "locationCode": "[variables('locationLongNameToShortMap')[parameters('clusterRegion')]]",
                  "subscriptionId": "[subscription().subscriptionId]",
                  "defaultRGName": "[concat('DefaultResourceGroup-', variables('locationCode'))]",
                  "workspaceName": "[concat('DefaultWorkspace-', variables('subscriptionId'),'-', variables('locationCode'))]",
                  "deployDefaultAscResourceGroup": "[concat('deployDefaultAscResourceGroup-', uniqueString(deployment().name))]"
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/resourceGroups",
                    "name": "[variables('defaultRGName')]",
                    "apiVersion": "2019-05-01",
                    "location": "[parameters('clusterRegion')]"
                  },
                  {
                    "type": "Microsoft.Resources/deployments",
                    "name": "[variables('deployDefaultAscResourceGroup')]",
                    "apiVersion": "2020-06-01",
                    "resourceGroup": "[variables('defaultRGName')]",
                    "properties": {
                      "mode": "Incremental",
                      "expressionEvaluationOptions": {
                        "scope": "inner"
                      },
                      "parameters": {
                        "clusterRegion": {
                          "value": "[parameters('clusterRegion')]"
                        },
                        "workspaceName": {
                          "value": "[variables('workspaceName')]"
                        }
                      },
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "clusterRegion": {
                            "type": "string"
                          },
                          "workspaceName": {
                            "type": "string"
                          }
                        },
                        "variables": {},
                        "resources": [
                          {
                            "type": "Microsoft.OperationalInsights/workspaces",
                            "name": "[parameters('workspaceName')]",
                            "apiVersion": "2015-11-01-preview",
                            "location": "[parameters('clusterRegion')]",
                            "properties": {
                              "sku": {
                                "name": "pernode"
                              },
                              "retentionInDays": 30,
                              "features": {
                                "searchVersion": 1
                              }
                            }
                          }
                        ]
                      }
                    },
                    "dependsOn": [
                      "[resourceId('Microsoft.Resources/resourceGroups', variables('defaultRGName'))]"
                    ]
                  },
                  {
                    "type": "Microsoft.Resources/deployments",
                    "name": "[Concat('arc-k8s-defender-extension', '-',  uniqueString(parameters('clusterResourceId')))]",
                    "apiVersion": "2020-10-01",
                    "subscriptionId": "[variables('subscriptionId')]",
                    "resourceGroup": "[split(parameters('clusterResourceId'),'/')[4]]",
                    "properties": {
                      "mode": "Incremental",
                      "expressionEvaluationOptions": {
                        "scope": "inner"
                      },
                      "parameters": {
                        "workspaceResourceId": {
                          "value": "[concat('/subscriptions/', variables('subscriptionId'), '/resourcegroups/', variables('defaultRGName'), '/providers/Microsoft.OperationalInsights/workspaces/', variables('workspaceName'))]"
                        },
                        "clusterResourceId": {
                          "value": "[parameters('clusterResourceId')]"
                        },
                        "clusterRegion": {
                          "value": "[parameters('clusterRegion')]"
                        }
                      },
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "workspaceResourceId": {
                            "type": "string"
                          },
                          "clusterResourceId": {
                            "type": "string"
                          },
                          "clusterRegion": {
                            "type": "string"
                          }
                        },
                        "resources": [
                          {
                            "type": "Microsoft.KubernetesConfiguration/extensions",
                            "apiVersion": "2020-07-01-preview",
                            "name": "microsoft.azuredefender.kubernetes",
                            "location": "[parameters('clusterRegion')]",
                            "identity": {
                              "type": "systemassigned"
                            },
                            "properties": {
                              "extensionType": "microsoft.azuredefender.kubernetes",
                              "configurationSettings": {
                                "logAnalyticsWorkspaceResourceID": "[parameters('workspaceResourceId')]"
                              },
                              "configurationProtectedSettings": {
                                "omsagent.secret.wsid": "[reference(parameters('workspaceResourceId'), '2015-03-20').customerId]",
                                "omsagent.secret.key": "[listKeys(parameters('workspaceResourceId'), '2015-03-20').primarySharedKey]"
                              },
                              "autoUpgradeMinorVersion": true,
                              "releaseTrain": "Stable",
                              "scope": {
                                "Cluster": {
                                  "releaseNamespace": "azuredefender"
                                }
                              }
                            },
                            "scope": "[concat('Microsoft.Kubernetes/connectedClusters/', split(parameters('clusterResourceId'),'/')[8])]"
                          }
                        ]
                      }
                    },
                    "dependsOn": [
                      "[variables('deployDefaultAscResourceGroup')]"
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/708b60a6-d253-4fe0-9114-4be4c00f012c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "708b60a6-d253-4fe0-9114-4be4c00f012c"
}
BuiltIn Kubernetes False True n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "[Preview]: Configure Azure Defender for SQL agent on virtual machine",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Configure Windows machines to automatically install the Azure Defender for SQL agent where the Azure Monitor Agent is installed. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and Log Analytics workspace in the same region as the machine. Target virtual machines must be in a supported location.",
    "metadata": {
      "category": "Security Center",
      "version": "1.0.0-preview",
      "preview": true
    },
    "parameters": {
      "enableCollectionOfSqlQueriesForSecurityResearch": {
        "type": "Boolean",
        "metadata": {
          "displayName": "Enable collection of SQL queries for security research",
          "description": "Enable or disable the collection of SQL queries for security research."
        },
        "allowedValues": [
          true,
          false
        ],
        "defaultValue": true
      },
      "azureDefenderForSqlExtensionTypeToInstall": {
        "type": "String",
        "metadata": {
          "displayName": "Azure Defender For SQL extension type to install",
          "description": "The type of the Azure Defender For SQL extension needed to be installed."
        },
        "allowedValues": [
          "AdvancedThreatProtection.Windows",
          "VulnerabilityAssessment.Windows"
        ]
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines/extensions"
          },
          {
            "field": "location",
            "in": [
              "australiacentral",
              "australiaeast",
              "australiasoutheast",
              "brazilsouth",
              "canadacentral",
              "centralindia",
              "centralus",
              "eastasia",
              "eastus2euap",
              "eastus",
              "eastus2",
              "francecentral",
              "germanywestcentral",
              "japaneast",
              "koreacentral",
              "northcentralus",
              "northeurope",
              "norwayeast",
              "southcentralus",
              "southeastasia",
              "switzerlandnorth",
              "switzerlandwest",
              "southafricanorth",
              "swedencentral",
              "uaenorth",
              "uksouth",
              "ukwest",
              "westcentralus",
              "westeurope",
              "westus",
              "westus2"
            ]
          },
          {
            "field": "Microsoft.Compute/virtualMachines/extensions/type",
            "equals": "AzureMonitorWindowsAgent"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
            "equals": "Microsoft.Azure.Monitor"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Compute/virtualMachines/extensions",
          "name": "[concat(first(split(field('fullName'), '/')), '/Microsoft.Azure.AzureDefenderForSQL.', parameters('azureDefenderForSqlExtensionTypeToInstall'))]",
          "deploymentScope": "subscription",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/type",
                "equals": "[parameters('azureDefenderForSqlExtensionTypeToInstall')]"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                "equals": "Microsoft.Azure.AzureDefenderForSQL"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",
                "in": [
                  "Succeeded",
                  "Provisioning succeeded"
                ]
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "location": "eastus",
            "properties": {
              "mode": "incremental",
              "parameters": {
                "resourceGroup": {
                  "value": "[resourceGroup().name]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "vmName": {
                  "value": "[first(split(field('fullName'), '/'))]"
                },
                "enableCollectionOfSqlQueriesForSecurityResearch": {
                  "value": "[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]"
                },
                "azureDefenderForSqlExtensionTypeToInstall": {
                  "value": "[parameters('azureDefenderForSqlExtensionTypeToInstall')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceGroup": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "vmName": {
                    "type": "string"
                  },
                  "enableCollectionOfSqlQueriesForSecurityResearch": {
                    "type": "bool"
                  },
                  "azureDefenderForSqlExtensionTypeToInstall": {
                    "type": "string"
                  }
                },
                "variables": {
                  "locationLongNameToShortMap": {
                    "australiacentral": "CAU",
                    "australiaeast": "EAU",
                    "australiasoutheast": "SEAU",
                    "brazilsouth": "CQ",
                    "canadacentral": "CCA",
                    "centralindia": "CIN",
                    "centralus": "CUS",
                    "eastasia": "EA",
                    "eastus2euap": "eus2p",
                    "eastus": "EUS",
                    "eastus2": "EUS2",
                    "francecentral": "PAR",
                    "germanywestcentral": "DEWC",
                    "japaneast": "EJP",
                    "koreacentral": "SE",
                    "northcentralus": "NCUS",
                    "northeurope": "NEU",
                    "norwayeast": "NOE",
                    "southcentralus": "SCUS",
                    "southeastasia": "SEA",
                    "switzerlandnorth": "CHN",
                    "switzerlandwest": "CHW",
                    "southafricanorth": "JNB",
                    "swedencentral": "SEC",
                    "uaenorth": "DXB",
                    "uksouth": "SUK",
                    "ukwest": "WUK",
                    "westcentralus": "WCUS",
                    "westeurope": "WEU",
                    "westus": "WUS",
                    "westus2": "WUS2"
                  },
                  "locationCode": "[variables('locationLongNameToShortMap')[parameters('location')]]",
                  "subscriptionId": "[subscription().subscriptionId]",
                  "defaultRGName": "[concat('DefaultResourceGroup-', variables('locationCode'))]",
                  "defaultRGLocation": "[parameters('location')]",
                  "workspaceName": "[concat('defaultWorkspace-', variables('subscriptionId'),'-', variables('locationCode'))]",
                  "dcrName": "Microsoft-AzureDefenderForSQL",
                  "dcrId": "[concat('/subscriptions/', variables('subscriptionId'), '/resourceGroups/', variables('defaultRGName'), '/providers/Microsoft.Insights/dataCollectionRules/', variables('dcrName'))]",
                  "dcraName": "[concat(parameters('vmName'),'/Microsoft.Insights/AzureDefenderForSQL-RulesAssociation')]",
                  "deployAzureDefenderForSqlExtensions": "[concat('deployAzureDefenderForSqlExtensions-', uniqueString(deployment().name))]",
                  "deployDefaultAscResourceGroup": "[concat('deployDefaultAscResourceGroup-', uniqueString(deployment().name))]"
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/resourceGroups",
                    "name": "[variables('defaultRGName')]",
                    "apiVersion": "2020-10-01",
                    "location": "[variables('defaultRGLocation')]"
                  },
                  {
                    "type": "Microsoft.Resources/deployments",
                    "name": "[variables('deployDefaultAscResourceGroup')]",
                    "apiVersion": "2020-06-01",
                    "resourceGroup": "[variables('defaultRGName')]",
                    "dependsOn": [
                      "[resourceId('Microsoft.Resources/resourceGroups', variables('defaultRGName'))]"
                    ],
                    "properties": {
                      "mode": "Incremental",
                      "expressionEvaluationOptions": {
                        "scope": "inner"
                      },
                      "parameters": {
                        "defaultRGLocation": {
                          "value": "[variables('defaultRGLocation')]"
                        },
                        "workspaceName": {
                          "value": "[variables('workspaceName')]"
                        },
                        "dcrName": {
                          "value": "[variables('dcrName')]"
                        },
                        "enableCollectionOfSqlQueriesForSecurityResearch": {
                          "value": "[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]"
                        }
                      },
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "defaultRGLocation": {
                            "type": "string"
                          },
                          "workspaceName": {
                            "type": "string"
                          },
                          "dcrName": {
                            "type": "string"
                          },
                          "enableCollectionOfSqlQueriesForSecurityResearch": {
                            "type": "bool"
                          }
                        },
                        "variables": {},
                        "resources": [
                          {
                            "type": "Microsoft.OperationalInsights/workspaces",
                            "name": "[parameters('workspaceName')]",
                            "apiVersion": "2015-11-01-preview",
                            "location": "[parameters('defaultRGLocation')]",
                            "properties": {
                              "sku": {
                                "name": "pernode"
                              },
                              "retentionInDays": 30,
                              "features": {
                                "searchVersion": 1
                              }
                            }
                          },
                          {
                            "type": "Microsoft.Insights/dataCollectionRules",
                            "name": "[parameters('dcrName')]",
                            "apiVersion": "2019-11-01-preview",
                            "location": "[parameters('defaultRGLocation')]",
                            "dependsOn": [
                              "[parameters('workspaceName')]"
                            ],
                            "properties": {
                              "description": "Data collection rule for Azure Defender for SQL. Deleting this rule will break the detection of Azure Defender for SQL.",
                              "dataSources": {
                                "extensions": [
                                  {
                                    "streams": [
                                      "Microsoft-DefenderForSqlAlerts",
                                      "Microsoft-DefenderForSqlLogins",
                                      "Microsoft-DefenderForSqlTelemetry",
                                      "Microsoft-SqlAtpStatus-DefenderForSql"
                                    ],
                                    "extensionName": "AdvancedThreatProtection",
                                    "extensionSettings": {
                                      "enableCollectionOfSqlQueriesForSecurityResearch": "[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]"
                                    },
                                    "name": "AdvancedThreatProtection"
                                  },
                                  {
                                    "streams": [
                                      "Microsoft-DefenderForSqlScanEvents",
                                      "Microsoft-DefenderForSqlScanResults",
                                      "Microsoft-DefenderForSqlTelemetry"
                                    ],
                                    "extensionName": "VulnerabilityAssessment",
                                    "name": "VulnerabilityAssessment"
                                  }
                                ]
                              },
                              "destinations": {
                                "logAnalytics": [
                                  {
                                    "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]",
                                    "name": "LogAnalyticsDest"
                                  }
                                ]
                              },
                              "dataFlows": [
                                {
                                  "streams": [
                                    "Microsoft-DefenderForSqlAlerts",
                                    "Microsoft-DefenderForSqlLogins",
                                    "Microsoft-DefenderForSqlTelemetry",
                                    "Microsoft-DefenderForSqlScanEvents",
                                    "Microsoft-DefenderForSqlScanResults"
                                  ],
                                  "destinations": [
                                    "LogAnalyticsDest"
                                  ]
                                }
                              ]
                            }
                          }
                        ]
                      }
                    }
                  },
                  {
                    "type": "Microsoft.Resources/deployments",
                    "name": "[variables('deployAzureDefenderForSqlExtensions')]",
                    "apiVersion": "2020-06-01",
                    "resourceGroup": "[parameters('resourceGroup')]",
                    "dependsOn": [
                      "[variables('deployDefaultAscResourceGroup')]"
                    ],
                    "properties": {
                      "mode": "Incremental",
                      "expressionEvaluationOptions": {
                        "scope": "inner"
                      },
                      "parameters": {
                        "location": {
                          "value": "[parameters('location')]"
                        },
                        "dcrId": {
                          "value": "[variables('dcrId')]"
                        },
                        "dcraName": {
                          "value": "[variables('dcraName')]"
                        },
                        "vmName": {
                          "value": "[parameters('vmName')]"
                        },
                        "azureDefenderForSqlExtensionTypeToInstall": {
                          "value": "[parameters('azureDefenderForSqlExtensionTypeToInstall')]"
                        }
                      },
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "location": {
                            "type": "string"
                          },
                          "dcrId": {
                            "type": "string"
                          },
                          "dcraName": {
                            "type": "string"
                          },
                          "vmName": {
                            "type": "string"
                          },
                          "azureDefenderForSqlExtensionTypeToInstall": {
                            "type": "string"
                          }
                        },
                        "variables": {},
                        "resources": [
                          {
                            "type": "Microsoft.Compute/virtualMachines/providers/dataCollectionRuleAssociations",
                            "name": "[parameters('dcraName')]",
                            "apiVersion": "2019-11-01-preview",
                            "properties": {
                              "description": "Association of data collection rule for Azure Defender for SQL. Deleting this association will break the detection of Azure Defender for SQL for this virtual machine.",
                              "dataCollectionRuleId": "[parameters('dcrId')]"
                            }
                          },
                          {
                            "type": "Microsoft.Compute/virtualMachines/extensions",
                            "name": "[concat(parameters('vmName'), '/', 'Microsoft.Azure.AzureDefenderForSQL.', parameters('azureDefenderForSqlExtensionTypeToInstall'))]",
                            "apiVersion": "2020-12-01",
                            "location": "[parameters('location')]",
                            "properties": {
                              "publisher": "Microsoft.Azure.AzureDefenderForSQL",
                              "type": "[parameters('azureDefenderForSqlExtensionTypeToInstall')]",
                              "typeHandlerVersion": "1.0",
                              "autoUpgradeMinorVersion": true
                            }
                          }
                        ]
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/2ada9901-073c-444a-9a9a-91865174f0aa",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "2ada9901-073c-444a-9a9a-91865174f0aa"
}
BuiltIn Security Center False True n/a n/a DeployIfNotExists false 0 n/a true 2 [Preview]: Configure Azure Defender for SQL agents on virtual machines (/providers/microsoft.authorization/policysetdefinitions/39a366e6-fdde-4f41-bbf8-3757f46d1611), [Preview]: Configure Azure Defender for SQL agents on virtual machines (/providers/microsoft.authorization/policysetdefinitions/39a366e6-fdde-4f41-bbf8-3757f46d1611) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Preview]: Configure Azure Key Vaults to use private DNS zones",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to key vault. Learn more at: https://aka.ms/akvprivatelink.",
    "metadata": {
      "version": "1.0.0-preview",
      "category": "Key Vault",
      "preview": true
    },
    "parameters": {
      "privateDnsZoneId": {
        "type": "String",
        "metadata": {
          "displayName": "Private DNS Zone ID",
          "description": "A private DNS zone ID to connect to the private endpoint.",
          "strongType": "Microsoft.Network/privateDnsZones",
          "assignPermissions": true
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/privateEndpoints"
          },
          {
            "count": {
              "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
              "where": {
                "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                "equals": "vault"
              }
            },
            "greaterOrEquals": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "privateDnsZoneId": {
                    "type": "string"
                  },
                  "privateEndpointName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
                    "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
                    "apiVersion": "2020-03-01",
                    "location": "[parameters('location')]",
                    "properties": {
                      "privateDnsZoneConfigs": [
                        {
                          "name": "keyvault-privateDnsZone",
                          "properties": {
                            "privateDnsZoneId": "[parameters('privateDnsZoneId')]"
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "parameters": {
                "privateDnsZoneId": {
                  "value": "[parameters('privateDnsZoneId')]"
                },
                "privateEndpointName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ac673a9a-f77d-4846-b2d8-a57f8e1c01d4"
}
BuiltIn Key Vault False True n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7)
{
  "properties": {
    "displayName": "[Preview]: Configure Azure Key Vaults with private endpoints",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink.",
    "metadata": {
      "version": "1.0.0-preview",
      "category": "Key Vault",
      "preview": true
    },
    "parameters": {
      "privateEndpointSubnetId": {
        "type": "String",
        "metadata": {
          "displayName": "Private endpoint subnet id",
          "description": "A subnet with private endpoint network policies disabled.",
          "strongType": "Microsoft.Network/virtualNetworks/subnets"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.KeyVault/vaults"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.KeyVault/vaults/privateEndpointConnections",
          "existenceCondition": {
            "field": "Microsoft.KeyVault/vaults/privateEndpointConnections/privateLinkServiceConnectionState.status",
            "equals": "Approved"
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7",
            "/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "name": {
                  "value": "[field('name')]"
                },
                "serviceId": {
                  "value": "[field('id')]"
                },
                "privateEndpointSubnetId": {
                  "value": "[parameters('privateEndpointSubnetId')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "name": {
                    "type": "string"
                  },
                  "serviceId": {
                    "type": "string"
                  },
                  "privateEndpointSubnetId": {
                    "type": "string"
                  }
                },
                "variables": {
                  "privateEndpointName": "[concat('pe-',substring(parameters('name'),0,min(length(parameters('name')),50)),'-',uniquestring(deployment().name))]"
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/deployments",
                    "name": "[variables('privateEndpointName')]",
                    "apiVersion": "2020-06-01",
                    "properties": {
                      "mode": "Incremental",
                      "expressionEvaluationOptions": {
                        "scope": "inner"
                      },
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "serviceId": {
                            "type": "string"
                          },
                          "privateEndpointSubnetId": {
                            "type": "string"
                          },
                          "subnetLocation": {
                            "type": "string"
                          }
                        },
                        "variables": {
                          "privateEndpointName": "[deployment().name]"
                        },
                        "resources": [
                          {
                            "name": "[variables('privateEndpointName')]",
                            "type": "Microsoft.Network/privateEndpoints",
                            "apiVersion": "2020-07-01",
                            "location": "[parameters('subnetLocation')]",
                            "tags": {},
                            "properties": {
                              "subnet": {
                                "id": "[parameters('privateEndpointSubnetId')]"
                              },
                              "privateLinkServiceConnections": [
                                {
                                  "name": "[variables('privateEndpointName')]",
                                  "properties": {
                                    "privateLinkServiceId": "[parameters('serviceId')]",
                                    "groupIds": [
                                      "vault"
                                    ],
                                    "requestMessage": "autoapprove"
                                  }
                                }
                              ],
                              "manualPrivateLinkServiceConnections": []
                            }
                          }
                        ]
                      },
                      "parameters": {
                        "serviceId": {
                          "value": "[parameters('serviceId')]"
                        },
                        "privateEndpointSubnetId": {
                          "value": "[parameters('privateEndpointSubnetId')]"
                        },
                        "subnetLocation": {
                          "value": "[reference(first(take(split(parameters('privateEndpointSubnetId'),'/subnets'),1)),'2020-07-01','Full').location]"
                        }
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/9d4fad1f-5189-4a42-b29e-cf7929c6b6df",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "9d4fad1f-5189-4a42-b29e-cf7929c6b6df"
}
BuiltIn Key Vault False True n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7), 'Key Vault Contributor' (f25e0fa2-a7c8-4377-a976-54943a77a395)
{
  "properties": {
    "displayName": "[Preview]: Configure Azure Recovery Services vaults to use private DNS zones",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Recovery Services Vaults. Learn more at: https://aka.ms/privatednszone.",
    "metadata": {
      "version": "1.0.0-preview",
      "category": "Site Recovery",
      "preview": true
    },
    "parameters": {
      "privateDnsZoneId": {
        "type": "String",
        "metadata": {
          "displayName": "Private DNS zone Id for Azure Recovery vaults resources",
          "description": "The private DNS zone name required to resolve a private DNS Zone to recovery services vault private endpoint records.",
          "strongType": "Microsoft.Network/privateDnsZones"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/privateEndpoints"
          },
          {
            "count": {
              "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
              "where": {
                "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                "equals": "AzureSiteRecovery"
              }
            },
            "greaterOrEquals": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "privateDnsZoneId": {
                    "type": "string"
                  },
                  "privateEndpointName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
                    "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
                    "apiVersion": "2020-03-01",
                    "location": "[parameters('location')]",
                    "properties": {
                      "privateDnsZoneConfigs": [
                        {
                          "name": "privatelink-siterecovery",
                          "properties": {
                            "privateDnsZoneId": "[parameters('privateDnsZoneId')]"
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "parameters": {
                "privateDnsZoneId": {
                  "value": "[parameters('privateDnsZoneId')]"
                },
                "privateEndpointName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "942bd215-1a66-44be-af65-6a1c0318dbe2"
}
BuiltIn Site Recovery False True n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7)
{
  "properties": {
    "displayName": "[Preview]: Configure code signing for training code for specified Azure Machine Learning computes",
    "policyType": "BuiltIn",
    "mode": "Microsoft.MachineLearningServices.Data",
    "description": "Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.",
    "metadata": {
      "version": "3.1.0-preview",
      "category": "Machine Learning",
      "preview": true
    },
    "parameters": {
      "computeNames": {
        "type": "Array",
        "metadata": {
          "displayName": "Compute names where Azure Machine Learning jobs run",
          "description": "List of compute names where this policy should be applied. Example: 'cpu-cluster;gpu-cluster'. If no value is provided to this parameter, policy is applicable to all computes."
        },
        "defaultValue": []
      },
      "computeType": {
        "type": "String",
        "metadata": {
          "displayName": "Compute type for the compute where Azure ML jobs run",
          "description": "Compute type name. If Any is selected, the policy is applicable to any compute types."
        },
        "allowedValues": [
          "MachineLearningCompute",
          "AzureDataFactory",
          "HDInsight",
          "Any"
        ],
        "defaultValue": "Any"
      },
      "isIsolatedNetwork": {
        "type": "String",
        "metadata": {
          "displayName": "Is the compute in isolated network",
          "description": "Only applicable for MachineLearningCompute type. \"Yes: apply the policy to computes in isolated network\". \"No: apply the policy to computes that are out of isolated network\". \"Any: apply the policy regardless of if the compute is in isolated network or not\". If compute type is not MachineLearningCompute, the value set for this parameter will be ignored."
        },
        "allowedValues": [
          "Yes",
          "No",
          "Any"
        ],
        "defaultValue": "Any"
      },
      "signingKey": {
        "type": "String",
        "metadata": {
          "displayName": "PGP public key",
          "description": "Public key text in PGP public key format, with newline characters encoded as string literals \"\\r\" and \"\\n\"."
        }
      },
      "optionalSecondSigningKey": {
        "type": "String",
        "metadata": {
          "displayName": "Second PGP public key",
          "description": "Public key text in PGP public key format, with newline characters encoded as string literals \"\\r\" and \"\\n\". This is another allowed signing key that is used only for the special case of Aether module import into Azure Machine Learning."
        },
        "defaultValue": ""
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy."
        },
        "allowedValues": [
          "enforceSetting",
          "disabled"
        ],
        "defaultValue": "enforceSetting"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "anyOf": [
              {
                "field": "Microsoft.MachineLearningServices.Data/workspaces/computeName",
                "in": "[parameters('computeNames')]"
              },
              {
                "value": "[length(parameters('computeNames'))]",
                "equals": 0
              }
            ]
          },
          {
            "anyOf": [
              {
                "value": "[parameters('computeType')]",
                "equals": "Any"
              },
              {
                "field": "Microsoft.MachineLearningServices.Data/workspaces/computeType",
                "equals": "[parameters('computeType')]"
              }
            ]
          },
          {
            "anyOf": [
              {
                "allOf": [
                  {
                    "field": "Microsoft.MachineLearningServices.Data/workspaces/computeType",
                    "equals": "MachineLearningCompute"
                  },
                  {
                    "anyOf": [
                      {
                        "value": "[parameters('isIsolatedNetwork')]",
                        "equals": "Any"
                      },
                      {
                        "field": "Microsoft.MachineLearningServices.Data/workspaces/isIsolatedNetwork",
                        "equals": "[parameters('isIsolatedNetwork')]"
                      }
                    ]
                  }
                ]
              },
              {
                "field": "Microsoft.MachineLearningServices.Data/workspaces/computeType",
                "notEquals": "MachineLearningCompute"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "setting": {
            "name": "signingKeys",
            "value": "[createArray(parameters('signingKey'), parameters('optionalSecondSigningKey'))]"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/6a6f7384-63de-11ea-bc55-0242ac130003",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "6a6f7384-63de-11ea-bc55-0242ac130003"
}
BuiltIn Machine Learning False True n/a n/a enforceSetting false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Preview]: Configure key vaults to disable public network access",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink.",
    "metadata": {
      "version": "1.0.0-preview",
      "category": "Key Vault",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Modify",
          "Disabled"
        ],
        "defaultValue": "Modify"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault/vaults"
          },
          {
            "field": "Microsoft.KeyVault/vaults/networkAcls.defaultAction",
            "notEquals": "Deny"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "conflictEffect": "audit",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395"
          ],
          "operations": [
            {
              "operation": "addOrReplace",
              "field": "Microsoft.KeyVault/vaults/networkAcls.defaultAction",
              "value": "Deny"
            }
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ac673a9a-f77d-4846-b2d8-a57f8e1c01dc"
}
BuiltIn Key Vault False True n/a n/a Modify false 0 n/a false 0 n/a 'Key Vault Contributor' (f25e0fa2-a7c8-4377-a976-54943a77a395)
{
  "properties": {
    "displayName": "[Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes",
    "policyType": "BuiltIn",
    "mode": "Microsoft.MachineLearningServices.Data",
    "description": "Provide log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.",
    "metadata": {
      "version": "3.0.0-preview",
      "category": "Machine Learning",
      "preview": true
    },
    "parameters": {
      "computeNames": {
        "type": "Array",
        "metadata": {
          "displayName": "Compute names where Azure ML jobs run",
          "description": "List of compute names where this policy should be applied. Ex. cpu-cluster;gpu-cluster. If no value is provided to this parameter then policy is applicable to all computes."
        },
        "defaultValue": []
      },
      "computeType": {
        "type": "String",
        "metadata": {
          "displayName": "Compute type for the compute where Azure ML jobs run",
          "description": "Compute type name. If Any is selected, the policy is applicable to any compute types."
        },
        "allowedValues": [
          "MachineLearningCompute",
          "Any"
        ],
        "defaultValue": "Any"
      },
      "isIsolatedNetwork": {
        "type": "String",
        "metadata": {
          "displayName": "Is the compute in isolated network",
          "description": "Only applicable for MachineLearningCompute type. \"Yes: apply the policy to computes in isolated network\". \"No: apply the policy to computes that are out of isolated network\". \"Any: apply the policy regardless of if the compute is in isolated network or not\"."
        },
        "allowedValues": [
          "Yes",
          "No",
          "Any"
        ],
        "defaultValue": "Any"
      },
      "logFilters": {
        "type": "Array",
        "metadata": {
          "displayName": "Log filter expressions",
          "description": "List of log filter expressions used to filter logs. Ex. ^prefix1.*$"
        },
        "defaultValue": []
      },
      "datastore": {
        "type": "String",
        "metadata": {
          "displayName": "Datastore",
          "description": "Datastore used to store filtered logs. Ex. LogsDatastore which is configured in AML."
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy."
        },
        "allowedValues": [
          "enforceSetting",
          "disabled"
        ],
        "defaultValue": "enforceSetting"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "anyOf": [
              {
                "field": "Microsoft.MachineLearningServices.Data/workspaces/computeName",
                "in": "[parameters('computeNames')]"
              },
              {
                "value": "[length(parameters('computeNames'))]",
                "equals": 0
              }
            ]
          },
          {
            "anyOf": [
              {
                "value": "[parameters('computeType')]",
                "equals": "Any"
              },
              {
                "field": "Microsoft.MachineLearningServices.Data/workspaces/computeType",
                "equals": "[parameters('computeType')]"
              }
            ]
          },
          {
            "anyOf": [
              {
                "allOf": [
                  {
                    "field": "Microsoft.MachineLearningServices.Data/workspaces/computeType",
                    "equals": "MachineLearningCompute"
                  },
                  {
                    "anyOf": [
                      {
                        "value": "[parameters('isIsolatedNetwork')]",
                        "equals": "Any"
                      },
                      {
                        "field": "Microsoft.MachineLearningServices.Data/workspaces/isIsolatedNetwork",
                        "equals": "[parameters('isIsolatedNetwork')]"
                      }
                    ]
                  }
                ]
              },
              {
                "field": "Microsoft.MachineLearningServices.Data/workspaces/computeType",
                "notEquals": "MachineLearningCompute"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "setting": {
            "name": "logFilter",
            "value": {
              "filters": "[parameters('logFilters')]",
              "datastore": "[parameters('datastore')]"
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/1d413020-63de-11ea-bc55-0242ac130003",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "1d413020-63de-11ea-bc55-0242ac130003"
}
BuiltIn Machine Learning False True n/a n/a enforceSetting false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Preview]: Configure machines to automatically create the Azure Security Center pipeline for Azure Monitor Agent",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Configure machines to automatically create the Azure Security Center pipeline for Azure Monitor Agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine to store audit records. Target virtual machines must be in a supported location.",
    "metadata": {
      "category": "Security Center",
      "version": "1.0.0-preview",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "location",
            "in": [
              "australiacentral",
              "australiaeast",
              "australiasoutheast",
              "canadacentral",
              "centralindia",
              "centralus",
              "eastasia",
              "eastus2euap",
              "eastus",
              "eastus2",
              "francecentral",
              "germanywestcentral",
              "japaneast",
              "koreacentral",
              "northcentralus",
              "northeurope",
              "southafricanorth",
              "southcentralus",
              "southeastasia",
              "switzerlandnorth",
              "uksouth",
              "ukwest",
              "westcentralus",
              "westeurope",
              "westus",
              "westus2"
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/dataCollectionRuleAssociations",
          "name": "Security-RulesAssociation",
          "deploymentScope": "subscription",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "location": "eastus",
            "properties": {
              "mode": "incremental",
              "parameters": {
                "resourceGroup": {
                  "value": "[resourceGroup().name]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "vmName": {
                  "value": "[field('name')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceGroup": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "vmName": {
                    "type": "string"
                  }
                },
                "variables": {
                  "locationLongNameToShortMap": {
                    "australiacentral": "CAU",
                    "australiaeast": "EAU",
                    "australiasoutheast": "SEAU",
                    "brazilsouth": "CQ",
                    "canadacentral": "CCA",
                    "centralindia": "CIN",
                    "centralus": "CUS",
                    "eastasia": "EA",
                    "eastus2euap": "eus2p",
                    "eastus": "EUS",
                    "eastus2": "EUS2",
                    "francecentral": "PAR",
                    "germanywestcentral": "DEWC",
                    "japaneast": "EJP",
                    "koreacentral": "SE",
                    "northcentralus": "NCUS",
                    "northeurope": "NEU",
                    "norwayeast": "NOE",
                    "southcentralus": "SCUS",
                    "southeastasia": "SEA",
                    "switzerlandnorth": "CHN",
                    "switzerlandwest": "CHW",
                    "southafricanorth": "JNB",
                    "swedencentral": "SEC",
                    "uaenorth": "DXB",
                    "uksouth": "SUK",
                    "ukwest": "WUK",
                    "westcentralus": "WCUS",
                    "westeurope": "WEU",
                    "westus": "WUS",
                    "westus2": "WUS2"
                  },
                  "locationCode": "[variables('locationLongNameToShortMap')[parameters('location')]]",
                  "subscriptionId": "[subscription().subscriptionId]",
                  "defaultRGName": "[concat('DefaultResourceGroup-', variables('locationCode'))]",
                  "defaultRGLocation": "[parameters('location')]",
                  "workspaceName": "[concat('defaultWorkspace-', variables('subscriptionId'),'-', variables('locationCode'))]",
                  "dcrName": "[concat('Microsoft-Security-', variables('locationCode'), '-dcr')]",
                  "dcrId": "[concat('/subscriptions/', variables('subscriptionId'), '/resourceGroups/', variables('defaultRGName'), '/providers/Microsoft.Insights/dataCollectionRules/', variables('dcrName'))]",
                  "dcraName": "[concat(parameters('vmName'),'/Microsoft.Insights/Security-RulesAssociation')]",
                  "deployDefaultAscResourceGroup": "[concat('deployDefaultAscResourceGroup-', uniqueString(deployment().name))]",
                  "deployDataCollectionRulesAssociation": "[concat('deployDataCollectionRulesAssociation-', uniqueString(deployment().name))]"
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/resourceGroups",
                    "name": "[variables('defaultRGName')]",
                    "apiVersion": "2019-05-01",
                    "location": "[variables('defaultRGLocation')]"
                  },
                  {
                    "type": "Microsoft.Resources/deployments",
                    "name": "[variables('deployDefaultAscResourceGroup')]",
                    "apiVersion": "2020-06-01",
                    "resourceGroup": "[variables('defaultRGName')]",
                    "properties": {
                      "mode": "Incremental",
                      "expressionEvaluationOptions": {
                        "scope": "inner"
                      },
                      "parameters": {
                        "defaultRGLocation": {
                          "value": "[variables('defaultRGLocation')]"
                        },
                        "workspaceName": {
                          "value": "[variables('workspaceName')]"
                        },
                        "dcrName": {
                          "value": "[variables('dcrName')]"
                        }
                      },
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "defaultRGLocation": {
                            "type": "string"
                          },
                          "workspaceName": {
                            "type": "string"
                          },
                          "dcrName": {
                            "type": "string"
                          }
                        },
                        "variables": {
                          "securitySolution": {
                            "Name": "[Concat('Security', '(', parameters('workspaceName'), ')')]",
                            "GalleryName": "Security"
                          },
                          "securityCenterFreeSolution": {
                            "Name": "[Concat('SecurityCenterFree', '(', parameters('workspaceName'), ')')]",
                            "GalleryName": "SecurityCenterFree"
                          }
                        },
                        "resources": [
                          {
                            "type": "Microsoft.OperationalInsights/workspaces",
                            "name": "[parameters('workspaceName')]",
                            "apiVersion": "2015-11-01-preview",
                            "location": "[parameters('defaultRGLocation')]",
                            "properties": {
                              "sku": {
                                "name": "pernode"
                              },
                              "retentionInDays": 30,
                              "features": {
                                "searchVersion": 1
                              }
                            }
                          },
                          {
                            "type": "Microsoft.OperationsManagement/solutions",
                            "name": "[variables('securitySolution').Name]",
                            "apiVersion": "2015-11-01-preview",
                            "location": "[parameters('defaultRGLocation')]",
                            "dependsOn": [
                              "[parameters('workspaceName')]"
                            ],
                            "properties": {
                              "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
                            },
                            "plan": {
                              "name": "[variables('securitySolution').Name]",
                              "publisher": "Microsoft",
                              "product": "[Concat('OMSGallery/', variables('securitySolution').GalleryName)]",
                              "promotionCode": ""
                            }
                          },
                          {
                            "type": "Microsoft.OperationsManagement/solutions",
                            "name": "[variables('securityCenterFreeSolution').Name]",
                            "apiVersion": "2015-11-01-preview",
                            "location": "[parameters('defaultRGLocation')]",
                            "dependsOn": [
                              "[parameters('workspaceName')]"
                            ],
                            "properties": {
                              "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
                            },
                            "plan": {
                              "name": "[variables('securityCenterFreeSolution').Name]",
                              "publisher": "Microsoft",
                              "product": "[Concat('OMSGallery/', variables('securityCenterFreeSolution').GalleryName)]",
                              "promotionCode": ""
                            }
                          },
                          {
                            "type": "Microsoft.Insights/dataCollectionRules",
                            "name": "[parameters('dcrName')]",
                            "apiVersion": "2019-11-01-preview",
                            "location": "[parameters('defaultRGLocation')]",
                            "dependsOn": [
                              "[parameters('workspaceName')]"
                            ],
                            "properties": {
                              "description": "Data collection rule for Azure Security Center. Deleting this rule will break the detection of security vulnerabilities.",
                              "dataSources": {
                                "windowsEventLogs": [
                                  {
                                    "name": "RomeDetectionEventDataSource",
                                    "streams": [
                                      "Microsoft-RomeDetectionEvent"
                                    ],
                                    "scheduledTransferPeriod": "PT5M",
                                    "xPathQueries": [
                                      "Security!*",
                                      "Microsoft-Windows-AppLocker/EXE and DLL!*"
                                    ]
                                  }
                                ],
                                "syslog": [
                                  {
                                    "name": "SyslogDataSource",
                                    "streams": [
                                      "Microsoft-Syslog"
                                    ],
                                    "facilityNames": [
                                      "kern",
                                      "auth",
                                      "authpriv",
                                      "cron",
                                      "user",
                                      "daemon",
                                      "syslog",
                                      "local0"
                                    ],
                                    "logLevels": [
                                      "Debug",
                                      "Critical",
                                      "Emergency"
                                    ]
                                  }
                                ],
                                "extensions": [
                                  {
                                    "extensionName": "AzureSecurityLinuxAgent",
                                    "name": "AscLinuxDataSource",
                                    "streams": [
                                      "Microsoft-OperationLog",
                                      "Microsoft-SecurityBaseline",
                                      "Microsoft-SecurityBaselineSummary",
                                      "Microsoft-ProcessInvestigator",
                                      "Microsoft-Auditd",
                                      "Microsoft-ProtectionStatus",
                                      "Microsoft-Heartbeat"
                                    ],
                                    "extensionSettings": {
                                      "scanners": [
                                        {
                                          "name": "heartbeat",
                                          "frequency": "PT1H"
                                        },
                                        {
                                          "name": "time",
                                          "frequency": "PT8H"
                                        },
                                        {
                                          "name": "antimalware",
                                          "frequency": "PT8H"
                                        },
                                        {
                                          "name": "codeintegrity",
                                          "frequency": "P1D"
                                        },
                                        {
                                          "name": "processinvestigator",
                                          "frequency": "PT1H"
                                        },
                                        {
                                          "name": "baseline",
                                          "frequency": "P1D",
                                          "options": [
                                            {
                                              "name": "Baseline",
                                              "value": "Azure.Ubuntu"
                                            },
                                            {
                                              "name": "AscBaseline",
                                              "value": "OMS.Linux"
                                            }
                                          ]
                                        },
                                        {
                                          "name": "docker",
                                          "frequency": "P1D",
                                          "options": [
                                            {
                                              "name": "Baseline",
                                              "value": "Azure.Docker.Linux"
                                            },
                                            {
                                              "name": "AscBaseline",
                                              "value": "OMS.Docker.Linux"
                                            }
                                          ]
                                        }
                                      ]
                                    }
                                  },
                                  {
                                    "extensionName": "AzureSecurityWindowsAgent",
                                    "name": "AsaWindowsDataSource",
                                    "streams": [
                                      "Microsoft-OperationLog",
                                      "Microsoft-SecurityBaseline",
                                      "Microsoft-ProcessInvestigator",
                                      "Microsoft-ProtectionStatus",
                                      "Microsoft-SecurityBaselineSummary"
                                    ],
                                    "extensionSettings": {
                                      "scanners": [
                                        {
                                          "name": "heartbeat",
                                          "frequency": "PT1H"
                                        },
                                        {
                                          "name": "baseline",
                                          "frequency": "P1D"
                                        },
                                        {
                                          "name": "antimalware",
                                          "frequency": "P1D"
                                        },
                                        {
                                          "name": "processinvestigator",
                                          "frequency": "PT1H"
                                        }
                                      ]
                                    }
                                  }
                                ]
                              },
                              "destinations": {
                                "logAnalytics": [
                                  {
                                    "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]",
                                    "name": "LogAnalyticsDest"
                                  }
                                ]
                              },
                              "dataFlows": [
                                {
                                  "streams": [
                                    "Microsoft-Syslog",
                                    "Microsoft-OperationLog",
                                    "Microsoft-SecurityBaseline",
                                    "Microsoft-SecurityBaselineSummary",
                                    "Microsoft-RomeDetectionEvent",
                                    "Microsoft-ProcessInvestigator",
                                    "Microsoft-Auditd",
                                    "Microsoft-ProtectionStatus",
                                    "Microsoft-Heartbeat"
                                  ],
                                  "destinations": [
                                    "LogAnalyticsDest"
                                  ]
                                }
                              ]
                            }
                          }
                        ]
                      }
                    },
                    "dependsOn": [
                      "[resourceId('Microsoft.Resources/resourceGroups', variables('defaultRGName'))]"
                    ]
                  },
                  {
                    "type": "Microsoft.Resources/deployments",
                    "name": "[variables('deployDataCollectionRulesAssociation')]",
                    "apiVersion": "2020-06-01",
                    "resourceGroup": "[parameters('resourceGroup')]",
                    "dependsOn": [
                      "[variables('deployDefaultAscResourceGroup')]"
                    ],
                    "properties": {
                      "mode": "Incremental",
                      "expressionEvaluationOptions": {
                        "scope": "inner"
                      },
                      "parameters": {
                        "location": {
                          "value": "[parameters('location')]"
                        },
                        "vmName": {
                          "value": "[parameters('vmName')]"
                        },
                        "dcrId": {
                          "value": "[variables('dcrId')]"
                        },
                        "dcraName": {
                          "value": "[variables('dcraName')]"
                        }
                      },
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "location": {
                            "type": "string"
                          },
                          "vmName": {
                            "type": "string"
                          },
                          "dcrId": {
                            "type": "string"
                          },
                          "dcraName": {
                            "type": "string"
                          }
                        },
                        "variables": {},
                        "resources": [
                          {
                            "type": "Microsoft.Compute/virtualMachines/providers/dataCollectionRuleAssociations",
                            "name": "[parameters('dcraName')]",
                            "apiVersion": "2019-11-01-preview",
                            "properties": {
                              "description": "Association of data collection rule for Azure Security Center. Deleting this association will break the detection of security vulnerabilities for this virtual machine.",
                              "dataCollectionRuleId": "[parameters('dcrId')]"
                            }
                          }
                        ]
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28"
}
BuiltIn Security Center False True n/a n/a DeployIfNotExists false 0 n/a true 1 [Preview]: Configure machines to automatically install the Azure Monitor and Azure Security agents on virtual machines (/providers/microsoft.authorization/policysetdefinitions/a15f3269-2e10-458c-87a4-d5989e678a73) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Preview]: Configure machines to receive a vulnerability assessment agent",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment agent to all supported machines that don't already have it installed.",
    "metadata": {
      "category": "Security Center",
      "preview": true,
      "version": "2.1.0-preview"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "Microsoft.Compute/virtualMachines",
          "Microsoft.HybridCompute/machines"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "ffff0522-1e88-47fc-8382-2a80ba848f5d",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          },
          "deployment": {
            "properties": {
              "mode": "Incremental",
              "template": {
                "contentVersion": "1.0.0.0",
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "parameters": {
                  "vmName": {
                    "type": "String"
                  },
                  "resourceType": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('resourceType')), toLower('microsoft.compute/virtualmachines'))]",
                    "type": "Microsoft.Compute/virtualMachines/providers/serverVulnerabilityAssessments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.Security/default')]",
                    "apiVersion": "2020-01-01"
                  },
                  {
                    "condition": "[equals(toLower(parameters('resourceType')), toLower('microsoft.hybridcompute/machines'))]",
                    "type": "Microsoft.HybridCompute/machines/providers/serverVulnerabilityAssessments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.Security/default')]",
                    "apiVersion": "2020-01-01"
                  }
                ]
              },
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "resourceType": {
                  "value": "[field('type')]"
                }
              }
            }
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "13ce0167-8ca6-4048-8e6b-f996402e3c1b"
}
BuiltIn Security Center False True n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Security Admin' (fb1c8493-542b-48eb-b624-b4c8fea62acd)
{
  "properties": {
    "displayName": "[Preview]: Configure private endpoints on Azure Recovery Services vaults",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your site recovery resources of Recovery Services vaults, you can reduce data leakage risks. To use private links, managed service identity must be assigned to Recovery Services Vaults. Learn more about private links at: https://docs.microsoft.com/azure/site-recovery/azure-to-azure-how-to-enable-replication-private-endpoints.",
    "metadata": {
      "version": "1.0.0-preview",
      "category": "Site Recovery",
      "preview": true
    },
    "parameters": {
      "privateEndpointSubnetId": {
        "type": "String",
        "metadata": {
          "displayName": "Private endpoint subnet id",
          "description": "A subnet with private endpoint network policies disabled",
          "strongType": "Microsoft.Network/virtualNetworks/subnets"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.RecoveryServices/vaults"
          },
          {
            "field": "identity.type",
            "contains": "Assigned"
          },
          {
            "field": "Microsoft.RecoveryServices/vaults/privateEndpointStateForSiteRecovery",
            "equals": "None"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.RecoveryServices/vaults/privateEndpointConnections",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7",
            "/providers/Microsoft.Authorization/roleDefinitions/6670b86e-a3f7-4917-ac9b-5d6ab1be4567"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "name": {
                  "value": "[field('name')]"
                },
                "serviceId": {
                  "value": "[field('id')]"
                },
                "privateEndpointSubnetId": {
                  "value": "[parameters('privateEndpointSubnetId')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "name": {
                    "type": "string"
                  },
                  "serviceId": {
                    "type": "string"
                  },
                  "privateEndpointSubnetId": {
                    "type": "string"
                  }
                },
                "variables": {
                  "privateEndpointName": "[concat('pe-',substring(parameters('name'),0,min(length(parameters('name')),50)),'-',uniquestring(deployment().name))]"
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/deployments",
                    "name": "[variables('privateEndpointName')]",
                    "apiVersion": "2020-06-01",
                    "properties": {
                      "mode": "Incremental",
                      "expressionEvaluationOptions": {
                        "scope": "inner"
                      },
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "serviceId": {
                            "type": "string"
                          },
                          "privateEndpointSubnetId": {
                            "type": "string"
                          },
                          "subnetLocation": {
                            "type": "string"
                          }
                        },
                        "variables": {
                          "privateEndpointName": "[deployment().name]"
                        },
                        "resources": [
                          {
                            "name": "[concat(variables('privateEndpointName'))]",
                            "type": "Microsoft.Network/privateEndpoints",
                            "apiVersion": "2020-07-01",
                            "location": "[parameters('subnetLocation')]",
                            "tags": {},
                            "properties": {
                              "subnet": {
                                "id": "[parameters('privateEndpointSubnetId')]"
                              },
                              "privateLinkServiceConnections": [
                                {
                                  "name": "[concat(variables('privateEndpointName'))]",
                                  "properties": {
                                    "privateLinkServiceId": "[parameters('serviceId')]",
                                    "groupIds": [
                                      "AzureSiteRecovery"
                                    ],
                                    "requestMessage": "autoapprove"
                                  }
                                }
                              ],
                              "manualPrivateLinkServiceConnections": []
                            }
                          }
                        ]
                      },
                      "parameters": {
                        "serviceId": {
                          "value": "[parameters('serviceId')]"
                        },
                        "privateEndpointSubnetId": {
                          "value": "[parameters('privateEndpointSubnetId')]"
                        },
                        "subnetLocation": {
                          "value": "[reference(first(take(split(parameters('privateEndpointSubnetId'),'/subnets'),1)),'2020-07-01','Full').location]"
                        }
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e95a8a5c-0987-421f-84ab-df4d88ebf7d1",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e95a8a5c-0987-421f-84ab-df4d88ebf7d1"
}
BuiltIn Site Recovery False True n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7), 'Site Recovery Contributor' (6670b86e-a3f7-4917-ac9b-5d6ab1be4567)
{
  "properties": {
    "displayName": "[Preview]: Configure Recovery Services vaults to use private DNS zones for backup",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Recovery Services vault. Learn more at: https://aka.ms/AB-PrivateEndpoints.",
    "metadata": {
      "version": "1.0.1-preview",
      "preview": true,
      "category": "Backup"
    },
    "parameters": {
      "privateDnsZone-Backup": {
        "type": "String",
        "metadata": {
          "displayName": "Private DNS Zone ID for backup",
          "description": "Specifies private DNS Zone ID required to resolve DNS to private IP for the Azure Backup service.",
          "strongType": "Microsoft.Network/privateDnsZones",
          "assignPermissions": true
        }
      },
      "privateDnsZone-Blob": {
        "type": "String",
        "metadata": {
          "displayName": "Private DNS Zone ID for blobs",
          "description": "Specifies private DNS Zone ID required to resolve DNS to private IP for the Azure Blob service.",
          "strongType": "Microsoft.Network/privateDnsZones",
          "assignPermissions": true
        }
      },
      "privateDnsZone-Queue": {
        "type": "String",
        "metadata": {
          "displayName": "Private DNS Zone ID for queues",
          "description": "Specifies private DNS Zone ID required to resolve DNS to private IP for the Azure Queue service.",
          "strongType": "Microsoft.Network/privateDnsZones",
          "assignPermissions": true
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy."
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/privateEndpoints"
          },
          {
            "count": {
              "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]",
              "where": {
                "allOf": [
                  {
                    "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
                    "contains": "Microsoft.RecoveryServices/vaults"
                  },
                  {
                    "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                    "equals": "AzureBackup"
                  }
                ]
              }
            },
            "greaterOrEquals": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "privateDnsZone-Backup": {
                    "type": "string"
                  },
                  "privateDnsZone-Blob": {
                    "type": "string"
                  },
                  "privateDnsZone-Queue": {
                    "type": "string"
                  },
                  "privateEndpointName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
                    "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
                    "apiVersion": "2020-03-01",
                    "location": "[parameters('location')]",
                    "properties": {
                      "privateDnsZoneConfigs": [
                        {
                          "name": "privateDnsZone-Backup",
                          "properties": {
                            "privateDnsZoneId": "[parameters('privateDnsZone-Backup')]"
                          }
                        },
                        {
                          "name": "privateDnsZone-Blob",
                          "properties": {
                            "privateDnsZoneId": "[parameters('privateDnsZone-Blob')]"
                          }
                        },
                        {
                          "name": "privateDnsZone-Queue",
                          "properties": {
                            "privateDnsZoneId": "[parameters('privateDnsZone-Queue')]"
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "parameters": {
                "privateDnsZone-Backup": {
                  "value": "[parameters('privateDnsZone-Backup')]"
                },
                "privateDnsZone-Blob": {
                  "value": "[parameters('privateDnsZone-Blob')]"
                },
                "privateDnsZone-Queue": {
                  "value": "[parameters('privateDnsZone-Queue')]"
                },
                "privateEndpointName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "af783da1-4ad1-42be-800d-d19c70038820"
}
BuiltIn Backup False True n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7)
{
  "properties": {
    "displayName": "[Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Configure supported Linux virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation.",
    "metadata": {
      "category": "Security Center",
      "version": "1.0.0-preview",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachineScaleSets"
          },
          {
            "anyOf": [
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Canonical"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "UbuntuServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageSku",
                    "like": "18_04-lts-gen2"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Canonical"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "0001-com-ubuntu-server-focal"
                  },
                  {
                    "field": "Microsoft.Compute/imageSku",
                    "like": "20_04-lts-gen2"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "RedHat"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "RHEL"
                  },
                  {
                    "field": "Microsoft.Compute/imageSku",
                    "like": "83-gen2"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "SUSE"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "SLES-15-SP2"
                  },
                  {
                    "field": "Microsoft.Compute/imageSku",
                    "like": "gen2"
                  }
                ]
              }
            ]
          },
          {
            "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.securityProfile.uefiSettings",
            "exists": "true"
          },
          {
            "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.securityProfile.uefiSettings.vTpmEnabled",
            "equals": "true"
          },
          {
            "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.securityProfile.uefiSettings.secureBootEnabled",
            "equals": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Compute/virtualMachineScaleSets/extensions",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/publisher",
                "equals": "Microsoft.Azure.Security.LinuxAttestation"
              },
              {
                "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/type",
                "equals": "GuestAttestation"
              },
              {
                "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/provisioningState",
                "in": [
                  "Succeeded",
                  "Provisioning succeeded"
                ]
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmssName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              },
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmssName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "variables": {
                  "extensionName": "GuestAttestation",
                  "extensionPublisher": "Microsoft.Azure.Security.LinuxAttestation",
                  "extensionVersion": "1.0",
                  "maaTenantName": "GuestAttestation",
                  "ascReportingEndpoint": "https://eus2.service.attest.azure.net/",
                  "maaEndpoint": "https://sharedeus2.eus2.attest.azure.net/"
                },
                "resources": [
                  {
                    "type": "Microsoft.Compute/virtualMachineScaleSets/extensions",
                    "apiVersion": "2018-10-01",
                    "name": "[concat(parameters('vmssName'), '/', variables('extensionName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "[variables('extensionPublisher')]",
                      "type": "[variables('extensionName')]",
                      "typeHandlerVersion": "[variables('extensionVersion')]",
                      "autoUpgradeMinorVersion": true,
                      "settings": {
                        "AttestationConfig": {
                          "MaaSettings": {
                            "maaEndpoint": "[variables('maaEndpoint')]",
                            "maaTenantName": "[variables('maaTenantName')]"
                          },
                          "AscSettings": {
                            "ascReportingEndpoint": "[variables('ascReportingEndpoint')]",
                            "ascReportingFrequency": ""
                          },
                          "useCustomToken": "false",
                          "disableAlerts": "false"
                        }
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/57c2e3f0-98cf-4c3b-aa6b-e8f70726e74e",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "57c2e3f0-98cf-4c3b-aa6b-e8f70726e74e"
}
BuiltIn Security Center False True n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Virtual Machine Contributor' (9980e02c-c2be-4d73-94e8-173b1dc7cf3c)
{
  "properties": {
    "displayName": "[Preview]: Configure supported Linux virtual machines to automatically enable Secure Boot",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Configure supported Linux virtual machines to automatically enable Secure Boot to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run.",
    "metadata": {
      "category": "Security Center",
      "version": "1.0.0-preview",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "anyOf": [
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Canonical"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "UbuntuServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageSku",
                    "like": "18_04-lts-gen2"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Canonical"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "0001-com-ubuntu-server-focal"
                  },
                  {
                    "field": "Microsoft.Compute/imageSku",
                    "like": "20_04-lts-gen2"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "RedHat"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "RHEL"
                  },
                  {
                    "field": "Microsoft.Compute/imageSku",
                    "like": "83-gen2"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "SUSE"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "SLES-15-SP2"
                  },
                  {
                    "field": "Microsoft.Compute/imageSku",
                    "like": "gen2"
                  }
                ]
              }
            ]
          },
          {
            "field": "Microsoft.Compute/virtualMachines/securityProfile.uefiSettings",
            "exists": "true"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/securityProfile.uefiSettings.secureBootEnabled",
            "notEquals": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Compute/virtualMachines",
          "name": "[field('fullName')]",
          "existenceCondition": {
            "field": "Microsoft.Compute/virtualMachines/securityProfile.uefiSettings.secureBootEnabled",
            "equals": "true"
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              },
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]",
                    "type": "Microsoft.Compute/virtualMachines",
                    "apiVersion": "2020-12-01",
                    "properties": {
                      "securityProfile": {
                        "uefiSettings": {
                          "secureBootEnabled": "true"
                        },
                        "securityType": "TrustedLaunch"
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/95406fc3-1f69-47b0-8105-4c03b276ec5c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "95406fc3-1f69-47b0-8105-4c03b276ec5c"
}
BuiltIn Security Center False True n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Virtual Machine Contributor' (9980e02c-c2be-4d73-94e8-173b1dc7cf3c)
{
  "properties": {
    "displayName": "[Preview]: Configure supported Linux virtual machines to automatically install the Azure Security agent",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Configure supported Linux virtual machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location.",
    "metadata": {
      "category": "Security Center",
      "version": "3.0.0-preview",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "location",
            "in": [
              "australiacentral",
              "australiaeast",
              "australiasoutheast",
              "centralindia",
              "centralus",
              "eastasia",
              "eastus",
              "eastus2",
              "germanywestcentral",
              "japaneast",
              "northcentralus",
              "northeurope",
              "southcentralus",
              "southeastasia",
              "uksouth",
              "westcentralus",
              "westeurope",
              "westus",
              "westus2"
            ]
          },
          {
            "anyOf": [
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "RedHat"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "RHEL",
                      "RHEL-SAP-HANA"
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSku",
                        "like": "6.*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSku",
                        "like": "7*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "SUSE"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "SLES",
                      "SLES-HPC",
                      "SLES-HPC-Priority",
                      "SLES-SAP",
                      "SLES-SAP-BYOS",
                      "SLES-Priority",
                      "SLES-BYOS",
                      "SLES-SAPCAL",
                      "SLES-Standard"
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSku",
                        "like": "12*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Canonical"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "UbuntuServer"
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSku",
                        "like": "14.04*LTS"
                      },
                      {
                        "field": "Microsoft.Compute/imageSku",
                        "like": "16.04*LTS"
                      },
                      {
                        "field": "Microsoft.Compute/imageSku",
                        "like": "18.04*LTS"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Oracle"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Oracle-Linux"
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSku",
                        "like": "6.*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSku",
                        "like": "7.*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSku",
                        "like": "7*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "OpenLogic"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "CentOS",
                      "Centos-LVM",
                      "CentOS-SRIOV"
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSku",
                        "like": "6.*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSku",
                        "like": "7*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "cloudera"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "cloudera-centos-os"
                  },
                  {
                    "field": "Microsoft.Compute/imageSku",
                    "like": "7*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "credativ"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "debian"
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSku",
                        "like": "8"
                      },
                      {
                        "field": "Microsoft.Compute/imageSku",
                        "like": "9"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Debian"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "debian-10"
                    ]
                  },
                  {
                    "field": "Microsoft.Compute/imageSku",
                    "like": "10"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "anyOf": [
                      {
                        "allOf": [
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "equals": "Canonical"
                          },
                          {
                            "field": "Microsoft.Compute/imageOffer",
                            "equals": "UbuntuServer"
                          },
                          {
                            "field": "Microsoft.Compute/imageSku",
                            "like": "18_04-lts-gen2"
                          }
                        ]
                      },
                      {
                        "allOf": [
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "equals": "Canonical"
                          },
                          {
                            "field": "Microsoft.Compute/imageOffer",
                            "equals": "0001-com-ubuntu-server-focal"
                          },
                          {
                            "field": "Microsoft.Compute/imageSku",
                            "like": "20_04-lts-gen2"
                          }
                        ]
                      },
                      {
                        "allOf": [
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "equals": "RedHat"
                          },
                          {
                            "field": "Microsoft.Compute/imageOffer",
                            "equals": "RHEL"
                          },
                          {
                            "field": "Microsoft.Compute/imageSku",
                            "like": "83-gen2"
                          }
                        ]
                      },
                      {
                        "allOf": [
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "equals": "SUSE"
                          },
                          {
                            "field": "Microsoft.Compute/imageOffer",
                            "equals": "SLES-15-SP2"
                          },
                          {
                            "field": "Microsoft.Compute/imageSku",
                            "like": "gen2"
                          }
                        ]
                      }
                    ]
                  },
                  {
                    "field": "Microsoft.Compute/virtualMachines/securityProfile.uefiSettings",
                    "exists": "true"
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Compute/virtualMachines/extensions",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/type",
                "equals": "AzureSecurityLinuxAgent"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/Publisher",
                "equals": "Microsoft.Azure.Security.Monitoring"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",
                "in": [
                  "Succeeded",
                  "Provisioning succeeded"
                ]
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "location": {
                  "value": "[field('location')]"
                },
                "vmName": {
                  "value": "[field('name')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "location": {
                    "type": "string"
                  },
                  "vmName": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "name": "[concat(parameters('vmName'), '/', 'AzureSecurityLinuxAgent')]",
                    "apiVersion": "2019-03-01",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.Azure.Security.Monitoring",
                      "type": "AzureSecurityLinuxAgent",
                      "typeHandlerVersion": "2.0",
                      "autoUpgradeMinorVersion": "true",
                      "settings": {},
                      "protectedsettings": {}
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/5f8eb305-9c9f-4abe-9bb0-df220d9faba2",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "5f8eb305-9c9f-4abe-9bb0-df220d9faba2"
}
BuiltIn Security Center False True n/a n/a DeployIfNotExists false 0 n/a true 1 [Preview]: Configure machines to automatically install the Azure Monitor and Azure Security agents on virtual machines (/providers/microsoft.authorization/policysetdefinitions/a15f3269-2e10-458c-87a4-d5989e678a73) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Preview]: Configure supported Linux virtual machines to automatically install the Guest Attestation extension",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Configure supported Linux virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation.",
    "metadata": {
      "category": "Security Center",
      "version": "1.0.0-preview",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "anyOf": [
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Canonical"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "UbuntuServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageSku",
                    "like": "18_04-lts-gen2"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Canonical"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "0001-com-ubuntu-server-focal"
                  },
                  {
                    "field": "Microsoft.Compute/imageSku",
                    "like": "20_04-lts-gen2"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "RedHat"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "RHEL"
                  },
                  {
                    "field": "Microsoft.Compute/imageSku",
                    "like": "83-gen2"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "SUSE"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "SLES-15-SP2"
                  },
                  {
                    "field": "Microsoft.Compute/imageSku",
                    "like": "gen2"
                  }
                ]
              }
            ]
          },
          {
            "field": "Microsoft.Compute/virtualMachines/securityProfile.uefiSettings",
            "exists": "true"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/securityProfile.uefiSettings.vTpmEnabled",
            "equals": "true"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/securityProfile.uefiSettings.secureBootEnabled",
            "equals": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Compute/virtualMachines/extensions",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                "equals": "Microsoft.Azure.Security.LinuxAttestation"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/type",
                "equals": "GuestAttestation"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",
                "in": [
                  "Succeeded",
                  "Provisioning succeeded"
                ]
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              },
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "variables": {
                  "extensionName": "GuestAttestation",
                  "extensionPublisher": "Microsoft.Azure.Security.LinuxAttestation",
                  "extensionVersion": "1.0",
                  "maaTenantName": "GuestAttestation",
                  "ascReportingEndpoint": "https://eus2.service.attest.azure.net/",
                  "maaEndpoint": "https://sharedeus2.eus2.attest.azure.net/"
                },
                "resources": [
                  {
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "apiVersion": "2018-10-01",
                    "name": "[concat(parameters('vmName'), '/', variables('extensionName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "[variables('extensionPublisher')]",
                      "type": "[variables('extensionName')]",
                      "typeHandlerVersion": "[variables('extensionVersion')]",
                      "autoUpgradeMinorVersion": true,
                      "settings": {
                        "AttestationConfig": {
                          "MaaSettings": {
                            "maaEndpoint": "[variables('maaEndpoint')]",
                            "maaTenantName": "[variables('maaTenantName')]"
                          },
                          "AscSettings": {
                            "ascReportingEndpoint": "[variables('ascReportingEndpoint')]",
                            "ascReportingFrequency": ""
                          },
                          "useCustomToken": "false",
                          "disableAlerts": "false"
                        }
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/6074e9a3-c711-4856-976d-24d51f9e065b",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "6074e9a3-c711-4856-976d-24d51f9e065b"
}
BuiltIn Security Center False True n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Virtual Machine Contributor' (9980e02c-c2be-4d73-94e8-173b1dc7cf3c)
{
  "properties": {
    "displayName": "[Preview]: Configure supported virtual machines to automatically enable vTPM",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Configure supported virtual machines to automatically enable vTPM to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity.",
    "metadata": {
      "category": "Security Center",
      "version": "1.0.0-preview",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/securityProfile.uefiSettings",
            "exists": "true"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/securityProfile.uefiSettings.vTpmEnabled",
            "notEquals": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Compute/virtualMachines",
          "name": "[field('fullName')]",
          "existenceCondition": {
            "field": "Microsoft.Compute/virtualMachines/securityProfile.uefiSettings.vTpmEnabled",
            "equals": "true"
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              },
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]",
                    "type": "Microsoft.Compute/virtualMachines",
                    "apiVersion": "2020-12-01",
                    "properties": {
                      "securityProfile": {
                        "uefiSettings": {
                          "vTpmEnabled": "true"
                        },
                        "securityType": "TrustedLaunch"
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e494853f-93c3-4e44-9210-d12f61a64b34",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e494853f-93c3-4e44-9210-d12f61a64b34"
}
BuiltIn Security Center False True n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Virtual Machine Contributor' (9980e02c-c2be-4d73-94e8-173b1dc7cf3c)
{
  "properties": {
    "displayName": "[Preview]: Configure supported Windows machines to automatically install the Azure Security agent",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Configure supported Windows machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location.",
    "metadata": {
      "category": "Security Center",
      "version": "3.0.0-preview",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "location",
            "in": [
              "australiacentral",
              "australiaeast",
              "australiasoutheast",
              "centralindia",
              "centralus",
              "eastasia",
              "eastus2euap",
              "eastus",
              "eastus2",
              "germanywestcentral",
              "japaneast",
              "northcentralus",
              "northeurope",
              "southcentralus",
              "southeastasia",
              "uksouth",
              "westcentralus",
              "westeurope",
              "westus",
              "westus2"
            ]
          },
          {
            "anyOf": [
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "WindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "in": [
                      "2008-R2-SP1",
                      "2008-R2-SP1-smalldisk",
                      "2012-Datacenter",
                      "2012-Datacenter-smalldisk",
                      "2012-R2-Datacenter",
                      "2012-R2-Datacenter-smalldisk",
                      "2016-Datacenter",
                      "2016-Datacenter-Server-Core",
                      "2016-Datacenter-Server-Core-smalldisk",
                      "2016-Datacenter-smalldisk",
                      "2016-Datacenter-with-Containers",
                      "2016-Datacenter-with-RDSH",
                      "2019-Datacenter",
                      "2019-Datacenter-Core",
                      "2019-Datacenter-Core-smalldisk",
                      "2019-Datacenter-Core-with-Containers",
                      "2019-Datacenter-Core-with-Containers-smalldisk",
                      "2019-Datacenter-smalldisk",
                      "2019-Datacenter-with-Containers",
                      "2019-Datacenter-with-Containers-smalldisk",
                      "2019-Datacenter-zhcn"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "WindowsServerSemiAnnual"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "in": [
                      "Datacenter-Core-1709-smalldisk",
                      "Datacenter-Core-1709-with-Containers-smalldisk",
                      "Datacenter-Core-1803-with-Containers-smalldisk"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServerHPCPack"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "WindowsServerHPCPack"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftSQLServer"
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2019"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2019-BYOL"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2016"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2016-BYOL"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2012R2"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2012R2-BYOL"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftRServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "MLServer-WS2016"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftVisualStudio"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "VisualStudio",
                      "Windows"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftDynamicsAX"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Dynamics"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "equals": "Pre-Req-AX7-Onebox-U8"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "microsoft-ads"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "windows-data-science-vm"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsDesktop"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Windows-10"
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Compute/virtualMachines/extensions",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/type",
                "equals": "AzureSecurityWindowsAgent"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/Publisher",
                "equals": "Microsoft.Azure.Security.Monitoring"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",
                "in": [
                  "Succeeded",
                  "Provisioning succeeded"
                ]
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "location": {
                  "value": "[field('location')]"
                },
                "vmName": {
                  "value": "[field('name')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "location": {
                    "type": "string"
                  },
                  "vmName": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "name": "[concat(parameters('vmName'), '/', 'AzureSecurityWindowsAgent')]",
                    "apiVersion": "2019-03-01",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.Azure.Security.Monitoring",
                      "type": "AzureSecurityWindowsAgent",
                      "typeHandlerVersion": "1.0",
                      "autoUpgradeMinorVersion": "true",
                      "settings": {},
                      "protectedsettings": {}
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/1537496a-b1e8-482b-a06a-1cc2415cdc7b",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "1537496a-b1e8-482b-a06a-1cc2415cdc7b"
}
BuiltIn Security Center False True n/a n/a DeployIfNotExists false 0 n/a true 1 [Preview]: Configure machines to automatically install the Azure Monitor and Azure Security agents on virtual machines (/providers/microsoft.authorization/policysetdefinitions/a15f3269-2e10-458c-87a4-d5989e678a73) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "[Preview]: Configure supported Windows virtual machine scale sets to automatically install the Guest Attestation extension",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Configure supported Windows virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation.",
    "metadata": {
      "category": "Security Center",
      "version": "1.0.0-preview",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachineScaleSets"
          },
          {
            "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.storageProfile.imageReference.offer",
            "like": "windows*"
          },
          {
            "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.securityProfile.uefiSettings",
            "exists": "true"
          },
          {
            "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.securityProfile.uefiSettings.vTpmEnabled",
            "equals": "true"
          },
          {
            "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.securityProfile.uefiSettings.secureBootEnabled",
            "equals": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Compute/virtualMachineScaleSets/extensions",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/publisher",
                "equals": "Microsoft.Azure.Security.WindowsAttestation"
              },
              {
                "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/type",
                "equals": "GuestAttestation"
              },
              {
                "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/provisioningState",
                "in": [
                  "Succeeded",
                  "Provisioning succeeded"
                ]
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmssName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              },
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmssName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "variables": {
                  "extensionName": "GuestAttestation",
                  "extensionPublisher": "Microsoft.Azure.Security.WindowsAttestation",
                  "extensionVersion": "1.0",
                  "maaTenantName": "GuestAttestation",
                  "ascReportingEndpoint": "https://eus2.service.attest.azure.net/",
                  "maaEndpoint": "https://sharedeus2.eus2.attest.azure.net/"
                },
                "resources": [
                  {
                    "type": "Microsoft.Compute/virtualMachineScaleSets/extensions",
                    "apiVersion": "2018-10-01",
                    "name": "[concat(parameters('vmssName'), '/', variables('extensionName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "[variables('extensionPublisher')]",
                      "type": "[variables('extensionName')]",
                      "typeHandlerVersion": "[variables('extensionVersion')]",
                      "autoUpgradeMinorVersion": true,
                      "settings": {
                        "AttestationConfig": {
                          "MaaSettings": {
                            "maaEndpoint": "[variables('maaEndpoint')]",
                            "maaTenantName": "[variables('maaTenantName')]"
                          },
                          "AscSettings": {
                            "ascReportingEndpoint": "[variables('ascReportingEndpoint')]",
                            "ascReportingFrequency": ""
                          },
                          "useCustomToken": "false",
                          "disableAlerts": "false"
                        }
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c9b2ae08-09e2-4f0e-bb43-b60bf0135bdf",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c9b2ae08-09e2-4f0e-bb43-b60bf0135bdf"
}
BuiltIn Security Center False True n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Virtual Machine Contributor' (9980e02c-c2be-4d73-94e8-173b1dc7cf3c)
{
  "properties": {
    "displayName": "[Preview]: Configure supported Windows virtual machines to automatically enable Secure Boot",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Configure supported Windows virtual machines to automatically enable Secure Boot to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run.",
    "metadata": {
      "category": "Security Center",
      "version": "1.0.0-preview",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/storageProfile.imageReference.offer",
            "like": "windows*"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/securityProfile.uefiSettings",
            "exists": "true"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/securityProfile.uefiSettings.secureBootEnabled",
            "notEquals": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Compute/virtualMachines",
          "name": "[field('fullName')]",
          "existenceCondition": {
            "field": "Microsoft.Compute/virtualMachines/securityProfile.uefiSettings.secureBootEnabled",
            "equals": "true"
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              },
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[parameters('vmName')]",
                    "location": "[parameters('location')]",
                    "type": "Microsoft.Compute/virtualMachines",
                    "apiVersion": "2020-12-01",
                    "properties": {
                      "securityProfile": {
                        "uefiSettings": {
                          "secureBootEnabled": "true"
                        },
                        "securityType": "TrustedLaunch"
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/7cb1b219-61c6-47e0-b80c-4472cadeeb5f",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "7cb1b219-61c6-47e0-b80c-4472cadeeb5f"
}
BuiltIn Security Center False True n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Virtual Machine Contributor' (9980e02c-c2be-4d73-94e8-173b1dc7cf3c)
{
  "properties": {
    "displayName": "[Preview]: Configure supported Windows virtual machines to automatically install the Guest Attestation extension",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Configure supported Windows virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation.",
    "metadata": {
      "category": "Security Center",
      "version": "1.0.0-preview",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/storageProfile.imageReference.offer",
            "like": "windows*"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/securityProfile.uefiSettings",
            "exists": "true"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/securityProfile.uefiSettings.vTpmEnabled",
            "equals": "true"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/securityProfile.uefiSettings.secureBootEnabled",
            "equals": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Compute/virtualMachines/extensions",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                "equals": "Microsoft.Azure.Security.WindowsAttestation"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/type",
                "equals": "GuestAttestation"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",
                "in": [
                  "Succeeded",
                  "Provisioning succeeded"
                ]
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              },
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "variables": {
                  "extensionName": "GuestAttestation",
                  "extensionPublisher": "Microsoft.Azure.Security.WindowsAttestation",
                  "extensionVersion": "1.0",
                  "maaTenantName": "GuestAttestation",
                  "ascReportingEndpoint": "https://eus2.service.attest.azure.net/",
                  "maaEndpoint": "https://sharedeus2.eus2.attest.azure.net/"
                },
                "resources": [
                  {
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "apiVersion": "2018-10-01",
                    "name": "[concat(parameters('vmName'), '/', variables('extensionName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "[variables('extensionPublisher')]",
                      "type": "[variables('extensionName')]",
                      "typeHandlerVersion": "[variables('extensionVersion')]",
                      "autoUpgradeMinorVersion": true,
                      "settings": {
                        "AttestationConfig": {
                          "MaaSettings": {
                            "maaEndpoint": "[variables('maaEndpoint')]",
                            "maaTenantName": "[variables('maaTenantName')]"
                          },
                          "AscSettings": {
                            "ascReportingEndpoint": "[variables('ascReportingEndpoint')]",
                            "ascReportingFrequency": ""
                          },
                          "useCustomToken": "false",
                          "disableAlerts": "false"
                        }
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/98ea2fc7-6fc6-4fd1-9d8d-6331154da071",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "98ea2fc7-6fc6-4fd1-9d8d-6331154da071"
}
BuiltIn Security Center False True n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Virtual Machine Contributor' (9980e02c-c2be-4d73-94e8-173b1dc7cf3c)
{
  "properties": {
    "displayName": "[Preview]: Container Registry should use a virtual network service endpoint",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy audits any Container Registry not configured to use a virtual network service endpoint.",
    "metadata": {
      "version": "1.0.0-preview",
      "category": "Network",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ContainerRegistry/registries"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.ContainerRegistry/registries/networkRuleSet.defaultAction",
                "notEquals": "Deny"
              },
              {
                "field": "Microsoft.ContainerRegistry/registries/networkRuleSet.virtualNetworkRules[*].action",
                "exists": "false"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c4857be7-912a-4c75-87e6-e30292bcdf78",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c4857be7-912a-4c75-87e6-e30292bcdf78"
}
BuiltIn Network False True n/a n/a Audit false 0 n/a true 2 [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab) n/a
{
  "properties": {
    "displayName": "[Preview]: Guest Attestation extension should be installed on supported Linux virtual machines",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Install Guest Attestation extension on supported Linux virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled Linux virtual machines.",
    "metadata": {
      "category": "Security Center",
      "version": "1.0.0-preview",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "anyOf": [
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Canonical"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "UbuntuServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageSku",
                    "like": "18_04-lts-gen2"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Canonical"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "0001-com-ubuntu-server-focal"
                  },
                  {
                    "field": "Microsoft.Compute/imageSku",
                    "like": "20_04-lts-gen2"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "RedHat"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "RHEL"
                  },
                  {
                    "field": "Microsoft.Compute/imageSku",
                    "like": "83-gen2"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "SUSE"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "SLES-15-SP2"
                  },
                  {
                    "field": "Microsoft.Compute/imageSku",
                    "like": "gen2"
                  }
                ]
              }
            ]
          },
          {
            "field": "Microsoft.Compute/virtualMachines/securityProfile.uefiSettings",
            "exists": "true"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/securityProfile.uefiSettings.secureBootEnabled",
            "equals": "true"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/securityProfile.uefiSettings.vTpmEnabled",
            "equals": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Compute/virtualMachines/extensions",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                "equals": "Microsoft.Azure.Security.LinuxAttestation"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/type",
                "equals": "GuestAttestation"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",
                "in": [
                  "Succeeded",
                  "Provisioning succeeded"
                ]
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/672fe5a1-2fcd-42d7-b85d-902b6e28c6ff",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "672fe5a1-2fcd-42d7-b85d-902b6e28c6ff"
}
BuiltIn Security Center False True n/a n/a AuditIfNotExists false 0 n/a true 1 Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8) n/a
{
  "properties": {
    "displayName": "[Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Install Guest Attestation extension on supported Linux virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled Linux virtual machine scale sets.",
    "metadata": {
      "category": "Security Center",
      "version": "1.0.0-preview",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachineScaleSets"
          },
          {
            "anyOf": [
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Canonical"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "UbuntuServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageSku",
                    "like": "18_04-lts-gen2"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Canonical"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "0001-com-ubuntu-server-focal"
                  },
                  {
                    "field": "Microsoft.Compute/imageSku",
                    "like": "20_04-lts-gen2"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "RedHat"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "RHEL"
                  },
                  {
                    "field": "Microsoft.Compute/imageSku",
                    "like": "83-gen2"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "SUSE"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "SLES-15-SP2"
                  },
                  {
                    "field": "Microsoft.Compute/imageSku",
                    "like": "gen2"
                  }
                ]
              }
            ]
          },
          {
            "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.securityProfile.uefiSettings",
            "exists": "true"
          },
          {
            "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.securityProfile.uefiSettings.vTpmEnabled",
            "equals": "true"
          },
          {
            "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.securityProfile.uefiSettings.secureBootEnabled",
            "equals": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Compute/virtualMachineScaleSets/extensions",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/publisher",
                "equals": "Microsoft.Azure.Security.LinuxAttestation"
              },
              {
                "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/type",
                "equals": "GuestAttestation"
              },
              {
                "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/provisioningState",
                "in": [
                  "Succeeded",
                  "Provisioning succeeded"
                ]
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/a21f8c92-9e22-4f09-b759-50500d1d2dda",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "a21f8c92-9e22-4f09-b759-50500d1d2dda"
}
BuiltIn Security Center False True n/a n/a AuditIfNotExists false 0 n/a true 1 Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8) n/a
{
  "properties": {
    "displayName": "[Preview]: Guest Attestation extension should be installed on supported Windows virtual machines",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Install Guest Attestation extension on supported virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled virtual machines.",
    "metadata": {
      "category": "Security Center",
      "version": "1.0.0-preview",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/storageProfile.imageReference.offer",
            "like": "windows*"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/securityProfile.uefiSettings",
            "exists": "true"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/securityProfile.uefiSettings.secureBootEnabled",
            "equals": "true"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/securityProfile.uefiSettings.vTpmEnabled",
            "equals": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Compute/virtualMachines/extensions",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                "equals": "Microsoft.Azure.Security.WindowsAttestation"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/type",
                "equals": "GuestAttestation"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",
                "in": [
                  "Succeeded",
                  "Provisioning succeeded"
                ]
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/1cb4d9c2-f88f-4069-bee0-dba239a57b09",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "1cb4d9c2-f88f-4069-bee0-dba239a57b09"
}
BuiltIn Security Center False True n/a n/a AuditIfNotExists false 0 n/a true 1 Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8) n/a
{
  "properties": {
    "displayName": "[Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Install Guest Attestation extension on supported virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled virtual machine scale sets.",
    "metadata": {
      "category": "Security Center",
      "version": "1.0.0-preview",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachineScaleSets"
          },
          {
            "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.storageProfile.imageReference.offer",
            "like": "windows*"
          },
          {
            "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.securityProfile.uefiSettings",
            "exists": "true"
          },
          {
            "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.securityProfile.uefiSettings.vTpmEnabled",
            "equals": "true"
          },
          {
            "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.securityProfile.uefiSettings.secureBootEnabled",
            "equals": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Compute/virtualMachineScaleSets/extensions",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/publisher",
                "equals": "Microsoft.Azure.Security.WindowsAttestation"
              },
              {
                "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/type",
                "equals": "GuestAttestation"
              },
              {
                "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/provisioningState",
                "in": [
                  "Succeeded",
                  "Provisioning succeeded"
                ]
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/f655e522-adff-494d-95c2-52d4f6d56a42",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "f655e522-adff-494d-95c2-52d4f6d56a42"
}
BuiltIn Security Center False True n/a n/a AuditIfNotExists false 0 n/a true 1 Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8) n/a
{
  "properties": {
    "displayName": "[Preview]: IoT Hub device provisioning service data should be encrypted using customer-managed keys (CMK)",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use customer-managed keys to manage the encryption at rest of your IoT Hub device provisioning service. The data is automatically encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. Learn more about CMK encryption at https://aka.ms/dps/CMK.",
    "metadata": {
      "version": "1.0.0-preview",
      "category": "Internet of Things",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Devices/provisioningServices"
          },
          {
            "count": {
              "field": "Microsoft.Devices/provisioningServices/encryption.keyVaultProperties[*]",
              "where": {
                "allOf": [
                  {
                    "field": "Microsoft.Devices/provisioningServices/encryption.keyVaultProperties[*].keyIdentifier",
                    "exists": "true"
                  },
                  {
                    "field": "Microsoft.Devices/provisioningServices/encryption.keyVaultProperties[*].keyIdentifier",
                    "notequals": ""
                  }
                ]
              }
            },
            "less": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/47031206-ce96-41f8-861b-6a915f3de284",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "47031206-ce96-41f8-861b-6a915f3de284"
}
BuiltIn Internet of Things False True n/a n/a Audit false 0 n/a true 4 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "[Preview]: Key Vault keys should have an expiration date",
    "policyType": "BuiltIn",
    "mode": "Microsoft.KeyVault.Data",
    "description": "Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.",
    "metadata": {
      "version": "1.0.1-preview",
      "category": "Key Vault",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault.Data/vaults/keys"
          },
          {
            "field": "Microsoft.KeyVault.Data/vaults/keys/attributes.expiresOn",
            "exists": false
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0"
}
BuiltIn Key Vault False True n/a n/a Audit false 0 n/a true 8 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "[Preview]: Key Vault secrets should have an expiration date",
    "policyType": "BuiltIn",
    "mode": "Microsoft.KeyVault.Data",
    "description": "Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.",
    "metadata": {
      "version": "1.0.1-preview",
      "category": "Key Vault",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault.Data/vaults/secrets"
          },
          {
            "field": "Microsoft.KeyVault.Data/vaults/secrets/attributes.expiresOn",
            "exists": false
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "98728c90-32c7-4049-8429-847dc0f4fe37"
}
BuiltIn Key Vault False True n/a n/a Audit false 0 n/a true 7 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "[Preview]: Keys should be backed by a hardware security module (HSM)",
    "policyType": "BuiltIn",
    "mode": "Microsoft.KeyVault.Data",
    "description": "An HSM is a hardware security module that stores keys. An HSM provides a physical layer of protection for cryptographic keys. The cryptographic key cannot leave a physical HSM which provides a greater level of security than a software key.",
    "metadata": {
      "version": "1.0.0-preview",
      "category": "Key Vault",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault.Data/vaults/keys"
          },
          {
            "field": "Microsoft.KeyVault.Data/vaults/keys/keyType",
            "notIn": [
              "RSA-HSM",
              "EC-HSM"
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/587c79fe-dd04-4a5e-9d0b-f89598c7261b",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "587c79fe-dd04-4a5e-9d0b-f89598c7261b"
}
BuiltIn Key Vault False True n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Preview]: Keys should be the specified cryptographic type RSA or EC",
    "policyType": "BuiltIn",
    "mode": "Microsoft.KeyVault.Data",
    "description": "Some applications require the use of keys backed by a specific cryptographic type. Enforce a particular cryptographic key type, RSA or EC, in your environment.",
    "metadata": {
      "version": "1.0.0-preview",
      "category": "Key Vault",
      "preview": true
    },
    "parameters": {
      "allowedKeyTypes": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed key types",
          "description": "The list of allowed key types"
        },
        "allowedValues": [
          "RSA",
          "RSA-HSM",
          "EC",
          "EC-HSM"
        ],
        "defaultValue": [
          "RSA",
          "RSA-HSM",
          "EC",
          "EC-HSM"
        ]
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault.Data/vaults/keys"
          },
          {
            "field": "Microsoft.KeyVault.Data/vaults/keys/keyType",
            "notIn": "[parameters('allowedKeyTypes')]"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "75c4f823-d65c-4f29-a733-01d0077fdbcb"
}
BuiltIn Key Vault False True n/a n/a Audit false 0 n/a true 1 [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de) n/a
{
  "properties": {
    "displayName": "[Preview]: Keys should have more than the specified number of days before expiration",
    "policyType": "BuiltIn",
    "mode": "Microsoft.KeyVault.Data",
    "description": "If a key is too close to expiration, an organizational delay to rotate the key may result in an outage. Keys should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure.",
    "metadata": {
      "version": "1.0.0-preview",
      "category": "Key Vault",
      "preview": true
    },
    "parameters": {
      "minimumDaysBeforeExpiration": {
        "type": "Integer",
        "metadata": {
          "displayName": "The minimum days before expiration",
          "description": "Specify the minimum number of days that a key should remain usable prior to expiration."
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault.Data/vaults/keys"
          },
          {
            "field": "Microsoft.KeyVault.Data/vaults/keys/attributes.expiresOn",
            "exists": true
          },
          {
            "field": "Microsoft.KeyVault.Data/vaults/keys/attributes.expiresOn",
            "less": "[addDays(utcNow(), parameters('minimumDaysBeforeExpiration'))]"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "5ff38825-c5d8-47c5-b70e-069a21955146"
}
BuiltIn Key Vault False True n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Preview]: Keys should have the specified maximum validity period",
    "policyType": "BuiltIn",
    "mode": "Microsoft.KeyVault.Data",
    "description": "Manage your organizational compliance requirements by specifying the maximum amount of time in days that a key can be valid within your key vault.",
    "metadata": {
      "version": "1.0.0-preview",
      "category": "Key Vault",
      "preview": true
    },
    "parameters": {
      "maximumValidityInDays": {
        "type": "Integer",
        "metadata": {
          "displayName": "The maximum validity period in days",
          "description": "Specify the maximum number of days a key can be valid for. Keys should be ephemeral. Using a key with a long validity period is not recommended."
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault.Data/vaults/keys"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.KeyVault.Data/vaults/keys/attributes.expiresOn",
                "exists": false
              },
              {
                "field": "Microsoft.KeyVault.Data/vaults/keys/attributes.expiresOn",
                "greater": "[addDays(field('Microsoft.KeyVault.Data/vaults/keys/attributes.createdOn'), parameters('maximumValidityInDays'))]"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "49a22571-d204-4c91-a7b6-09b1a586fbc9"
}
BuiltIn Key Vault False True n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Preview]: Keys should not be active for longer than the specified number of days",
    "policyType": "BuiltIn",
    "mode": "Microsoft.KeyVault.Data",
    "description": "Specify the number of days that a key should be active. Keys that are used for an extended period of time increase the probability that an attacker could compromise the key. As a good security practice, make sure that your keys have not been active longer than two years.",
    "metadata": {
      "version": "1.0.0-preview",
      "category": "Key Vault",
      "preview": true
    },
    "parameters": {
      "maximumValidityInDays": {
        "type": "Integer",
        "metadata": {
          "displayName": "The maximum validity period in days",
          "description": "Specify the maximum number of days a key can be valid for after activation."
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault.Data/vaults/keys"
          },
          {
            "value": "[utcNow()]",
            "greater": "[addDays(if(empty(field('Microsoft.KeyVault.Data/vaults/keys/attributes.notBefore')), field('Microsoft.KeyVault.Data/vaults/keys/attributes.createdOn'), field('Microsoft.KeyVault.Data/vaults/keys/attributes.notBefore')), parameters('maximumValidityInDays'))]"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c26e4b24-cf98-4c67-b48b-5a25c4c69eb9"
}
BuiltIn Key Vault False True n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Preview]: Keys using elliptic curve cryptography should have the specified curve names",
    "policyType": "BuiltIn",
    "mode": "Microsoft.KeyVault.Data",
    "description": "Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment.",
    "metadata": {
      "version": "1.0.0-preview",
      "category": "Key Vault",
      "preview": true
    },
    "parameters": {
      "allowedECNames": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed elliptic curve names",
          "description": "The list of allowed curve names for elliptic curve cryptography certificates."
        },
        "allowedValues": [
          "P-256",
          "P-256K",
          "P-384",
          "P-521"
        ],
        "defaultValue": [
          "P-256",
          "P-256K",
          "P-384",
          "P-521"
        ]
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault.Data/vaults/keys"
          },
          {
            "field": "Microsoft.KeyVault.Data/vaults/keys/keyType",
            "in": [
              "EC",
              "EC-HSM"
            ]
          },
          {
            "field": "Microsoft.KeyVault.Data/vaults/keys/ellipticCurveName",
            "notIn": "[parameters('allowedECNames')]"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ff25f3c8-b739-4538-9d07-3d6d25cfb255"
}
BuiltIn Key Vault False True n/a n/a Audit false 0 n/a true 1 [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de) n/a
{
  "properties": {
    "displayName": "[Preview]: Keys using RSA cryptography should have a specified minimum key size",
    "policyType": "BuiltIn",
    "mode": "Microsoft.KeyVault.Data",
    "description": "Set the minimum allowed key size for use with your key vaults. Use of RSA keys with small key sizes is not a secure practice and doesn't meet many industry certification requirements.",
    "metadata": {
      "version": "1.0.0-preview",
      "category": "Key Vault",
      "preview": true
    },
    "parameters": {
      "minimumRSAKeySize": {
        "type": "Integer",
        "metadata": {
          "displayName": "Minimum RSA key size",
          "description": "The minimum key size for RSA keys."
        },
        "allowedValues": [
          2048,
          3072,
          4096
        ]
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault.Data/vaults/keys"
          },
          {
            "field": "Microsoft.KeyVault.Data/vaults/keys/keyType",
            "in": [
              "RSA",
              "RSA-HSM"
            ]
          },
          {
            "field": "Microsoft.KeyVault.Data/vaults/keys/keySize",
            "less": "[parameters('minimumRSAKeySize')]"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "82067dbb-e53b-4e06-b631-546d197452d9"
}
BuiltIn Key Vault False True n/a n/a Audit false 0 n/a true 1 [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de) n/a
{
  "properties": {
    "displayName": "[Preview]: Kubernetes clusters should disable automounting API credentials",
    "policyType": "BuiltIn",
    "mode": "Microsoft.Kubernetes.Data",
    "description": "Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc.",
    "metadata": {
      "version": "2.0.0-preview",
      "category": "Kubernetes",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Deny' blocks the non-compliant resource creation or update. 'Disabled' turns off the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedNamespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace exclusions",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "namespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace inclusions",
          "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
        },
        "defaultValue": []
      },
      "labelSelector": {
        "type": "Object",
        "metadata": {
          "displayName": "Kubernetes label selector",
          "description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
        },
        "defaultValue": {},
        "schema": {
          "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
          "type": "object",
          "properties": {
            "matchLabels": {
              "description": "matchLabels is a map of {key,value} pairs.",
              "type": "object",
              "additionalProperties": {
                "type": "string"
              },
              "minProperties": 1
            },
            "matchExpressions": {
              "description": "matchExpressions is a list of values, a key, and an operator.",
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "key": {
                    "description": "key is the label key that the selector applies to.",
                    "type": "string"
                  },
                  "operator": {
                    "description": "operator represents a key's relationship to a set of values.",
                    "type": "string",
                    "enum": [
                      "In",
                      "NotIn",
                      "Exists",
                      "DoesNotExist"
                    ]
                  },
                  "values": {
                    "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
                    "type": "array",
                    "items": {
                      "type": "string"
                    }
                  }
                },
                "required": [
                  "key",
                  "operator"
                ],
                "additionalProperties": false
              },
              "minItems": 1
            }
          },
          "additionalProperties": false
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "AKS Engine",
          "Microsoft.Kubernetes/connectedClusters",
          "Microsoft.ContainerService/managedClusters"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "constraintTemplate": "https://store.policy.core.windows.net/kubernetes/block-automount-token/v1/template.yaml",
          "constraint": "https://store.policy.core.windows.net/kubernetes/block-automount-token/v1/constraint.yaml",
          "excludedNamespaces": "[parameters('excludedNamespaces')]",
          "namespaces": "[parameters('namespaces')]",
          "labelSelector": "[parameters('labelSelector')]"
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/423dd1ba-798e-40e4-9c4d-b6902674b423",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "423dd1ba-798e-40e4-9c4d-b6902674b423"
}
BuiltIn Kubernetes False True n/a n/a audit false 0 n/a true 1 Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8) n/a
{
  "properties": {
    "displayName": "[Preview]: Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities",
    "policyType": "BuiltIn",
    "mode": "Microsoft.Kubernetes.Data",
    "description": "To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc.",
    "metadata": {
      "version": "2.1.0-preview",
      "category": "Kubernetes",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Deny' blocks the non-compliant resource creation or update. 'Disabled' turns off the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedNamespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace exclusions",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "namespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace inclusions",
          "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
        },
        "defaultValue": []
      },
      "labelSelector": {
        "type": "Object",
        "metadata": {
          "displayName": "Kubernetes label selector",
          "description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
        },
        "defaultValue": {},
        "schema": {
          "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
          "type": "object",
          "properties": {
            "matchLabels": {
              "description": "matchLabels is a map of {key,value} pairs.",
              "type": "object",
              "additionalProperties": {
                "type": "string"
              },
              "minProperties": 1
            },
            "matchExpressions": {
              "description": "matchExpressions is a list of values, a key, and an operator.",
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "key": {
                    "description": "key is the label key that the selector applies to.",
                    "type": "string"
                  },
                  "operator": {
                    "description": "operator represents a key's relationship to a set of values.",
                    "type": "string",
                    "enum": [
                      "In",
                      "NotIn",
                      "Exists",
                      "DoesNotExist"
                    ]
                  },
                  "values": {
                    "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
                    "type": "array",
                    "items": {
                      "type": "string"
                    }
                  }
                },
                "required": [
                  "key",
                  "operator"
                ],
                "additionalProperties": false
              },
              "minItems": 1
            }
          },
          "additionalProperties": false
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "AKS Engine",
          "Microsoft.Kubernetes/connectedClusters",
          "Microsoft.ContainerService/managedClusters"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "constraintTemplate": "https://store.policy.core.windows.net/kubernetes/container-disallowed-capabilities/v1/template.yaml",
          "constraint": "https://store.policy.core.windows.net/kubernetes/container-disallowed-capabilities/v1/constraint.yaml",
          "excludedNamespaces": "[parameters('excludedNamespaces')]",
          "namespaces": "[parameters('namespaces')]",
          "labelSelector": "[parameters('labelSelector')]",
          "values": {
            "disallowedCapabilities": [
              "CAP_SYS_ADMIN"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/d2e7ea85-6b44-4317-a0be-1b951587f626",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "d2e7ea85-6b44-4317-a0be-1b951587f626"
}
BuiltIn Kubernetes False True n/a n/a audit false 0 n/a true 1 Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8) n/a
{
  "properties": {
    "displayName": "[Preview]: Kubernetes clusters should not use specific security capabilities",
    "policyType": "BuiltIn",
    "mode": "Microsoft.Kubernetes.Data",
    "description": "Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc.",
    "metadata": {
      "version": "2.0.0-preview",
      "category": "Kubernetes",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Deny' blocks the non-compliant resource creation or update. 'Disabled' turns off the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedNamespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace exclusions",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "namespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace inclusions",
          "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
        },
        "defaultValue": []
      },
      "labelSelector": {
        "type": "Object",
        "metadata": {
          "displayName": "Kubernetes label selector",
          "description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
        },
        "defaultValue": {},
        "schema": {
          "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
          "type": "object",
          "properties": {
            "matchLabels": {
              "description": "matchLabels is a map of {key,value} pairs.",
              "type": "object",
              "additionalProperties": {
                "type": "string"
              },
              "minProperties": 1
            },
            "matchExpressions": {
              "description": "matchExpressions is a list of values, a key, and an operator.",
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "key": {
                    "description": "key is the label key that the selector applies to.",
                    "type": "string"
                  },
                  "operator": {
                    "description": "operator represents a key's relationship to a set of values.",
                    "type": "string",
                    "enum": [
                      "In",
                      "NotIn",
                      "Exists",
                      "DoesNotExist"
                    ]
                  },
                  "values": {
                    "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
                    "type": "array",
                    "items": {
                      "type": "string"
                    }
                  }
                },
                "required": [
                  "key",
                  "operator"
                ],
                "additionalProperties": false
              },
              "minItems": 1
            }
          },
          "additionalProperties": false
        }
      },
      "disallowedCapabilities": {
        "type": "Array",
        "metadata": {
          "displayName": "Blocked capabilities",
          "description": "List of capabilities that containers are not able to use"
        },
        "defaultValue": []
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "AKS Engine",
          "Microsoft.Kubernetes/connectedClusters",
          "Microsoft.ContainerService/managedClusters"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "constraintTemplate": "https://store.policy.core.windows.net/kubernetes/container-disallowed-capabilities/v1/template.yaml",
          "constraint": "https://store.policy.core.windows.net/kubernetes/container-disallowed-capabilities/v1/constraint.yaml",
          "excludedNamespaces": "[parameters('excludedNamespaces')]",
          "namespaces": "[parameters('namespaces')]",
          "labelSelector": "[parameters('labelSelector')]",
          "values": {
            "disallowedCapabilities": "[parameters('disallowedCapabilities')]"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/a27c700f-8a22-44ec-961c-41625264370b",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "a27c700f-8a22-44ec-961c-41625264370b"
}
BuiltIn Kubernetes False True n/a n/a audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Preview]: Kubernetes clusters should not use the default namespace",
    "policyType": "BuiltIn",
    "mode": "Microsoft.Kubernetes.Data",
    "description": "Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc.",
    "metadata": {
      "version": "2.1.0-preview",
      "category": "Kubernetes",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Deny' blocks the non-compliant resource creation or update. 'Disabled' turns off the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedNamespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace exclusions",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "namespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace inclusions",
          "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
        },
        "defaultValue": [
          "default"
        ]
      },
      "labelSelector": {
        "type": "Object",
        "metadata": {
          "displayName": "Kubernetes label selector",
          "description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
        },
        "defaultValue": {},
        "schema": {
          "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
          "type": "object",
          "properties": {
            "matchLabels": {
              "description": "matchLabels is a map of {key,value} pairs.",
              "type": "object",
              "additionalProperties": {
                "type": "string"
              },
              "minProperties": 1
            },
            "matchExpressions": {
              "description": "matchExpressions is a list of values, a key, and an operator.",
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "key": {
                    "description": "key is the label key that the selector applies to.",
                    "type": "string"
                  },
                  "operator": {
                    "description": "operator represents a key's relationship to a set of values.",
                    "type": "string",
                    "enum": [
                      "In",
                      "NotIn",
                      "Exists",
                      "DoesNotExist"
                    ]
                  },
                  "values": {
                    "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
                    "type": "array",
                    "items": {
                      "type": "string"
                    }
                  }
                },
                "required": [
                  "key",
                  "operator"
                ],
                "additionalProperties": false
              },
              "minItems": 1
            }
          },
          "additionalProperties": false
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "AKS Engine",
          "Microsoft.Kubernetes/connectedClusters",
          "Microsoft.ContainerService/managedClusters"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "constraintTemplate": "https://store.policy.core.windows.net/kubernetes/block-default-namespace/v1/template.yaml",
          "constraint": "https://store.policy.core.windows.net/kubernetes/block-default-namespace/v1/constraint.yaml",
          "excludedNamespaces": "[parameters('excludedNamespaces')]",
          "namespaces": "[parameters('namespaces')]",
          "labelSelector": "[parameters('labelSelector')]"
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "9f061a12-e40d-4183-a00e-171812443373"
}
BuiltIn Kubernetes False True n/a n/a audit false 0 n/a true 1 Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8) n/a
{
  "properties": {
    "displayName": "[Preview]: Linux machines should meet requirements for the Azure compute security baseline",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "1.1.1-preview",
      "preview": true,
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "AzureLinuxBaseline",
        "version": "1.*"
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "microsoft-aks",
                      "qubole-inc",
                      "datastax",
                      "couchbase",
                      "scalegrid",
                      "checkpoint",
                      "paloaltonetworks",
                      "debian"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "OpenLogic"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "CentOS*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Oracle"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "Oracle-Linux"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "RedHat"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "RHEL",
                          "RHEL-HA",
                          "RHEL-SAP",
                          "RHEL-SAP-APPS",
                          "RHEL-SAP-HA",
                          "RHEL-SAP-HANA"
                        ]
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "RedHat"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "osa",
                          "rhel-byos"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "cis-centos-7-l1",
                          "cis-centos-7-v2-1-1-l1",
                          "cis-centos-8-l1",
                          "cis-debian-linux-8-l1",
                          "cis-debian-linux-9-l1",
                          "cis-nginx-centos-7-v1-1-0-l1",
                          "cis-oracle-linux-7-v2-0-0-l1",
                          "cis-oracle-linux-8-l1",
                          "cis-postgresql-11-centos-linux-7-level-1",
                          "cis-rhel-7-l2",
                          "cis-rhel-7-v2-2-0-l1",
                          "cis-rhel-8-l1",
                          "cis-suse-linux-12-v2-0-0-l1",
                          "cis-ubuntu-linux-1604-v1-0-0-l1",
                          "cis-ubuntu-linux-1804-l1"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "credativ"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "Debian"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "7*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Suse"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "SLES*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "11*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Canonical"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "UbuntuServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "12*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "linux-data-science-vm-ubuntu",
                          "azureml"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloudera"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "cloudera-centos-os"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloudera"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "cloudera-altus-centos-os"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "linux*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Linux*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "exists": "false"
                          },
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "notIn": [
                              "OpenLogic",
                              "RedHat",
                              "credativ",
                              "Suse",
                              "Canonical",
                              "microsoft-dsvm",
                              "cloudera",
                              "microsoft-ads",
                              "center-for-internet-security-inc",
                              "Oracle"
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "linux*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureLinuxBaseline",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "fc9b3da7-8347-4380-8e70-0a0361d8dedd"
}
BuiltIn Guest Configuration False True n/a n/a AuditIfNotExists false 0 n/a true 6 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "[Preview]: Linux virtual machines should use Secure Boot",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "To protect against the installation of malware-based rootkits and boot kits, enable Secure Boot on supported Linux virtual machines. Secure Boot ensures that only signed operating systems and drivers will be allowed to run. This assessment only applies to Linux virtual machines that have the Azure Monitor Agent installed.",
    "metadata": {
      "category": "Security Center",
      "version": "1.0.0-preview",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines/extensions"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/extensions/type",
            "equals": "AzureSecurityLinuxAgent"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
            "equals": "Microsoft.Azure.Security.Monitoring"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "0396b18c-41aa-489c-affd-4ee5d1714a59",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/b1bb3592-47b8-4150-8db0-bfdcc2c8965b",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b1bb3592-47b8-4150-8db0-bfdcc2c8965b"
}
BuiltIn Security Center False True n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Preview]: Log Analytics Agent should be enabled for listed virtual machine images",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the agent is not installed.",
    "metadata": {
      "version": "2.0.0-preview",
      "category": "Monitoring",
      "preview": true
    },
    "parameters": {
      "listOfImageIdToInclude_windows": {
        "type": "Array",
        "metadata": {
          "displayName": "Optional: List of virtual machine images that have supported Windows OS to add to scope",
          "description": "Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'"
        },
        "defaultValue": []
      },
      "listOfImageIdToInclude_linux": {
        "type": "Array",
        "metadata": {
          "displayName": "Optional: List of virtual machine images that have supported Linux OS to add to scope",
          "description": "Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'"
        },
        "defaultValue": []
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "not": {
              "anyOf": [
                {
                  "anyOf": [
                    {
                      "field": "Microsoft.Compute/imageId",
                      "in": "[parameters('listOfImageIdToInclude_windows')]"
                    },
                    {
                      "field": "Microsoft.Compute/imageId",
                      "in": "[parameters('listOfImageIdToInclude_linux')]"
                    },
                    {
                      "allOf": [
                        {
                          "field": "Microsoft.Compute/imagePublisher",
                          "equals": "MicrosoftWindowsServer"
                        },
                        {
                          "field": "Microsoft.Compute/imageOffer",
                          "equals": "WindowsServer"
                        },
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "in": [
                            "2008-R2-SP1",
                            "2008-R2-SP1-smalldisk",
                            "2012-Datacenter",
                            "2012-Datacenter-smalldisk",
                            "2012-R2-Datacenter",
                            "2012-R2-Datacenter-smalldisk",
                            "2016-Datacenter",
                            "2016-Datacenter-Server-Core",
                            "2016-Datacenter-Server-Core-smalldisk",
                            "2016-Datacenter-smalldisk",
                            "2016-Datacenter-with-Containers",
                            "2016-Datacenter-with-RDSH",
                            "2019-Datacenter",
                            "2019-Datacenter-Core",
                            "2019-Datacenter-Core-smalldisk",
                            "2019-Datacenter-Core-with-Containers",
                            "2019-Datacenter-Core-with-Containers-smalldisk",
                            "2019-Datacenter-smalldisk",
                            "2019-Datacenter-with-Containers",
                            "2019-Datacenter-with-Containers-smalldisk",
                            "2019-Datacenter-zhcn"
                          ]
                        }
                      ]
                    },
                    {
                      "allOf": [
                        {
                          "field": "Microsoft.Compute/imagePublisher",
                          "equals": "MicrosoftWindowsServer"
                        },
                        {
                          "field": "Microsoft.Compute/imageOffer",
                          "equals": "WindowsServerSemiAnnual"
                        },
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "in": [
                            "Datacenter-Core-1709-smalldisk",
                            "Datacenter-Core-1709-with-Containers-smalldisk",
                            "Datacenter-Core-1803-with-Containers-smalldisk"
                          ]
                        }
                      ]
                    },
                    {
                      "allOf": [
                        {
                          "field": "Microsoft.Compute/imagePublisher",
                          "equals": "MicrosoftWindowsServerHPCPack"
                        },
                        {
                          "field": "Microsoft.Compute/imageOffer",
                          "equals": "WindowsServerHPCPack"
                        }
                      ]
                    },
                    {
                      "allOf": [
                        {
                          "field": "Microsoft.Compute/imagePublisher",
                          "equals": "MicrosoftSQLServer"
                        },
                        {
                          "anyOf": [
                            {
                              "field": "Microsoft.Compute/imageOffer",
                              "like": "*-WS2016"
                            },
                            {
                              "field": "Microsoft.Compute/imageOffer",
                              "like": "*-WS2016-BYOL"
                            },
                            {
                              "field": "Microsoft.Compute/imageOffer",
                              "like": "*-WS2012R2"
                            },
                            {
                              "field": "Microsoft.Compute/imageOffer",
                              "like": "*-WS2012R2-BYOL"
                            }
                          ]
                        }
                      ]
                    },
                    {
                      "allOf": [
                        {
                          "field": "Microsoft.Compute/imagePublisher",
                          "equals": "MicrosoftRServer"
                        },
                        {
                          "field": "Microsoft.Compute/imageOffer",
                          "equals": "MLServer-WS2016"
                        }
                      ]
                    },
                    {
                      "allOf": [
                        {
                          "field": "Microsoft.Compute/imagePublisher",
                          "equals": "MicrosoftVisualStudio"
                        },
                        {
                          "field": "Microsoft.Compute/imageOffer",
                          "in": [
                            "VisualStudio",
                            "Windows"
                          ]
                        }
                      ]
                    },
                    {
                      "allOf": [
                        {
                          "field": "Microsoft.Compute/imagePublisher",
                          "equals": "MicrosoftDynamicsAX"
                        },
                        {
                          "field": "Microsoft.Compute/imageOffer",
                          "equals": "Dynamics"
                        },
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "equals": "Pre-Req-AX7-Onebox-U8"
                        }
                      ]
                    },
                    {
                      "allOf": [
                        {
                          "field": "Microsoft.Compute/imagePublisher",
                          "equals": "MicrosoftDynamicsAX"
                        },
                        {
                          "field": "Microsoft.Compute/imageOffer",
                          "equals": "Dynamics"
                        },
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "equals": "Pre-Req-AX7-Onebox-V4"
                        }
                      ]
                    },
                    {
                      "allOf": [
                        {
                          "field": "Microsoft.Compute/imagePublisher",
                          "equals": "microsoft-ads"
                        },
                        {
                          "field": "Microsoft.Compute/imageOffer",
                          "equals": "windows-data-science-vm"
                        }
                      ]
                    },
                    {
                      "allOf": [
                        {
                          "field": "Microsoft.Compute/imagePublisher",
                          "equals": "MicrosoftWindowsDesktop"
                        },
                        {
                          "field": "Microsoft.Compute/imageOffer",
                          "equals": "Windows-10"
                        }
                      ]
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "RedHat"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "in": [
                        "RHEL",
                        "RHEL-SAP-HANA"
                      ]
                    },
                    {
                      "anyOf": [
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "like": "6.*"
                        },
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "like": "7*"
                        }
                      ]
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "SUSE"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "in": [
                        "SLES",
                        "SLES-HPC",
                        "SLES-HPC-Priority",
                        "SLES-SAP",
                        "SLES-SAP-BYOS",
                        "SLES-Priority",
                        "SLES-BYOS",
                        "SLES-SAPCAL",
                        "SLES-Standard"
                      ]
                    },
                    {
                      "anyOf": [
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "like": "12*"
                        }
                      ]
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "Canonical"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "equals": "UbuntuServer"
                    },
                    {
                      "anyOf": [
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "like": "14.04*LTS"
                        },
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "like": "16.04*LTS"
                        },
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "like": "18.04*LTS"
                        }
                      ]
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "Oracle"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "equals": "Oracle-Linux"
                    },
                    {
                      "anyOf": [
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "like": "6.*"
                        },
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "like": "7.*"
                        }
                      ]
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "OpenLogic"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "in": [
                        "CentOS",
                        "Centos-LVM",
                        "CentOS-SRIOV"
                      ]
                    },
                    {
                      "anyOf": [
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "like": "6.*"
                        },
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "like": "7*"
                        }
                      ]
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "cloudera"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "equals": "cloudera-centos-os"
                    },
                    {
                      "field": "Microsoft.Compute/imageSKU",
                      "like": "7*"
                    }
                  ]
                }
              ]
            }
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Compute/virtualMachines/extensions",
          "existenceCondition": {
            "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
            "equals": "Microsoft.EnterpriseCloud.Monitoring"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "32133ab0-ee4b-4b44-98d6-042180979d50"
}
BuiltIn Monitoring False True n/a n/a AuditIfNotExists false 0 n/a true 7 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), Enable Azure Monitor for VMs (/providers/microsoft.authorization/policysetdefinitions/55f3eceb-5573-4f18-9695-226972c6d74a), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de) n/a
{
  "properties": {
    "displayName": "[Preview]: Log Analytics agent should be installed on your Linux Azure Arc machines",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy audits Linux Azure Arc machines if the Log Analytics agent is not installed.",
    "metadata": {
      "version": "1.0.0-preview",
      "category": "Monitoring",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.HybridCompute/machines"
          },
          {
            "field": "Microsoft.HybridCompute/imageOffer",
            "like": "linux*"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.HybridCompute/machines/extensions",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.HybridCompute/machines/extensions/type",
                "equals": "OmsAgentForLinux"
              },
              {
                "field": "Microsoft.HybridCompute/machines/extensions/publisher",
                "equals": "Microsoft.EnterpriseCloud.Monitoring"
              },
              {
                "field": "Microsoft.HybridCompute/machines/extensions/provisioningState",
                "equals": "Succeeded"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/842c54e8-c2f9-4d79-ae8d-38d8b8019373",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "842c54e8-c2f9-4d79-ae8d-38d8b8019373"
}
BuiltIn Monitoring False True n/a n/a AuditIfNotExists false 0 n/a true 6 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "[Preview]: Log Analytics agent should be installed on your Windows Azure Arc machines",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy audits Windows Azure Arc machines if the Log Analytics agent is not installed.",
    "metadata": {
      "version": "1.0.0-preview",
      "category": "Monitoring",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.HybridCompute/machines"
          },
          {
            "field": "Microsoft.HybridCompute/imageOffer",
            "like": "windows*"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.HybridCompute/machines/extensions",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.HybridCompute/machines/extensions/type",
                "equals": "MicrosoftMonitoringAgent"
              },
              {
                "field": "Microsoft.HybridCompute/machines/extensions/publisher",
                "equals": "Microsoft.EnterpriseCloud.Monitoring"
              },
              {
                "field": "Microsoft.HybridCompute/machines/extensions/provisioningState",
                "equals": "Succeeded"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e"
}
BuiltIn Monitoring False True n/a n/a AuditIfNotExists false 0 n/a true 6 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "[Preview]: Network traffic data collection agent should be installed on Linux virtual machines",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.",
    "metadata": {
      "version": "1.0.1-preview",
      "category": "Monitoring",
      "preview": "true"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable Dependency Agent for Linux VMs monitoring"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "anyOf": [
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Canonical"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "UbuntuServer"
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "in": [
                          "14.04.0-LTS",
                          "14.04.1-LTS",
                          "14.04.5-LTS"
                        ]
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "in": [
                          "16.04-LTS",
                          "16.04.0-LTS"
                        ]
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "in": [
                          "18.04-LTS"
                        ]
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "RedHat"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "RHEL",
                      "RHEL-SAP-HANA"
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "6.*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "7*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "SUSE"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "SLES",
                      "SLES-HPC",
                      "SLES-HPC-Priority",
                      "SLES-SAP",
                      "SLES-SAP-BYOS",
                      "SLES-Priority",
                      "SLES-BYOS",
                      "SLES-SAPCAL",
                      "SLES-Standard"
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "in": [
                          "12-SP2",
                          "12-SP3",
                          "12-SP4"
                        ]
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "OpenLogic"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "CentOS",
                      "Centos-LVM",
                      "CentOS-SRIOV"
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "6.*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "7*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "cloudera"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "cloudera-centos-os"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "like": "7*"
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Compute/virtualMachines/extensions",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/type",
                "equals": "DependencyAgentLinux"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                "equals": "Microsoft.Azure.Monitoring.DependencyAgent"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",
                "equals": "Succeeded"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "04c4380f-3fae-46e8-96c9-30193528f602"
}
BuiltIn Monitoring False true n/a n/a AuditIfNotExists false 0 n/a true 7 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "[Preview]: Network traffic data collection agent should be installed on Windows virtual machines",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.",
    "metadata": {
      "version": "1.0.1-preview",
      "category": "Monitoring",
      "preview": "true"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable Dependency Agent for Windows VMs monitoring"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "anyOf": [
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "WindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "in": [
                      "2008-R2-SP1",
                      "2008-R2-SP1-smalldisk",
                      "2012-Datacenter",
                      "2012-Datacenter-smalldisk",
                      "2012-R2-Datacenter",
                      "2012-R2-Datacenter-smalldisk",
                      "2016-Datacenter",
                      "2016-Datacenter-Server-Core",
                      "2016-Datacenter-Server-Core-smalldisk",
                      "2016-Datacenter-smalldisk",
                      "2016-Datacenter-with-Containers",
                      "2016-Datacenter-with-RDSH",
                      "2019-Datacenter",
                      "2019-Datacenter-Core",
                      "2019-Datacenter-Core-smalldisk",
                      "2019-Datacenter-Core-with-Containers",
                      "2019-Datacenter-Core-with-Containers-smalldisk",
                      "2019-Datacenter-smalldisk",
                      "2019-Datacenter-with-Containers",
                      "2019-Datacenter-with-Containers-smalldisk",
                      "2019-Datacenter-zhcn"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "WindowsServerSemiAnnual"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "in": [
                      "Datacenter-Core-1709-smalldisk",
                      "Datacenter-Core-1709-with-Containers-smalldisk",
                      "Datacenter-Core-1803-with-Containers-smalldisk"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServerHPCPack"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "WindowsServerHPCPack"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftSQLServer"
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2016"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2016-BYOL"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2012R2"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2012R2-BYOL"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftRServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "MLServer-WS2016"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftVisualStudio"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "VisualStudio",
                      "Windows"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftDynamicsAX"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Dynamics"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "equals": "Pre-Req-AX7-Onebox-U8"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "microsoft-ads"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "windows-data-science-vm"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsDesktop"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Windows-10"
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Compute/virtualMachines/extensions",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/type",
                "equals": "DependencyAgentWindows"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                "equals": "Microsoft.Azure.Monitoring.DependencyAgent"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",
                "equals": "Succeeded"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "2f2ee1de-44aa-4762-b6bd-0893fc3f306d"
}
BuiltIn Monitoring False true n/a n/a AuditIfNotExists false 0 n/a true 7 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "[Preview]: Private endpoint should be configured for Key Vault",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration.",
    "metadata": {
      "version": "1.1.0-preview",
      "category": "Key Vault",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault/vaults"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.KeyVault/vaults/privateEndpointConnections",
                "exists": "false"
              },
              {
                "count": {
                  "field": "Microsoft.KeyVault/vaults/privateEndpointConnections[*]"
                },
                "equals": 0
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/5f0bc445-3935-4915-9981-011aa2b46147",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "5f0bc445-3935-4915-9981-011aa2b46147"
}
BuiltIn Key Vault False True n/a n/a Audit false 0 n/a true 6 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "[Preview]: Recovery Services vaults should use private link",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Recovery Services vaults, data leakage risks are reduced. Learn more about private links for Azure Site Recovery at: https://aka.ms/HybridScenarios-PrivateLink and https://aka.ms/AzureToAzure-PrivateLink.",
    "metadata": {
      "version": "1.0.0-preview",
      "category": "Site Recovery",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.RecoveryServices/vaults"
          },
          {
            "count": {
              "field": "Microsoft.RecoveryServices/vaults/privateEndpointConnections[*]",
              "where": {
                "allOf": [
                  {
                    "field": "Microsoft.RecoveryServices/vaults/privateEndpointConnections[*].privateLinkServiceConnectionState.status",
                    "equals": "Approved"
                  },
                  {
                    "field": "Microsoft.RecoveryServices/vaults/privateEndpointConnections[*].provisioningState",
                    "equals": "Succeeded"
                  },
                  {
                    "field": "Microsoft.RecoveryServices/vaults/privateEndpointConnections[*].id",
                    "contains": "SiteRecovery"
                  }
                ]
              }
            },
            "less": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/11e3da8c-1d68-4392-badd-0ff3c43ab5b0",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "11e3da8c-1d68-4392-badd-0ff3c43ab5b0"
}
BuiltIn Site Recovery False True n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Preview]: Secrets should have content type set",
    "policyType": "BuiltIn",
    "mode": "Microsoft.KeyVault.Data",
    "description": "A content type tag helps identify whether a secret is a password, connection string, etc. Different secrets have different rotation requirements. Content type tag should be set on secrets.",
    "metadata": {
      "version": "1.0.0-preview",
      "category": "Key Vault",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault.Data/vaults/secrets"
          },
          {
            "field": "Microsoft.KeyVault.Data/vaults/secrets/contentType",
            "exists": false
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "75262d3e-ba4a-4f43-85f8-9f72c090e5e3"
}
BuiltIn Key Vault False True n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Preview]: Secrets should have more than the specified number of days before expiration",
    "policyType": "BuiltIn",
    "mode": "Microsoft.KeyVault.Data",
    "description": "If a secret is too close to expiration, an organizational delay to rotate the secret may result in an outage. Secrets should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure.",
    "metadata": {
      "version": "1.0.0-preview",
      "category": "Key Vault",
      "preview": true
    },
    "parameters": {
      "minimumDaysBeforeExpiration": {
        "type": "Integer",
        "metadata": {
          "displayName": "The minimum days before expiration",
          "description": "Specify the minimum number of days that a secret should remain usable prior to expiration."
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault.Data/vaults/secrets"
          },
          {
            "field": "Microsoft.KeyVault.Data/vaults/secrets/attributes.expiresOn",
            "exists": true
          },
          {
            "field": "Microsoft.KeyVault.Data/vaults/secrets/attributes.expiresOn",
            "less": "[addDays(utcNow(), parameters('minimumDaysBeforeExpiration'))]"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b0eb591a-5e70-4534-a8bf-04b9c489584a"
}
BuiltIn Key Vault False True n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Preview]: Secrets should have the specified maximum validity period",
    "policyType": "BuiltIn",
    "mode": "Microsoft.KeyVault.Data",
    "description": "Manage your organizational compliance requirements by specifying the maximum amount of time in days that a secret can be valid within your key vault.",
    "metadata": {
      "version": "1.0.0-preview",
      "category": "Key Vault",
      "preview": true
    },
    "parameters": {
      "maximumValidityInDays": {
        "type": "Integer",
        "metadata": {
          "displayName": "The maximum validity period in days",
          "description": "Specify the maximum number of days a secret can be valid for. Secrets should be ephemeral. Using a secret with a long validity period is not recommended."
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault.Data/vaults/secrets"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.KeyVault.Data/vaults/secrets/attributes.expiresOn",
                "exists": false
              },
              {
                "field": "Microsoft.KeyVault.Data/vaults/secrets/attributes.expiresOn",
                "greater": "[addDays(field('Microsoft.KeyVault.Data/vaults/secrets/attributes.createdOn'), parameters('maximumValidityInDays'))]"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "342e8053-e12e-4c44-be01-c3c2f318400f"
}
BuiltIn Key Vault False True n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Preview]: Secrets should not be active for longer than the specified number of days",
    "policyType": "BuiltIn",
    "mode": "Microsoft.KeyVault.Data",
    "description": "If your secrets were created with an activation date set in the future, you must ensure that your secrets have not been active for longer than the specified duration.",
    "metadata": {
      "version": "1.0.0-preview",
      "category": "Key Vault",
      "preview": true
    },
    "parameters": {
      "maximumValidityInDays": {
        "type": "Integer",
        "metadata": {
          "displayName": "The maximum validity period in days",
          "description": "Specify the maximum number of days a secret can be valid for after activation."
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault.Data/vaults/secrets"
          },
          {
            "value": "[utcNow()]",
            "greater": "[addDays(if(empty(field('Microsoft.KeyVault.Data/vaults/secrets/attributes.notBefore')), field('Microsoft.KeyVault.Data/vaults/secrets/attributes.createdOn'), field('Microsoft.KeyVault.Data/vaults/secrets/attributes.notBefore')), parameters('maximumValidityInDays'))]"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e8d99835-8a06-45ae-a8e0-87a91941ccfe"
}
BuiltIn Key Vault False True n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Preview]: Secure Boot should be enabled on supported Windows virtual machines",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment only applies to trusted launch enabled Windows virtual machines.",
    "metadata": {
      "category": "Security Center",
      "version": "1.0.0-preview",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/storageProfile.imageReference.offer",
            "like": "windows*"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/securityProfile.uefiSettings",
            "exists": "true"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/securityProfile.uefiSettings.secureBootEnabled",
            "notequals": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "97566dd7-78ae-4997-8b36-1c7bfe0d8121"
}
BuiltIn Security Center False True n/a n/a Audit false 0 n/a true 1 Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8) n/a
{
  "properties": {
    "displayName": "[Preview]: Sensitive data in your SQL databases should be classified",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Security Center monitors the data discovery and classification scan results for your SQL databases and provides recommendations to classify the sensitive data in your databases for better monitoring and security",
    "metadata": {
      "version": "3.0.0-preview",
      "category": "Security Center",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "Microsoft.Sql/servers/databases",
          "Microsoft.Sql/managedInstances/databases"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "b0df6f56-862d-4730-8597-38c0fd4ebd59",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349"
}
BuiltIn Security Center False True n/a n/a AuditIfNotExists false 0 n/a true 7 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "[Preview]: SQL Managed instances should use customer-managed keys to encrypt data at rest",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Your SQL Managed instances are created using a customer-managed key for Transparent Data Encryption. Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.",
    "metadata": {
      "version": "1.0.0-preview",
      "category": "SQL",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Sql/managedInstances"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Sql/managedInstances/keyid",
                "exists": false
              },
              {
                "field": "Microsoft.Sql/managedInstances/keyid",
                "equals": ""
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ac01ad65-10e5-46df-bdd9-6b0cad13e1d2"
}
BuiltIn SQL False True n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Preview]: SQL server should use customer-managed keys to encrypt data at rest",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Your Azure SQL Server are created using a customer-managed key for Transparent Data Encryption. Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.",
    "metadata": {
      "version": "1.0.0-preview",
      "category": "SQL",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Sql/servers"
          },
          {
            "value": "[resourcegroup().managedBy]",
            "notContains": "/providers/Microsoft.Synapse/"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Sql/servers/keyid",
                "exists": false
              },
              {
                "field": "Microsoft.Sql/servers/keyid",
                "equals": ""
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0a370ff3-6cab-4e85-8995-295fd854c5b8"
}
BuiltIn SQL False True n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Preview]: Storage account public access should be disallowed",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",
    "metadata": {
      "version": "2.0.1-preview",
      "category": "Storage",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The effect determines what happens when the policy rule is evaluated to match"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "field": "id",
            "notContains": "/resourceGroups/databricks-rg-"
          },
          {
            "not": {
              "field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess",
              "equals": "false"
            }
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "4fa4b6c0-31ca-4c0d-b10d-24b96f62a751"
}
BuiltIn Storage False True n/a n/a audit false 0 n/a true 9 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "[Preview]: Virtual machines guest attestation status should be healthy",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Guest attestation is performed by sending a trusted log (TCGLog) to an attestation server. The server uses these logs to determine whether boot components are trustworthy. This assessment is intended to detect compromises of the boot chain which might be the result of a bootkit or rootkit infection. This assessment only applies to Trusted Launch enabled virtual machines that have Guest Attestation extension installed.",
    "metadata": {
      "category": "Security Center",
      "version": "1.0.0-preview",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines/extensions"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
            "in": [
              "Microsoft.Azure.Security.WindowsAttestation",
              "Microsoft.Azure.Security.LinuxAttestation"
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "b7604066-ed76-45f9-a5c1-c97e4812dc55",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/f6358610-e532-4236-b178-4c65865eb262",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "f6358610-e532-4236-b178-4c65865eb262"
}
BuiltIn Security Center False True n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "[Preview]: vTPM should be enabled on supported virtual machines",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",
    "metadata": {
      "category": "Security Center",
      "version": "1.0.0-preview",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/securityProfile.uefiSettings",
            "exists": "true"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/securityProfile.uefiSettings.vTpmEnabled",
            "notequals": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "1c30f9cd-b84c-49cc-aa2c-9288447cc3b3"
}
BuiltIn Security Center False True n/a n/a Audit false 0 n/a true 1 Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8) n/a
{
  "properties": {
    "displayName": "[Preview]: Windows machines should meet requirements of the Azure compute security baseline",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "1.0.1-preview",
      "preview": true,
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "AzureWindowsBaseline",
        "version": "1.*"
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureWindowsBaseline",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "72650e9f-97bc-4b2a-ab5f-9781a9fcecbc"
}
BuiltIn Guest Configuration False True n/a n/a AuditIfNotExists false 0 n/a true 5 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "A custom IPsec/IKE policy must be applied to all Azure virtual network gateway connections",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy ensures that all Azure virtual network gateway connections use a custom Internet Protocol Security(Ipsec)/Internet Key Exchange(IKE) policy. Supported algorithms and key strengths - https://aka.ms/AA62kb0",
    "metadata": {
      "version": "1.0.0",
      "category": "Network"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "IPsecEncryption": {
        "type": "Array",
        "metadata": {
          "displayName": "IPsec Encryption",
          "description": "IPsec Encryption"
        }
      },
      "IPsecIntegrity": {
        "type": "Array",
        "metadata": {
          "displayName": "IPsec Integrity",
          "description": "IPsec Integrity"
        }
      },
      "IKEEncryption": {
        "type": "Array",
        "metadata": {
          "displayName": "IKE Encryption",
          "description": "IKE Encryption"
        }
      },
      "IKEIntegrity": {
        "type": "Array",
        "metadata": {
          "displayName": "IKE Integrity",
          "description": "IKE Integrity"
        }
      },
      "DHGroup": {
        "type": "Array",
        "metadata": {
          "displayName": "DH Group",
          "description": "DH Group"
        }
      },
      "PFSGroup": {
        "type": "Array",
        "metadata": {
          "displayName": "PFS Group",
          "description": "PFS Group"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/connections"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Network/connections/ipsecPolicies[*].ipsecEncryption",
                "notIn": "[parameters('IPsecEncryption')]"
              },
              {
                "field": "Microsoft.Network/connections/ipsecPolicies[*].ipsecIntegrity",
                "notIn": "[parameters('IPsecIntegrity')]"
              },
              {
                "field": "Microsoft.Network/connections/ipsecPolicies[*].ikeEncryption",
                "notIn": "[parameters('IKEEncryption')]"
              },
              {
                "field": "Microsoft.Network/connections/ipsecPolicies[*].ikeIntegrity",
                "notIn": "[parameters('IKEIntegrity')]"
              },
              {
                "field": "Microsoft.Network/connections/ipsecPolicies[*].dhGroup",
                "notIn": "[parameters('DHGroup')]"
              },
              {
                "field": "Microsoft.Network/connections/ipsecPolicies[*].pfsGroup",
                "notIn": "[parameters('PFSGroup')]"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/50b83b09-03da-41c1-b656-c293c914862b",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "50b83b09-03da-41c1-b656-c293c914862b"
}
BuiltIn Network False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "A maximum of 3 owners should be designated for your subscription",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner.",
    "metadata": {
      "version": "3.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "6f90a6d6-d4d6-0794-0ec1-98fa77878c2e",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "4f11b553-d42e-4e3a-89be-32ca364cad4c"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 18 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), PCI v3.2.1:2018 (/providers/microsoft.authorization/policysetdefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "A vulnerability assessment solution should be enabled on your virtual machines",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",
    "metadata": {
      "version": "3.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "Microsoft.Compute/virtualMachines",
          "Microsoft.ClassicCompute/virtualMachines"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "ffff0522-1e88-47fc-8382-2a80ba848f5d",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "501541f7-f7e7-4cd6-868c-4190fdad3ac9"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 20 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), PCI v3.2.1:2018 (/providers/microsoft.authorization/policysetdefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), [Preview]: Motion Picture Association of America (MPAA) (/providers/microsoft.authorization/policysetdefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Activity log should be retained for at least one year",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy audits the activity log if the retention is not set for 365 days or forever (retention days set to 0).",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/logProfiles",
          "existenceCondition": {
            "anyOf": [
              {
                "allOf": [
                  {
                    "field": "Microsoft.Insights/logProfiles/retentionPolicy.enabled",
                    "equals": "true"
                  },
                  {
                    "field": "Microsoft.Insights/logProfiles/retentionPolicy.days",
                    "equals": "365"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Insights/logProfiles/retentionPolicy.enabled",
                    "equals": "false"
                  },
                  {
                    "field": "Microsoft.Insights/logProfiles/retentionPolicy.days",
                    "equals": "0"
                  }
                ]
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/b02aacc0-b073-424e-8298-42b22829ee0a",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b02aacc0-b073-424e-8298-42b22829ee0a"
}
BuiltIn Monitoring False False n/a n/a AuditIfNotExists false 0 n/a true 2 CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de) n/a
{
  "properties": {
    "displayName": "Adaptive application controls for defining safe applications should be enabled on your machines",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",
    "metadata": {
      "version": "3.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "Microsoft.Compute/virtualMachines",
          "Microsoft.ClassicCompute/virtualMachines"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "35f45c95-27cf-4e52-891f-8390d1de5828",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "47a6b606-51aa-4496-8bb7-64b11cf66adc"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 19 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Adaptive network hardening recommendations should be applied on internet facing virtual machines",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",
    "metadata": {
      "version": "3.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachines"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "f9f0eed0-f143-47bf-b856-671ea2eeed62",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "08e6af2d-db70-460a-bfe9-d5bd474ba9d6"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 18 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Add a tag to resource groups",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Adds the specified tag and value when any resource group missing this tag is created or updated. Existing resource groups can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed.",
    "metadata": {
      "version": "1.0.0",
      "category": "Tags"
    },
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Name",
          "description": "Name of the tag, such as 'environment'"
        }
      },
      "tagValue": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Value",
          "description": "Value of the tag, such as 'production'"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions/resourceGroups"
          },
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "exists": "false"
          }
        ]
      },
      "then": {
        "effect": "modify",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "operations": [
            {
              "operation": "add",
              "field": "[concat('tags[', parameters('tagName'), ']')]",
              "value": "[parameters('tagValue')]"
            }
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/726aca4c-86e9-4b04-b0c5-073027359532",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "726aca4c-86e9-4b04-b0c5-073027359532"
}
BuiltIn Tags False False n/a n/a n/a false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Add a tag to resources",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Adds the specified tag and value when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. Does not modify tags on resource groups.",
    "metadata": {
      "version": "1.0.0",
      "category": "Tags"
    },
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Name",
          "description": "Name of the tag, such as 'environment'"
        }
      },
      "tagValue": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Value",
          "description": "Value of the tag, such as 'production'"
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "[concat('tags[', parameters('tagName'), ']')]",
        "exists": "false"
      },
      "then": {
        "effect": "modify",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "operations": [
            {
              "operation": "add",
              "field": "[concat('tags[', parameters('tagName'), ']')]",
              "value": "[parameters('tagValue')]"
            }
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "4f9dc7db-30c1-420c-b61a-e1d640128d26"
}
BuiltIn Tags False False n/a n/a n/a false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Add a tag to subscriptions",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Adds the specified tag and value to subscriptions via a remediation task. If the tag exists with a different value it will not be changed. See https://aka.ms/azurepolicyremediation for more information on policy remediation.",
    "metadata": {
      "version": "1.0.0",
      "category": "Tags"
    },
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Name",
          "description": "Name of the tag, such as 'environment'"
        }
      },
      "tagValue": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Value",
          "description": "Value of the tag, such as 'production'"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
          },
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "exists": "false"
          }
        ]
      },
      "then": {
        "effect": "modify",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f"
          ],
          "operations": [
            {
              "operation": "add",
              "field": "[concat('tags[', parameters('tagName'), ']')]",
              "value": "[parameters('tagValue')]"
            }
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/96d9a89c-0d67-41fc-899d-2b9599f76a24",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "96d9a89c-0d67-41fc-899d-2b9599f76a24"
}
BuiltIn Tags False False n/a n/a n/a false 0 n/a false 0 n/a 'Tag Contributor' (4a9ae827-6dc8-4573-8ac7-8239d42aa03f)
{
  "properties": {
    "displayName": "Add or replace a tag on resource groups",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Adds or replaces the specified tag and value when any resource group is created or updated. Existing resource groups can be remediated by triggering a remediation task.",
    "metadata": {
      "version": "1.0.0",
      "category": "Tags"
    },
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Name",
          "description": "Name of the tag, such as 'environment'"
        }
      },
      "tagValue": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Value",
          "description": "Value of the tag, such as 'production'"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions/resourceGroups"
          },
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "notEquals": "[parameters('tagValue')]"
          }
        ]
      },
      "then": {
        "effect": "modify",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "operations": [
            {
              "operation": "addOrReplace",
              "field": "[concat('tags[', parameters('tagName'), ']')]",
              "value": "[parameters('tagValue')]"
            }
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/d157c373-a6c4-483d-aaad-570756956268",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "d157c373-a6c4-483d-aaad-570756956268"
}
BuiltIn Tags False False n/a n/a n/a false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Add or replace a tag on resources",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Adds or replaces the specified tag and value when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. Does not modify tags on resource groups.",
    "metadata": {
      "version": "1.0.0",
      "category": "Tags"
    },
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Name",
          "description": "Name of the tag, such as 'environment'"
        }
      },
      "tagValue": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Value",
          "description": "Value of the tag, such as 'production'"
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "[concat('tags[', parameters('tagName'), ']')]",
        "notEquals": "[parameters('tagValue')]"
      },
      "then": {
        "effect": "modify",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "operations": [
            {
              "operation": "addOrReplace",
              "field": "[concat('tags[', parameters('tagName'), ']')]",
              "value": "[parameters('tagValue')]"
            }
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/5ffd78d9-436d-4b41-a421-5baa819e3008",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "5ffd78d9-436d-4b41-a421-5baa819e3008"
}
BuiltIn Tags False False n/a n/a n/a false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Add or replace a tag on subscriptions",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Adds or replaces the specified tag and value on subscriptions via a remediation task. Existing resource groups can be remediated by triggering a remediation task. See https://aka.ms/azurepolicyremediation for more information on policy remediation.",
    "metadata": {
      "version": "1.0.0",
      "category": "Tags"
    },
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Name",
          "description": "Name of the tag, such as 'environment'"
        }
      },
      "tagValue": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Value",
          "description": "Value of the tag, such as 'production'"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
          },
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "notEquals": "[parameters('tagValue')]"
          }
        ]
      },
      "then": {
        "effect": "modify",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f"
          ],
          "operations": [
            {
              "operation": "addOrReplace",
              "field": "[concat('tags[', parameters('tagName'), ']')]",
              "value": "[parameters('tagValue')]"
            }
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/61a4d60b-7326-440e-8051-9f94394d4dd1",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "61a4d60b-7326-440e-8051-9f94394d4dd1"
}
BuiltIn Tags False False n/a n/a n/a false 0 n/a false 0 n/a 'Tag Contributor' (4a9ae827-6dc8-4573-8ac7-8239d42aa03f)
{
  "properties": {
    "displayName": "Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "1.0.0"
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "anyOf": [
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "microsoft-aks",
                      "qubole-inc",
                      "datastax",
                      "couchbase",
                      "scalegrid",
                      "checkpoint",
                      "paloaltonetworks",
                      "debian"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "OpenLogic"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "CentOS*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Oracle"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "Oracle-Linux"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "RedHat"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "RHEL",
                          "RHEL-HA",
                          "RHEL-SAP",
                          "RHEL-SAP-APPS",
                          "RHEL-SAP-HA",
                          "RHEL-SAP-HANA"
                        ]
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "RedHat"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "osa",
                          "rhel-byos"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "cis-centos-7-l1",
                          "cis-centos-7-v2-1-1-l1",
                          "cis-centos-8-l1",
                          "cis-debian-linux-8-l1",
                          "cis-debian-linux-9-l1",
                          "cis-nginx-centos-7-v1-1-0-l1",
                          "cis-oracle-linux-7-v2-0-0-l1",
                          "cis-oracle-linux-8-l1",
                          "cis-postgresql-11-centos-linux-7-level-1",
                          "cis-rhel-7-l2",
                          "cis-rhel-7-v2-2-0-l1",
                          "cis-rhel-8-l1",
                          "cis-suse-linux-12-v2-0-0-l1",
                          "cis-ubuntu-linux-1604-v1-0-0-l1",
                          "cis-ubuntu-linux-1804-l1"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "credativ"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "Debian"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "7*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Suse"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "SLES*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "11*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Canonical"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "UbuntuServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "12*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "linux-data-science-vm-ubuntu",
                          "azureml"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloudera"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "cloudera-centos-os"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloudera"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "cloudera-altus-centos-os"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "linux*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Linux*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "exists": "false"
                          },
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "notIn": [
                              "OpenLogic",
                              "RedHat",
                              "credativ",
                              "Suse",
                              "Canonical",
                              "microsoft-dsvm",
                              "cloudera",
                              "microsoft-ads",
                              "center-for-internet-security-inc",
                              "Oracle"
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "value": "[requestContext().apiVersion]",
            "greaterOrEquals": "2018-10-01"
          },
          {
            "anyOf": [
              {
                "field": "identity.type",
                "exists": "false"
              },
              {
                "field": "identity.type",
                "equals": "None"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "modify",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "operations": [
            {
              "operation": "addOrReplace",
              "field": "identity.type",
              "value": "SystemAssigned"
            }
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "3cf2ab00-13f1-4d0c-8971-2ac904541a7e"
}
BuiltIn Guest Configuration False False n/a n/a n/a false 0 n/a true 18 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), Deploy prerequisites to enable Guest Configuration policies on virtual machines (/providers/microsoft.authorization/policysetdefinitions/12794019-7a00-42cf-95c2-882eed337cc8), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), PCI v3.2.1:2018 (/providers/microsoft.authorization/policysetdefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), [Preview]: Motion Picture Association of America (MPAA) (/providers/microsoft.authorization/policysetdefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "1.0.0"
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "anyOf": [
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "microsoft-aks",
                      "qubole-inc",
                      "datastax",
                      "couchbase",
                      "scalegrid",
                      "checkpoint",
                      "paloaltonetworks",
                      "debian"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "OpenLogic"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "CentOS*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Oracle"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "Oracle-Linux"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "RedHat"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "RHEL",
                          "RHEL-HA",
                          "RHEL-SAP",
                          "RHEL-SAP-APPS",
                          "RHEL-SAP-HA",
                          "RHEL-SAP-HANA"
                        ]
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "RedHat"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "osa",
                          "rhel-byos"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "cis-centos-7-l1",
                          "cis-centos-7-v2-1-1-l1",
                          "cis-centos-8-l1",
                          "cis-debian-linux-8-l1",
                          "cis-debian-linux-9-l1",
                          "cis-nginx-centos-7-v1-1-0-l1",
                          "cis-oracle-linux-7-v2-0-0-l1",
                          "cis-oracle-linux-8-l1",
                          "cis-postgresql-11-centos-linux-7-level-1",
                          "cis-rhel-7-l2",
                          "cis-rhel-7-v2-2-0-l1",
                          "cis-rhel-8-l1",
                          "cis-suse-linux-12-v2-0-0-l1",
                          "cis-ubuntu-linux-1604-v1-0-0-l1",
                          "cis-ubuntu-linux-1804-l1"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "credativ"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "Debian"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "7*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Suse"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "SLES*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "11*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Canonical"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "UbuntuServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "12*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "linux-data-science-vm-ubuntu",
                          "azureml"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloudera"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "cloudera-centos-os"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloudera"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "cloudera-altus-centos-os"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "linux*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Linux*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "exists": "false"
                          },
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "notIn": [
                              "OpenLogic",
                              "RedHat",
                              "credativ",
                              "Suse",
                              "Canonical",
                              "microsoft-dsvm",
                              "cloudera",
                              "microsoft-ads",
                              "center-for-internet-security-inc",
                              "Oracle"
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "value": "[requestContext().apiVersion]",
            "greaterOrEquals": "2018-10-01"
          },
          {
            "field": "identity.type",
            "contains": "UserAssigned"
          },
          {
            "field": "identity.type",
            "notContains": "SystemAssigned"
          }
        ]
      },
      "then": {
        "effect": "modify",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "operations": [
            {
              "operation": "addOrReplace",
              "field": "identity.type",
              "value": "[concat(field('identity.type'), ',SystemAssigned')]"
            }
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "497dff13-db2a-4c0f-8603-28fa3b331ab6"
}
BuiltIn Guest Configuration False False n/a n/a n/a false 0 n/a true 18 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), Deploy prerequisites to enable Guest Configuration policies on virtual machines (/providers/microsoft.authorization/policysetdefinitions/12794019-7a00-42cf-95c2-882eed337cc8), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), PCI v3.2.1:2018 (/providers/microsoft.authorization/policysetdefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), [Preview]: Motion Picture Association of America (MPAA) (/providers/microsoft.authorization/policysetdefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Event Hub clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity",
    "metadata": {
      "version": "1.0.1",
      "category": "Event Hub"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The effect determines what happens when the policy rule is evaluated to match"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.EventHub/namespaces/authorizationRules"
          },
          {
            "field": "name",
            "notEquals": "RootManageSharedAccessKey"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b278e460-7cfc-4451-8294-cccc40a940d7"
}
BuiltIn Event Hub False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Service Bus clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity",
    "metadata": {
      "version": "1.0.1",
      "category": "Service Bus"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The effect determines what happens when the policy rule is evaluated to match"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ServiceBus/namespaces/authorizationRules"
          },
          {
            "field": "name",
            "notEquals": "RootManageSharedAccessKey"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "a1817ec0-a368-432a-8057-8371e17ac6ee"
}
BuiltIn Service Bus False False n/a n/a Audit false 0 n/a true 2 [Preview]: Motion Picture Association of America (MPAA) (/providers/microsoft.authorization/policysetdefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a) n/a
{
  "properties": {
    "displayName": "All network ports should be restricted on network security groups associated to your virtual machine",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",
    "metadata": {
      "version": "3.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "Microsoft.Compute/virtualMachines",
          "Microsoft.ClassicCompute/virtualMachines"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "3b20e985-f71f-483b-b078-f30d73936d43",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "9daedab3-fb2d-461e-b861-71790eead4f6"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 16 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), PCI v3.2.1:2018 (/providers/microsoft.authorization/policysetdefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Allow managing tenant ids to onboard through Azure Lighthouse",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Restricting Azure Lighthouse delegations to specific managing tenants increases security by limiting those who can manage your Azure resources.",
    "metadata": {
      "version": "1.0.1",
      "category": "Lighthouse"
    },
    "parameters": {
      "listOfAllowedTenants": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed tenants",
          "description": "List of the tenants IDs that can be onboarded through Azure Lighthouse"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ManagedServices/registrationDefinitions"
          },
          {
            "not": {
              "field": "Microsoft.ManagedServices/registrationDefinitions/managedByTenantId",
              "in": "[parameters('listOfAllowedTenants')]"
            }
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/7a8a51a3-ad87-4def-96f3-65a1839242b6",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "7a8a51a3-ad87-4def-96f3-65a1839242b6"
}
BuiltIn Lighthouse False False n/a n/a n/a false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Allowed locations",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the 'global' region.",
    "metadata": {
      "version": "1.0.0",
      "category": "General"
    },
    "parameters": {
      "listOfAllowedLocations": {
        "type": "Array",
        "metadata": {
          "description": "The list of locations that can be specified when deploying resources.",
          "strongType": "location",
          "displayName": "Allowed locations"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "location",
            "notIn": "[parameters('listOfAllowedLocations')]"
          },
          {
            "field": "location",
            "notEquals": "global"
          },
          {
            "field": "type",
            "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e56962a6-4747-49cd-b67b-bf8b01975c4c"
}
BuiltIn General False False n/a n/a n/a false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Allowed locations for resource groups",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy enables you to restrict the locations your organization can create resource groups in. Use to enforce your geo-compliance requirements.",
    "metadata": {
      "version": "1.0.0",
      "category": "General"
    },
    "parameters": {
      "listOfAllowedLocations": {
        "type": "Array",
        "metadata": {
          "description": "The list of locations that resource groups can be created in.",
          "strongType": "location",
          "displayName": "Allowed locations"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions/resourceGroups"
          },
          {
            "field": "location",
            "notIn": "[parameters('listOfAllowedLocations')]"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e765b5de-1225-4ba3-bd56-1ac6695af988"
}
BuiltIn General False False n/a n/a n/a false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Allowed resource types",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy enables you to specify the resource types that your organization can deploy. Only resource types that support 'tags' and 'location' will be affected by this policy. To restrict all resources please duplicate this policy and change the 'mode' to 'All'.",
    "metadata": {
      "version": "1.0.0",
      "category": "General"
    },
    "parameters": {
      "listOfResourceTypesAllowed": {
        "type": "Array",
        "metadata": {
          "description": "The list of resource types that can be deployed.",
          "displayName": "Allowed resource types",
          "strongType": "resourceTypes"
        }
      }
    },
    "policyRule": {
      "if": {
        "not": {
          "field": "type",
          "in": "[parameters('listOfResourceTypesAllowed')]"
        }
      },
      "then": {
        "effect": "deny"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "a08ec900-254a-4555-9bf5-e42af04b5c5c"
}
BuiltIn General False False n/a n/a n/a false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Allowed virtual machine size SKUs",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy enables you to specify a set of virtual machine size SKUs that your organization can deploy.",
    "metadata": {
      "version": "1.0.1",
      "category": "Compute"
    },
    "parameters": {
      "listOfAllowedSKUs": {
        "type": "Array",
        "metadata": {
          "description": "The list of size SKUs that can be specified for virtual machines.",
          "displayName": "Allowed Size SKUs",
          "strongType": "VMSKUs"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "not": {
              "field": "Microsoft.Compute/virtualMachines/sku.name",
              "in": "[parameters('listOfAllowedSKUs')]"
            }
          }
        ]
      },
      "then": {
        "effect": "Deny"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/cccc23c7-8427-4f53-ad12-b6a63eb452b3",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "cccc23c7-8427-4f53-ad12-b6a63eb452b3"
}
BuiltIn Compute False False n/a n/a n/a false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Allowlist rules in your adaptive application control policy should be updated",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",
    "metadata": {
      "version": "3.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "Microsoft.Compute/virtualMachines",
          "Microsoft.ClassicCompute/virtualMachines"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "1234abcd-1b53-4fd4-9835-2c2fa3935313",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/123a3936-f020-408a-ba0c-47873faf1534",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "123a3936-f020-408a-ba0c-47873faf1534"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 7 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "An activity log alert should exist for specific Administrative operations",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy audits specific Administrative operations with no activity log alerts configured.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "operationName": {
        "type": "String",
        "metadata": {
          "displayName": "Operation Name",
          "description": "Administrative Operation name for which activity log alert should be configured"
        },
        "allowedValues": [
          "Microsoft.Sql/servers/firewallRules/write",
          "Microsoft.Sql/servers/firewallRules/delete",
          "Microsoft.Network/networkSecurityGroups/write",
          "Microsoft.Network/networkSecurityGroups/delete",
          "Microsoft.ClassicNetwork/networkSecurityGroups/write",
          "Microsoft.ClassicNetwork/networkSecurityGroups/delete",
          "Microsoft.Network/networkSecurityGroups/securityRules/write",
          "Microsoft.Network/networkSecurityGroups/securityRules/delete",
          "Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/write",
          "Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/delete"
        ]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/ActivityLogAlerts",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/ActivityLogAlerts/enabled",
                "equals": "true"
              },
              {
                "count": {
                  "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]",
                  "where": {
                    "anyOf": [
                      {
                        "allOf": [
                          {
                            "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                            "equals": "category"
                          },
                          {
                            "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
                            "equals": "Administrative"
                          }
                        ]
                      },
                      {
                        "allOf": [
                          {
                            "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                            "equals": "operationName"
                          },
                          {
                            "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
                            "equals": "[parameters('operationName')]"
                          }
                        ]
                      }
                    ]
                  }
                },
                "equals": 2
              },
              {
                "not": {
                  "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                  "equals": "category"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                  "equals": "operationName"
                }
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/b954148f-4c11-4c38-8221-be76711e194a",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b954148f-4c11-4c38-8221-be76711e194a"
}
BuiltIn Monitoring False False n/a n/a AuditIfNotExists false 0 n/a true 18 CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de) n/a
{
  "properties": {
    "displayName": "An activity log alert should exist for specific Policy operations",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy audits specific Policy operations with no activity log alerts configured.",
    "metadata": {
      "version": "3.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "operationName": {
        "type": "String",
        "metadata": {
          "displayName": "Operation Name",
          "description": "Policy Operation name for which activity log alert should exist"
        },
        "allowedValues": [
          "Microsoft.Authorization/policyAssignments/write",
          "Microsoft.Authorization/policyAssignments/delete"
        ]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/ActivityLogAlerts",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/ActivityLogAlerts/enabled",
                "equals": "true"
              },
              {
                "count": {
                  "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]",
                  "where": {
                    "anyOf": [
                      {
                        "allOf": [
                          {
                            "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                            "equals": "category"
                          },
                          {
                            "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
                            "equals": "Administrative"
                          }
                        ]
                      },
                      {
                        "allOf": [
                          {
                            "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                            "equals": "operationName"
                          },
                          {
                            "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
                            "equals": "[parameters('operationName')]"
                          }
                        ]
                      }
                    ]
                  }
                },
                "equals": 2
              },
              {
                "not": {
                  "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                  "equals": "category"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                  "equals": "operationName"
                }
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c5447c04-a4d7-4ba8-a263-c9ee321a6858",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c5447c04-a4d7-4ba8-a263-c9ee321a6858"
}
BuiltIn Monitoring False False n/a n/a AuditIfNotExists false 0 n/a true 4 CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de) n/a
{
  "properties": {
    "displayName": "An activity log alert should exist for specific Security operations",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy audits specific Security operations with no activity log alerts configured.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "operationName": {
        "type": "String",
        "metadata": {
          "displayName": "Operation Name",
          "description": "Security Operation name for which activity log alert should exist"
        },
        "allowedValues": [
          "Microsoft.Security/policies/write",
          "Microsoft.Security/securitySolutions/write",
          "Microsoft.Security/securitySolutions/delete"
        ]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/ActivityLogAlerts",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/ActivityLogAlerts/enabled",
                "equals": "true"
              },
              {
                "count": {
                  "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]",
                  "where": {
                    "anyOf": [
                      {
                        "allOf": [
                          {
                            "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                            "equals": "category"
                          },
                          {
                            "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
                            "equals": "Security"
                          }
                        ]
                      },
                      {
                        "allOf": [
                          {
                            "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                            "equals": "operationName"
                          },
                          {
                            "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
                            "equals": "[parameters('operationName')]"
                          }
                        ]
                      }
                    ]
                  }
                },
                "equals": 2
              },
              {
                "not": {
                  "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                  "equals": "category"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                  "equals": "operationName"
                }
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/3b980d31-7904-4bb7-8575-5665739a8052",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "3b980d31-7904-4bb7-8575-5665739a8052"
}
BuiltIn Monitoring False False n/a n/a AuditIfNotExists false 0 n/a true 6 CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de) n/a
{
  "properties": {
    "displayName": "An Azure Active Directory administrator should be provisioned for SQL servers",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services",
    "metadata": {
      "version": "1.0.0",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Sql/servers"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Sql/servers/administrators"
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "1f314764-cb73-4fc9-b863-8eca98ac36e9"
}
BuiltIn SQL False False n/a n/a AuditIfNotExists false 0 n/a true 19 IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), PCI v3.2.1:2018 (/providers/microsoft.authorization/policysetdefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "API App should only be accessible over HTTPS",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.",
    "metadata": {
      "version": "1.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "*api"
          },
          {
            "field": "Microsoft.Web/sites/httpsOnly",
            "equals": "false"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b7ddfbdc-1260-477d-91fd-98bd9be789a6"
}
BuiltIn App Service False False n/a n/a Audit false 0 n/a true 19 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), PCI v3.2.1:2018 (/providers/microsoft.authorization/policysetdefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "API apps should use an Azure file share for its content directory",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "The content directory of an API app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594.",
    "metadata": {
      "version": "1.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "*api"
          },
          {
            "field": "Microsoft.Web/sites/storageAccountRequired",
            "equals": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/324c7761-08db-4474-9661-d1039abc92ee",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "324c7761-08db-4474-9661-d1039abc92ee"
}
BuiltIn App Service False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "API Management service should use a SKU that supports virtual networks",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "With supported SKUs of API Management, deploying service into a virtual network unlocks advanced API Management networking and security features which provides you greater control over your network security configuration. Learn more at: https://aka.ms/apimvnet.",
    "metadata": {
      "version": "1.0.0",
      "category": "API Management"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "listOfAllowedSKUs": {
        "type": "Array",
        "metadata": {
          "description": "The list of SKUs that can be specified for Azure API Management service.",
          "displayName": "Allowed SKUs"
        },
        "allowedValues": [
          "Developer",
          "Basic",
          "Standard",
          "Premium",
          "Isolated",
          "Consumption"
        ],
        "defaultValue": [
          "Developer",
          "Premium",
          "Isolated"
        ]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ApiManagement/service"
          },
          {
            "not": {
              "field": "Microsoft.ApiManagement/service/sku.name",
              "in": "[parameters('listOfAllowedSKUs')]"
            }
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/73ef9241-5d81-4cd4-b483-8443d1730fe5",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "73ef9241-5d81-4cd4-b483-8443d1730fe5"
}
BuiltIn API Management False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "API Management services should use a virtual network",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network.",
    "metadata": {
      "version": "1.0.1",
      "category": "API Management"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "evaluatedSkuNames": {
        "type": "Array",
        "metadata": {
          "displayName": "API Management SKU Names",
          "description": "List of API Management SKUs against which this policy will be evaluated."
        },
        "allowedValues": [
          "Developer",
          "Basic",
          "Standard",
          "Premium",
          "Consumption"
        ],
        "defaultValue": [
          "Developer",
          "Premium"
        ]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ApiManagement/service"
          },
          {
            "field": "Microsoft.ApiManagement/service/sku.name",
            "in": "[parameters('evaluatedSkuNames')]"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.ApiManagement/service/virtualNetworkType",
                "exists": "false"
              },
              {
                "field": "Microsoft.ApiManagement/service/virtualNetworkType",
                "equals": "None"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ef619a2c-cc4d-4d03-b2ba-8c94a834d85b"
}
BuiltIn API Management False False n/a n/a Audit false 0 n/a true 7 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "App Configuration should disable public network access",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/appconfig/private-endpoint.",
    "metadata": {
      "version": "1.0.0",
      "category": "App Configuration"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.AppConfiguration/configurationStores"
          },
          {
            "field": "Microsoft.AppConfiguration/configurationStores/publicNetworkAccess",
            "notEquals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/3d9f5e4c-9947-4579-9539-2a7695fbc187",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "3d9f5e4c-9947-4579-9539-2a7695fbc187"
}
BuiltIn App Configuration False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "App Configuration should use a customer-managed key",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Customer-managed keys provide enhanced data protection by allowing you to manage your encryption keys. This is often required to meet compliance requirements.",
    "metadata": {
      "version": "1.1.0",
      "category": "App Configuration"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.AppConfiguration/configurationStores"
          },
          {
            "field": "Microsoft.AppConfiguration/configurationStores/encryption.keyVaultProperties.keyIdentifier",
            "exists": "false"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/967a4b4b-2da9-43c1-b7d0-f98d0d74d0b1",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "967a4b4b-2da9-43c1-b7d0-f98d0d74d0b1"
}
BuiltIn App Configuration False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "App Configuration should use a SKU that supports private link",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "When using a supported SKU, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint.",
    "metadata": {
      "version": "1.0.0",
      "category": "App Configuration"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.AppConfiguration/configurationStores"
          },
          {
            "field": "Microsoft.AppConfiguration/configurationStores/sku.name",
            "equals": "Free"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/89c8a434-18f0-402c-8147-630a8dea54e0",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "89c8a434-18f0-402c-8147-630a8dea54e0"
}
BuiltIn App Configuration False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "App Configuration should use private link",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint.",
    "metadata": {
      "version": "1.0.2",
      "category": "App Configuration"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.AppConfiguration/configurationStores"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.AppConfiguration/configurationStores/privateEndpointConnections",
          "existenceCondition": {
            "field": "Microsoft.AppConfiguration/configurationStores/privateEndpointConnections/privateLinkServiceConnectionState.status",
            "equals": "Approved"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/ca610c1d-041c-4332-9d88-7ed3094967c7",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ca610c1d-041c-4332-9d88-7ed3094967c7"
}
BuiltIn App Configuration False False n/a n/a AuditIfNotExists false 0 n/a true 7 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "App Configuration stores should have local authentication methods disabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disabling local authentication methods improves security by ensuring that App Configuration stores require Azure Active Directory identities exclusively for authentication. Learn more at: https://go.microsoft.com/fwlink/?linkid=2161954.",
    "metadata": {
      "version": "1.0.0",
      "category": "App Configuration"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.AppConfiguration/configurationStores"
          },
          {
            "field": "Microsoft.AppConfiguration/configurationStores/disableLocalAuth",
            "notEquals": true
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/b08ab3ca-1062-4db3-8803-eec9cae605d6",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b08ab3ca-1062-4db3-8803-eec9cae605d6"
}
BuiltIn App Configuration False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "App Service Apps should be injected into a virtual network",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Injecting App Service Apps in a virtual network unlocks advanced App Service networking and security features and provides you with greater control over your network security configuration. Learn more at: https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet.",
    "metadata": {
      "version": "1.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "Microsoft.Web/sites/virtualNetworkSubnetId",
            "equals": ""
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/72d04c29-f87d-4575-9731-419ff16a2757",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "72d04c29-f87d-4575-9731-419ff16a2757"
}
BuiltIn App Service False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app.",
    "metadata": {
      "version": "1.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Web/sites"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "name": "web",
          "existenceCondition": {
            "field": "Microsoft.Web/sites/config/vnetRouteAllEnabled",
            "equals": "true"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/33228571-70a4-4fa1-8ca1-26d0aba8d6ef",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "33228571-70a4-4fa1-8ca1-26d0aba8d6ef"
}
BuiltIn App Service False False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "App Service apps should use a SKU that supports private link",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link.",
    "metadata": {
      "version": "1.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/serverFarms"
          },
          {
            "field": "Microsoft.Web/serverFarms/sku.family",
            "notIn": [
              "Pv2",
              "Pv3",
              "EP",
              "P",
              "I",
              "Iv2"
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/546fe8d2-368d-4029-a418-6af48a7f61e5",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "546fe8d2-368d-4029-a418-6af48a7f61e5"
}
BuiltIn App Service False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "App Service Environment apps should not be reachable over public internet",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "To ensure apps deployed in an App Service Environment are not accessible over public internet, one should deploy App Service Environment with an IP address in virtual network. To set the IP address to a virtual network IP, the App Service Environment must be deployed with an internal load balancer.",
    "metadata": {
      "version": "1.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/hostingEnvironments"
          },
          {
            "field": "kind",
            "like": "ASE*"
          },
          {
            "anyOf": [
              {
                "allOf": [
                  {
                    "value": "[requestContext().apiVersion]",
                    "less": "2018-02-01"
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Web/HostingEnvironments/internalLoadBalancingMode",
                        "notContains": "2"
                      },
                      {
                        "field": "Microsoft.Web/HostingEnvironments/internalLoadBalancingMode",
                        "notContains": "3"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "value": "[requestContext().apiVersion]",
                    "greaterOrEquals": "2018-02-01"
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Web/HostingEnvironments/internalLoadBalancingMode",
                        "notContains": "Web"
                      },
                      {
                        "field": "Microsoft.Web/HostingEnvironments/internalLoadBalancingMode",
                        "notContains": "Publishing"
                      }
                    ]
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "2d048aca-6479-4923-88f5-e2ac295d9af3"
}
BuiltIn App Service False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "App Service Environment should be configured with strongest TLS Cipher suites",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "The two most minimal and strongest cipher suites required for App Service Environment to function correctly are : TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.",
    "metadata": {
      "version": "1.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "kind",
            "like": "ASE*"
          },
          {
            "field": "type",
            "equals": "Microsoft.Web/hostingEnvironments"
          },
          {
            "count": {
              "field": "Microsoft.Web/HostingEnvironments/clusterSettings[*]",
              "where": {
                "allOf": [
                  {
                    "field": "Microsoft.Web/HostingEnvironments/clusterSettings[*].name",
                    "contains": "FrontEndSSLCipherSuiteOrder"
                  },
                  {
                    "field": "Microsoft.Web/HostingEnvironments/clusterSettings[*].value",
                    "contains": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
                  },
                  {
                    "field": "Microsoft.Web/HostingEnvironments/clusterSettings[*].value",
                    "contains": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
                  },
                  {
                    "value": "[less(length(field('Microsoft.Web/HostingEnvironments/clusterSettings[*].value')), 80)]",
                    "equals": "true"
                  }
                ]
              }
            },
            "less": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/817dcf37-e83d-4999-a472-644eada2ea1e",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "817dcf37-e83d-4999-a472-644eada2ea1e"
}
BuiltIn App Service False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "App Service Environment should be provisioned with latest versions",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Only allow App Service Environment version 2 or version 3 to be provisioned. Older versions of App Service Environment require manual management of Azure resources and have greater scaling limitations.",
    "metadata": {
      "version": "1.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/hostingEnvironments"
          },
          {
            "field": "kind",
            "equals": "ASEV1"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/eb4d34ab-0929-491c-bbf3-61e13da19f9a",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "eb4d34ab-0929-491c-bbf3-61e13da19f9a"
}
BuiltIn App Service False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "App Service Environment should disable TLS 1.0 and 1.1",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "TLS 1.0 and 1.1 are out-of-date protocols that do not support modern cryptographic algorithms. Disabling inbound TLS 1.0 and 1.1 traffic helps secure apps in an App Service Environment.",
    "metadata": {
      "version": "2.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/hostingEnvironments"
          },
          {
            "field": "kind",
            "like": "ASE*"
          },
          {
            "count": {
              "field": "Microsoft.Web/HostingEnvironments/clusterSettings[*]",
              "where": {
                "allOf": [
                  {
                    "field": "Microsoft.Web/HostingEnvironments/clusterSettings[*].name",
                    "equals": "DisableTls1.0"
                  },
                  {
                    "field": "Microsoft.Web/HostingEnvironments/clusterSettings[*].value",
                    "equals": "1"
                  }
                ]
              }
            },
            "less": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "d6545c6b-dd9d-4265-91e6-0b451e2f1c50"
}
BuiltIn App Service False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "App Service Environment should enable internal encryption",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Setting InternalEncryption to true encrypts the pagefile, worker disks, and internal network traffic between the front ends and workers in an App Service Environment. To learn more, refer to https://docs.microsoft.com/azure/app-service/environment/app-service-app-service-environment-custom-settings#enable-internal-encryption.",
    "metadata": {
      "version": "1.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/hostingEnvironments"
          },
          {
            "field": "kind",
            "like": "ASE*"
          },
          {
            "count": {
              "field": "Microsoft.Web/HostingEnvironments/clusterSettings[*]",
              "where": {
                "allOf": [
                  {
                    "field": "Microsoft.Web/HostingEnvironments/clusterSettings[*].name",
                    "equals": "InternalEncryption"
                  },
                  {
                    "field": "Microsoft.Web/HostingEnvironments/clusterSettings[*].value",
                    "equals": "true"
                  }
                ]
              }
            },
            "less": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/fb74e86f-d351-4b8d-b034-93da7391c01f",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "fb74e86f-d351-4b8d-b034-93da7391c01f"
}
BuiltIn App Service False False n/a n/a Audit false 0 n/a true 4 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "App Service should use a virtual network service endpoint",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy audits any App Service not configured to use a virtual network service endpoint.",
    "metadata": {
      "version": "1.0.0",
      "category": "Network"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "app*"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/virtualNetworkConnections",
          "existenceCondition": {
            "field": "Microsoft.Web/sites/virtualnetworkconnections/vnetResourceId",
            "exists": "true"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/2d21331d-a4c2-4def-a9ad-ee4e1e023beb",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "2d21331d-a4c2-4def-a9ad-ee4e1e023beb"
}
BuiltIn Network False False n/a n/a AuditIfNotExists false 0 n/a true 2 [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab) n/a
{
  "properties": {
    "displayName": "App Service should use private link",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to App Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link.",
    "metadata": {
      "version": "1.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Web/sites"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/privateEndpointConnections",
          "existenceCondition": {
            "field": "Microsoft.Web/sites/privateEndpointConnections/privateLinkServiceConnectionState.status",
            "equals": "Approved"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/687aa49d-0982-40f8-bf6b-66d1da97a04b",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "687aa49d-0982-40f8-bf6b-66d1da97a04b"
}
BuiltIn App Service False False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "App Services should disable public network access",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disabling public network access improves security by ensuring that the App Service is not exposed on the public internet. Creating private endpoints can limit exposure of an App Service. Learn more at: https://aka.ms/app-service-private-endpoint.",
    "metadata": {
      "version": "1.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Web/sites"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "name": "web",
          "existenceCondition": {
            "field": "Microsoft.Web/sites/config/publicNetworkAccess",
            "equals": "Disabled"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/63a0ac64-5d5f-4569-8a3d-df67cc1ce9d7",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "63a0ac64-5d5f-4569-8a3d-df67cc1ce9d7"
}
BuiltIn App Service False False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Append a tag and its value from the resource group",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Appends the specified tag with its value from the resource group when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc).",
    "metadata": {
      "version": "1.0.0",
      "category": "Tags"
    },
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Name",
          "description": "Name of the tag, such as 'environment'"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "exists": "false"
          },
          {
            "value": "[resourceGroup().tags[parameters('tagName')]]",
            "notEquals": ""
          }
        ]
      },
      "then": {
        "effect": "append",
        "details": [
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "value": "[resourceGroup().tags[parameters('tagName')]]"
          }
        ]
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/9ea02ca2-71db-412d-8b00-7c7ca9fcd32d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "9ea02ca2-71db-412d-8b00-7c7ca9fcd32d"
}
BuiltIn Tags False False n/a n/a n/a false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Append a tag and its value to resource groups",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Appends the specified tag and value when any resource group which is missing this tag is created or updated. Does not modify the tags of resource groups created before this policy was applied until those resource groups are changed. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc).",
    "metadata": {
      "version": "1.0.0",
      "category": "Tags"
    },
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Name",
          "description": "Name of the tag, such as 'environment'"
        }
      },
      "tagValue": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Value",
          "description": "Value of the tag, such as 'production'"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions/resourceGroups"
          },
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "exists": "false"
          }
        ]
      },
      "then": {
        "effect": "append",
        "details": [
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "value": "[parameters('tagValue')]"
          }
        ]
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/49c88fc8-6fd1-46fd-a676-f12d1d3a4c71",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "49c88fc8-6fd1-46fd-a676-f12d1d3a4c71"
}
BuiltIn Tags False False n/a n/a n/a false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Append a tag and its value to resources",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Appends the specified tag and value when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. Does not apply to resource groups. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc).",
    "metadata": {
      "version": "1.0.1",
      "category": "Tags"
    },
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Name",
          "description": "Name of the tag, such as 'environment'"
        }
      },
      "tagValue": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Value",
          "description": "Value of the tag, such as 'production'"
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "[concat('tags[', parameters('tagName'), ']')]",
        "exists": "false"
      },
      "then": {
        "effect": "append",
        "details": [
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "value": "[parameters('tagValue')]"
          }
        ]
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/2a0e14a6-b0a6-4fab-991a-187a4f81c498",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "2a0e14a6-b0a6-4fab-991a-187a4f81c498"
}
BuiltIn Tags False False n/a n/a n/a false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Application definition for Managed Application should use customer provided storage account",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use your own storage account to control the application definition data when this is a regulatory or compliance requirement. You can choose to store your managed application definition within a storage account provided by you during creation, so that its location and access can be fully managed by you to fulfill regulatory compliance requirements.",
    "metadata": {
      "version": "1.0.0",
      "category": "Managed Application"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Solutions/applicationDefinitions"
          },
          {
            "field": "Microsoft.Solutions/applicationDefinitions/storageAccountId",
            "exists": "false"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/9db7917b-1607-4e7d-a689-bca978dd0633",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "9db7917b-1607-4e7d-a689-bca978dd0633"
}
BuiltIn Managed Application False False n/a n/a audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Application Gateway should be deployed with WAF enabled",
    "policyType": "Custom",
    "mode": "All",
    "description": "This policy enables you to restrict that Application Gateways is always deployed with WAF enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Network",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.3346641Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/applicationGateways"
          },
          {
            "field": "Microsoft.Network/applicationGateways/sku.name",
            "notequals": "WAF_v2"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGW-Without-WAF",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deny-AppGW-Without-WAF"
}
Custom Network False False Mg ESJH (ESJH) Deny false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Application Insights components should block log ingestion and querying from public networks",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Improve Application Insights security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs of this component. Learn more at https://aka.ms/AzMonPrivateLink#configure-application-insights.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The effect determines what happens when the policy rule is evaluated to match"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Insights/components"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Insights/components/publicNetworkAccessForIngestion",
                "notEquals": "disabled"
              },
              {
                "field": "Microsoft.Insights/components/publicNetworkAccessForQuery",
                "notEquals": "disabled"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/1bc02227-0cb6-4e11-8f53-eb0b22eab7e8",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "1bc02227-0cb6-4e11-8f53-eb0b22eab7e8"
}
BuiltIn Monitoring False False n/a n/a audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Application Insights components should block non-Azure Active Directory based ingestion.",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Enforcing log ingestion to require Azure Active Directory authentication prevents unauthenticated logs from an attacker which could lead to incorrect status, false alerts, and incorrect logs stored in the system.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Deny",
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Insights/components"
          },
          {
            "field": "Microsoft.Insights/components/DisableLocalAuth",
            "notEquals": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/199d5677-e4d9-4264-9465-efe1839c06bd",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "199d5677-e4d9-4264-9465-efe1839c06bd"
}
BuiltIn Monitoring False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Application Insights components with Private Link enabled should use Bring Your Own Storage accounts for profiler and debugger.",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "To support private link and customer-managed key policies, create your own storage account for profiler and debugger. Learn more in https://docs.microsoft.com/azure/azure-monitor/app/profiler-bring-your-own-storage",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Deny",
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Insights/components"
          },
          {
            "field": "Microsoft.Insights/components/ForceCustomerStorageForProfiler",
            "notEquals": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0c4bd2e8-8872-4f37-a654-03f6f38ddc76",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0c4bd2e8-8872-4f37-a654-03f6f38ddc76"
}
BuiltIn Monitoring False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Audit delegation of scopes to a managing tenant",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Audit delegation of scopes to a managing tenant via Azure Lighthouse.",
    "metadata": {
      "version": "1.0.0",
      "category": "Lighthouse"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ManagedServices/registrationAssignments"
          },
          {
            "value": "true",
            "equals": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/76bed37b-484f-430f-a009-fd7592dff818",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "76bed37b-484f-430f-a009-fd7592dff818"
}
BuiltIn Lighthouse False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Audit diagnostic setting",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Audit diagnostic setting for selected resource types",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "listOfResourceTypes": {
        "type": "Array",
        "metadata": {
          "displayName": "Resource Types",
          "strongType": "resourceTypes"
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": "[parameters('listOfResourceTypes')]"
      },
      "then": {
        "effect": "AuditIfNotExists",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "7f89b1eb-583c-429a-8828-af049802c1d9"
}
BuiltIn Monitoring False False n/a n/a n/a false 0 n/a true 12 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), PCI v3.2.1:2018 (/providers/microsoft.authorization/policysetdefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de) n/a
{
  "properties": {
    "displayName": "Audit Linux machines that allow remote connections from accounts without passwords",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords",
    "metadata": {
      "category": "Guest Configuration",
      "version": "1.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "PasswordPolicy_msid110",
        "version": "1.*"
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "microsoft-aks",
                      "qubole-inc",
                      "datastax",
                      "couchbase",
                      "scalegrid",
                      "checkpoint",
                      "paloaltonetworks",
                      "debian"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "OpenLogic"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "CentOS*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Oracle"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "Oracle-Linux"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "RedHat"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "RHEL",
                          "RHEL-HA",
                          "RHEL-SAP",
                          "RHEL-SAP-APPS",
                          "RHEL-SAP-HA",
                          "RHEL-SAP-HANA"
                        ]
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "RedHat"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "osa",
                          "rhel-byos"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "cis-centos-7-l1",
                          "cis-centos-7-v2-1-1-l1",
                          "cis-centos-8-l1",
                          "cis-debian-linux-8-l1",
                          "cis-debian-linux-9-l1",
                          "cis-nginx-centos-7-v1-1-0-l1",
                          "cis-oracle-linux-7-v2-0-0-l1",
                          "cis-oracle-linux-8-l1",
                          "cis-postgresql-11-centos-linux-7-level-1",
                          "cis-rhel-7-l2",
                          "cis-rhel-7-v2-2-0-l1",
                          "cis-rhel-8-l1",
                          "cis-suse-linux-12-v2-0-0-l1",
                          "cis-ubuntu-linux-1604-v1-0-0-l1",
                          "cis-ubuntu-linux-1804-l1"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "credativ"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "Debian"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "7*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Suse"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "SLES*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "11*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Canonical"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "UbuntuServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "12*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "linux-data-science-vm-ubuntu",
                          "azureml"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloudera"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "cloudera-centos-os"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloudera"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "cloudera-altus-centos-os"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "linux*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Linux*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "exists": "false"
                          },
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "notIn": [
                              "OpenLogic",
                              "RedHat",
                              "credativ",
                              "Suse",
                              "Canonical",
                              "microsoft-dsvm",
                              "cloudera",
                              "microsoft-ads",
                              "center-for-internet-security-inc",
                              "Oracle"
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "linux*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "PasswordPolicy_msid110",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/ea53dbee-c6c9-4f0e-9f9e-de0039b78023",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ea53dbee-c6c9-4f0e-9f9e-de0039b78023"
}
BuiltIn Guest Configuration False False n/a n/a AuditIfNotExists false 0 n/a true 16 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), Audit machines with insecure password security settings (/providers/microsoft.authorization/policysetdefinitions/095e4ed9-c835-4ab6-9439-b5644362a06c), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), [Preview]: Motion Picture Association of America (MPAA) (/providers/microsoft.authorization/policysetdefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Audit Linux machines that do not have the passwd file permissions set to 0644",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644",
    "metadata": {
      "category": "Guest Configuration",
      "version": "1.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "PasswordPolicy_msid121",
        "version": "1.*"
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "microsoft-aks",
                      "qubole-inc",
                      "datastax",
                      "couchbase",
                      "scalegrid",
                      "checkpoint",
                      "paloaltonetworks",
                      "debian"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "OpenLogic"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "CentOS*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Oracle"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "Oracle-Linux"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "RedHat"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "RHEL",
                          "RHEL-HA",
                          "RHEL-SAP",
                          "RHEL-SAP-APPS",
                          "RHEL-SAP-HA",
                          "RHEL-SAP-HANA"
                        ]
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "RedHat"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "osa",
                          "rhel-byos"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "cis-centos-7-l1",
                          "cis-centos-7-v2-1-1-l1",
                          "cis-centos-8-l1",
                          "cis-debian-linux-8-l1",
                          "cis-debian-linux-9-l1",
                          "cis-nginx-centos-7-v1-1-0-l1",
                          "cis-oracle-linux-7-v2-0-0-l1",
                          "cis-oracle-linux-8-l1",
                          "cis-postgresql-11-centos-linux-7-level-1",
                          "cis-rhel-7-l2",
                          "cis-rhel-7-v2-2-0-l1",
                          "cis-rhel-8-l1",
                          "cis-suse-linux-12-v2-0-0-l1",
                          "cis-ubuntu-linux-1604-v1-0-0-l1",
                          "cis-ubuntu-linux-1804-l1"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "credativ"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "Debian"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "7*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Suse"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "SLES*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "11*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Canonical"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "UbuntuServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "12*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "linux-data-science-vm-ubuntu",
                          "azureml"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloudera"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "cloudera-centos-os"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloudera"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "cloudera-altus-centos-os"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "linux*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Linux*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "exists": "false"
                          },
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "notIn": [
                              "OpenLogic",
                              "RedHat",
                              "credativ",
                              "Suse",
                              "Canonical",
                              "microsoft-dsvm",
                              "cloudera",
                              "microsoft-ads",
                              "center-for-internet-security-inc",
                              "Oracle"
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "linux*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "PasswordPolicy_msid121",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e6955644-301c-44b5-a4c4-528577de6861",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e6955644-301c-44b5-a4c4-528577de6861"
}
BuiltIn Guest Configuration False False n/a n/a AuditIfNotExists false 0 n/a true 14 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), Audit machines with insecure password security settings (/providers/microsoft.authorization/policysetdefinitions/095e4ed9-c835-4ab6-9439-b5644362a06c), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Audit Linux machines that don't have the specified applications installed",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are not installed.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "3.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "installed_application_linux",
        "version": "1.*",
        "configurationParameter": {
          "ApplicationName": "[ChefInSpec]InstalledApplicationLinuxResource1;AttributesYmlContent"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "ApplicationName": {
        "type": "String",
        "metadata": {
          "displayName": "Application names",
          "description": "A semicolon-separated list of the names of the applications that should be installed. e.g. 'python; powershell'"
        }
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "microsoft-aks",
                      "qubole-inc",
                      "datastax",
                      "couchbase",
                      "scalegrid",
                      "checkpoint",
                      "paloaltonetworks",
                      "debian"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "OpenLogic"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "CentOS*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Oracle"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "Oracle-Linux"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "RedHat"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "RHEL",
                          "RHEL-HA",
                          "RHEL-SAP",
                          "RHEL-SAP-APPS",
                          "RHEL-SAP-HA",
                          "RHEL-SAP-HANA"
                        ]
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "RedHat"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "osa",
                          "rhel-byos"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "cis-centos-7-l1",
                          "cis-centos-7-v2-1-1-l1",
                          "cis-centos-8-l1",
                          "cis-debian-linux-8-l1",
                          "cis-debian-linux-9-l1",
                          "cis-nginx-centos-7-v1-1-0-l1",
                          "cis-oracle-linux-7-v2-0-0-l1",
                          "cis-oracle-linux-8-l1",
                          "cis-postgresql-11-centos-linux-7-level-1",
                          "cis-rhel-7-l2",
                          "cis-rhel-7-v2-2-0-l1",
                          "cis-rhel-8-l1",
                          "cis-suse-linux-12-v2-0-0-l1",
                          "cis-ubuntu-linux-1604-v1-0-0-l1",
                          "cis-ubuntu-linux-1804-l1"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "credativ"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "Debian"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "7*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Suse"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "SLES*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "11*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Canonical"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "UbuntuServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "12*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "linux-data-science-vm-ubuntu",
                          "azureml"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloudera"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "cloudera-centos-os"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloudera"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "cloudera-altus-centos-os"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "linux*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Linux*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "exists": "false"
                          },
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "notIn": [
                              "OpenLogic",
                              "RedHat",
                              "credativ",
                              "Suse",
                              "Canonical",
                              "microsoft-dsvm",
                              "cloudera",
                              "microsoft-ads",
                              "center-for-internet-security-inc",
                              "Oracle"
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "linux*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "installed_application_linux",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('[ChefInSpec]InstalledApplicationLinuxResource1;AttributesYmlContent', '=', parameters('ApplicationName')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/d3b823c9-e0fc-4453-9fb2-8213b7338523",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "d3b823c9-e0fc-4453-9fb2-8213b7338523"
}
BuiltIn Guest Configuration False False n/a n/a n/a false 0 n/a true 1 [Preview]: Motion Picture Association of America (MPAA) (/providers/microsoft.authorization/policysetdefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8) n/a
{
  "properties": {
    "displayName": "Audit Linux machines that have accounts without passwords",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that have accounts without passwords",
    "metadata": {
      "category": "Guest Configuration",
      "version": "1.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "PasswordPolicy_msid232",
        "version": "1.*"
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "microsoft-aks",
                      "qubole-inc",
                      "datastax",
                      "couchbase",
                      "scalegrid",
                      "checkpoint",
                      "paloaltonetworks",
                      "debian"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "OpenLogic"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "CentOS*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Oracle"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "Oracle-Linux"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "RedHat"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "RHEL",
                          "RHEL-HA",
                          "RHEL-SAP",
                          "RHEL-SAP-APPS",
                          "RHEL-SAP-HA",
                          "RHEL-SAP-HANA"
                        ]
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "RedHat"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "osa",
                          "rhel-byos"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "cis-centos-7-l1",
                          "cis-centos-7-v2-1-1-l1",
                          "cis-centos-8-l1",
                          "cis-debian-linux-8-l1",
                          "cis-debian-linux-9-l1",
                          "cis-nginx-centos-7-v1-1-0-l1",
                          "cis-oracle-linux-7-v2-0-0-l1",
                          "cis-oracle-linux-8-l1",
                          "cis-postgresql-11-centos-linux-7-level-1",
                          "cis-rhel-7-l2",
                          "cis-rhel-7-v2-2-0-l1",
                          "cis-rhel-8-l1",
                          "cis-suse-linux-12-v2-0-0-l1",
                          "cis-ubuntu-linux-1604-v1-0-0-l1",
                          "cis-ubuntu-linux-1804-l1"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "credativ"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "Debian"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "7*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Suse"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "SLES*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "11*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Canonical"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "UbuntuServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "12*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "linux-data-science-vm-ubuntu",
                          "azureml"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloudera"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "cloudera-centos-os"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloudera"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "cloudera-altus-centos-os"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "linux*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Linux*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "exists": "false"
                          },
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "notIn": [
                              "OpenLogic",
                              "RedHat",
                              "credativ",
                              "Suse",
                              "Canonical",
                              "microsoft-dsvm",
                              "cloudera",
                              "microsoft-ads",
                              "center-for-internet-security-inc",
                              "Oracle"
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "linux*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "PasswordPolicy_msid232",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/f6ec09a3-78bf-4f8f-99dc-6c77182d0f99",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "f6ec09a3-78bf-4f8f-99dc-6c77182d0f99"
}
BuiltIn Guest Configuration False False n/a n/a AuditIfNotExists false 0 n/a true 15 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), Audit machines with insecure password security settings (/providers/microsoft.authorization/policysetdefinitions/095e4ed9-c835-4ab6-9439-b5644362a06c), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Audit Linux machines that have the specified applications installed",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are installed.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "3.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "not_installed_application_linux",
        "version": "1.*",
        "configurationParameter": {
          "ApplicationName": "[ChefInSpec]NotInstalledApplicationLinuxResource1;AttributesYmlContent"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "ApplicationName": {
        "type": "String",
        "metadata": {
          "displayName": "Application names",
          "description": "A semicolon-separated list of the names of the applications that should not be installed. e.g. 'python; powershell'"
        }
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "microsoft-aks",
                      "qubole-inc",
                      "datastax",
                      "couchbase",
                      "scalegrid",
                      "checkpoint",
                      "paloaltonetworks",
                      "debian"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "OpenLogic"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "CentOS*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Oracle"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "Oracle-Linux"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "RedHat"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "RHEL",
                          "RHEL-HA",
                          "RHEL-SAP",
                          "RHEL-SAP-APPS",
                          "RHEL-SAP-HA",
                          "RHEL-SAP-HANA"
                        ]
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "RedHat"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "osa",
                          "rhel-byos"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "cis-centos-7-l1",
                          "cis-centos-7-v2-1-1-l1",
                          "cis-centos-8-l1",
                          "cis-debian-linux-8-l1",
                          "cis-debian-linux-9-l1",
                          "cis-nginx-centos-7-v1-1-0-l1",
                          "cis-oracle-linux-7-v2-0-0-l1",
                          "cis-oracle-linux-8-l1",
                          "cis-postgresql-11-centos-linux-7-level-1",
                          "cis-rhel-7-l2",
                          "cis-rhel-7-v2-2-0-l1",
                          "cis-rhel-8-l1",
                          "cis-suse-linux-12-v2-0-0-l1",
                          "cis-ubuntu-linux-1604-v1-0-0-l1",
                          "cis-ubuntu-linux-1804-l1"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "credativ"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "Debian"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "7*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Suse"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "SLES*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "11*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Canonical"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "UbuntuServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "12*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "linux-data-science-vm-ubuntu",
                          "azureml"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloudera"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "cloudera-centos-os"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloudera"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "cloudera-altus-centos-os"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "linux*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Linux*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "exists": "false"
                          },
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "notIn": [
                              "OpenLogic",
                              "RedHat",
                              "credativ",
                              "Suse",
                              "Canonical",
                              "microsoft-dsvm",
                              "cloudera",
                              "microsoft-ads",
                              "center-for-internet-security-inc",
                              "Oracle"
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "linux*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "not_installed_application_linux",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('[ChefInSpec]NotInstalledApplicationLinuxResource1;AttributesYmlContent', '=', parameters('ApplicationName')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0447bc18-e2f7-4c0d-aa20-bff034275be1",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0447bc18-e2f7-4c0d-aa20-bff034275be1"
}
BuiltIn Guest Configuration False False n/a n/a n/a false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Audit resource location matches resource group location",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Audit that the resource location matches its resource group location",
    "metadata": {
      "version": "2.0.0",
      "category": "General"
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "location",
            "notEquals": "[resourcegroup().location]"
          },
          {
            "field": "location",
            "notEquals": "global"
          }
        ]
      },
      "then": {
        "effect": "audit"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0a914e76-4921-4c19-b460-a2d36003525a"
}
BuiltIn General False False n/a n/a n/a false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Audit usage of custom RBAC rules",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling",
    "metadata": {
      "version": "1.0.0",
      "category": "General"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Authorization/roleDefinitions"
          },
          {
            "field": "Microsoft.Authorization/roleDefinitions/type",
            "equals": "CustomRole"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "a451c1ef-c6ca-483d-87ed-f49761e3ffb5"
}
BuiltIn General False False n/a n/a Audit false 0 n/a true 15 IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), PCI v3.2.1:2018 (/providers/microsoft.authorization/policysetdefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Audit virtual machines without disaster recovery configured",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://aka.ms/asr-doc.",
    "metadata": {
      "version": "1.0.0",
      "category": "Compute"
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "Microsoft.Compute/virtualMachines",
          "Microsoft.ClassicCompute/virtualMachines"
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.Resources/links",
          "existenceCondition": {
            "field": "name",
            "like": "ASR-Protect-*"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56"
}
BuiltIn Compute False False n/a n/a n/a true 1 /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/microsoft.authorization/policyassignments/bcee1466e4fc4114b5e5f03d (Audit virtual machines without disaster recovery configured) true 12 IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Audit VMs that do not use managed disks",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy audits VMs that do not use managed disks",
    "metadata": {
      "version": "1.0.0",
      "category": "Compute"
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/osDisk.uri",
                "exists": "True"
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/VirtualMachineScaleSets"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/VirtualMachineScaleSets/osDisk.vhdContainers",
                    "exists": "True"
                  },
                  {
                    "field": "Microsoft.Compute/VirtualMachineScaleSets/osdisk.imageUrl",
                    "exists": "True"
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "audit"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "06a78e20-9358-41c9-923c-fb736d382a4d"
}
BuiltIn Compute False False n/a n/a n/a true 5 /providers/microsoft.management/managementgroups/cust_t5/providers/microsoft.authorization/policyassignments/aa4f4fdfd3b04fb3962a9da9 (APA Audit VMs that do not use managed disks), /providers/microsoft.management/managementgroups/esjh-sandboxes/providers/microsoft.authorization/policyassignments/8d73a6aa8a0a4ea2b58de2b1 (Audit VMs that do not use managed disks), /providers/microsoft.management/managementgroups/esjh-sandboxes/providers/microsoft.authorization/policyassignments/8d73a6aa8a0a4ea2b58de2b2 (APA Audit VMs that do not use managed disks), /providers/microsoft.management/managementgroups/esjh-sandboxes/providers/microsoft.authorization/policyassignments/8d73a6aa8a0a4ea2b58de2b3 (APA2 Audit VMs that do not use managed disks), /providers/microsoft.management/managementgroups/esjh-sandboxes/providers/microsoft.authorization/policyassignments/8d73a6aa8a0a4ea2b58de2b4 (APA3 Audit VMs that do not use managed disks) true 4 UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2) n/a
{
  "properties": {
    "displayName": "Audit Windows machines missing any of specified members in the Administrators group",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "1.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "AdministratorsGroupMembersToInclude",
        "version": "1.*",
        "configurationParameter": {
          "MembersToInclude": "[LocalGroup]AdministratorsGroup;MembersToInclude"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "MembersToInclude": {
        "type": "String",
        "metadata": {
          "displayName": "Members to include",
          "description": "A semicolon-separated list of members that should be included in the Administrators local group. Ex: Administrator; myUser1; myUser2"
        }
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AdministratorsGroupMembersToInclude",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('[LocalGroup]AdministratorsGroup;MembersToInclude', '=', parameters('MembersToInclude')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7"
}
BuiltIn Guest Configuration False False n/a n/a n/a false 0 n/a true 9 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a) n/a
{
  "properties": {
    "displayName": "Audit Windows machines network connectivity",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if a network connection status to an IP and TCP port does not match the policy parameter.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "1.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "WindowsRemoteConnection",
        "version": "1.*",
        "configurationParameter": {
          "host": "[WindowsRemoteConnection]WindowsRemoteConnection1;host",
          "port": "[WindowsRemoteConnection]WindowsRemoteConnection1;port",
          "shouldConnect": "[WindowsRemoteConnection]WindowsRemoteConnection1;shouldConnect"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "host": {
        "type": "String",
        "metadata": {
          "displayName": "Remote Host Name",
          "description": "Specifies the Domain Name System (DNS) name or IP address of the remote host machine."
        }
      },
      "port": {
        "type": "String",
        "metadata": {
          "displayName": "Port",
          "description": "The TCP port number on the remote host name."
        }
      },
      "shouldConnect": {
        "type": "String",
        "metadata": {
          "displayName": "Should connect to remote host",
          "description": "The machine will be non-compliant if it can't establish a connection."
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "False"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "WindowsRemoteConnection",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('[WindowsRemoteConnection]WindowsRemoteConnection1;host', '=', parameters('host'), ',', '[WindowsRemoteConnection]WindowsRemoteConnection1;port', '=', parameters('port'), ',', '[WindowsRemoteConnection]WindowsRemoteConnection1;shouldConnect', '=', parameters('shouldConnect')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/630ac30f-a234-4533-ac2d-e0df77acda51",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "630ac30f-a234-4533-ac2d-e0df77acda51"
}
BuiltIn Guest Configuration False False n/a n/a n/a false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Audit Windows machines on which the DSC configuration is not compliant",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-DSCConfigurationStatus returns that the DSC configuration for the machine is not compliant.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "1.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "WindowsDscConfiguration",
        "version": "1.*"
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "WindowsDscConfiguration",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/08a2f2d2-94b2-4a7b-aa3b-bb3f523ee6fd",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "08a2f2d2-94b2-4a7b-aa3b-bb3f523ee6fd"
}
BuiltIn Guest Configuration False False n/a n/a n/a false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Audit Windows machines on which the Log Analytics agent is not connected as expected",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the agent is not installed, or if it is installed but the COM object AgentConfigManager.MgmtSvcCfg returns that it is registered to a workspace other than the ID specified in the policy parameter.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "1.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "WindowsLogAnalyticsAgentConnection",
        "version": "1.*",
        "configurationParameter": {
          "WorkspaceId": "[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "WorkspaceId": {
        "type": "String",
        "metadata": {
          "displayName": "Connected workspace IDs",
          "description": "A semicolon-separated list of the workspace IDs that the Log Analytics agent should be connected to"
        }
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "WindowsLogAnalyticsAgentConnection",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId', '=', parameters('WorkspaceId')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/6265018c-d7e2-432f-a75d-094d5f6f4465",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "6265018c-d7e2-432f-a75d-094d5f6f4465"
}
BuiltIn Guest Configuration False False n/a n/a n/a false 0 n/a true 3 [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab) n/a
{
  "properties": {
    "displayName": "Audit Windows machines on which the specified services are not installed and 'Running'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if result of the Windows PowerShell command Get-Service do not include the service name with matching status as specified by the policy parameter.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "1.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "WindowsServiceStatus",
        "version": "1.*",
        "configurationParameter": {
          "ServiceName": "[WindowsServiceStatus]WindowsServiceStatus1;ServiceName"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "ServiceName": {
        "type": "String",
        "metadata": {
          "displayName": "Service names (supports wildcards)",
          "description": "A semicolon-separated list of the names of the services that should be installed and 'Running'. e.g. 'WinRm;Wi*'"
        }
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "WindowsServiceStatus",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('[WindowsServiceStatus]WindowsServiceStatus1;ServiceName', '=', parameters('ServiceName')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e6ebf138-3d71-4935-a13b-9c7fdddd94df",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e6ebf138-3d71-4935-a13b-9c7fdddd94df"
}
BuiltIn Guest Configuration False False n/a n/a n/a false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Audit Windows machines on which Windows Serial Console is not enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine does not have the Serial Console software installed or if the EMS port number or baud rate are not configured with the same values as the policy parameters.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "1.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "WindowsSerialConsole",
        "version": "1.*",
        "configurationParameter": {
          "EMSPortNumber": "[WindowsSerialConsole]WindowsSerialConsole;EMSPortNumber",
          "EMSBaudRate": "[WindowsSerialConsole]WindowsSerialConsole;EMSBaudRate"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "EMSPortNumber": {
        "type": "String",
        "metadata": {
          "displayName": "EMS Port Number",
          "description": "An integer indicating the COM port to be used for the Emergency Management Services (EMS) console redirection. For more information on EMS settings, please visit https://aka.ms/gcpolwsc"
        },
        "allowedValues": [
          "1",
          "2",
          "3",
          "4"
        ],
        "defaultValue": "1"
      },
      "EMSBaudRate": {
        "type": "String",
        "metadata": {
          "displayName": "EMS Baud Rate",
          "description": "An integer indicating the baud rate to be used for the Emergency Management Services (EMS) console redirection. For more information on EMS settings, please visit https://aka.ms/gcpolwsc"
        },
        "allowedValues": [
          "9600",
          "19200",
          "38400",
          "57600",
          "115200"
        ],
        "defaultValue": "115200"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "WindowsSerialConsole",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('[WindowsSerialConsole]WindowsSerialConsole;EMSPortNumber', '=', parameters('EMSPortNumber'), ',', '[WindowsSerialConsole]WindowsSerialConsole;EMSBaudRate', '=', parameters('EMSBaudRate')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/58c460e9-7573-4bb2-9676-339c2f2486bb",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "58c460e9-7573-4bb2-9676-339c2f2486bb"
}
BuiltIn Guest Configuration False False n/a n/a n/a false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Audit Windows machines that allow re-use of the previous 24 passwords",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that allow re-use of the previous 24 passwords",
    "metadata": {
      "category": "Guest Configuration",
      "version": "1.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "EnforcePasswordHistory",
        "version": "1.*"
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "EnforcePasswordHistory",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/5b054a0d-39e2-4d53-bea3-9734cad2c69b",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "5b054a0d-39e2-4d53-bea3-9734cad2c69b"
}
BuiltIn Guest Configuration False False n/a n/a AuditIfNotExists false 0 n/a true 14 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), Audit machines with insecure password security settings (/providers/microsoft.authorization/policysetdefinitions/095e4ed9-c835-4ab6-9439-b5644362a06c), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), PCI v3.2.1:2018 (/providers/microsoft.authorization/policysetdefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Audit Windows machines that are not joined to the specified domain",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the Domain property in WMI class win32_computersystem does not match the value in the policy parameter.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "1.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "WindowsDomainMembership",
        "version": "1.*",
        "configurationParameter": {
          "DomainName": "[DomainMembership]WindowsDomainMembership;DomainName"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "DomainName": {
        "type": "String",
        "metadata": {
          "displayName": "Domain Name (FQDN)",
          "description": "The fully qualified domain name (FQDN) that the Windows machines should be joined to"
        }
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "WindowsDomainMembership",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('[DomainMembership]WindowsDomainMembership;DomainName', '=', parameters('DomainName')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/84662df4-0e37-44a6-9ce1-c9d2150db18c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "84662df4-0e37-44a6-9ce1-c9d2150db18c"
}
BuiltIn Guest Configuration False False n/a n/a n/a false 0 n/a true 1 [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22) n/a
{
  "properties": {
    "displayName": "Audit Windows machines that are not set to the specified time zone",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the property StandardName in WMI class Win32_TimeZone does not match the selected time zone for the policy parameter.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "1.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "WindowsTimeZone",
        "version": "1.*",
        "configurationParameter": {
          "TimeZone": "[WindowsTimeZone]WindowsTimeZone1;TimeZone"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "TimeZone": {
        "type": "String",
        "metadata": {
          "displayName": "Time zone",
          "description": "The expected time zone"
        },
        "allowedValues": [
          "(UTC-12:00) International Date Line West",
          "(UTC-11:00) Coordinated Universal Time-11",
          "(UTC-10:00) Aleutian Islands",
          "(UTC-10:00) Hawaii",
          "(UTC-09:30) Marquesas Islands",
          "(UTC-09:00) Alaska",
          "(UTC-09:00) Coordinated Universal Time-09",
          "(UTC-08:00) Baja California",
          "(UTC-08:00) Coordinated Universal Time-08",
          "(UTC-08:00) Pacific Time (US & Canada)",
          "(UTC-07:00) Arizona",
          "(UTC-07:00) Chihuahua, La Paz, Mazatlan",
          "(UTC-07:00) Mountain Time (US & Canada)",
          "(UTC-06:00) Central America",
          "(UTC-06:00) Central Time (US & Canada)",
          "(UTC-06:00) Easter Island",
          "(UTC-06:00) Guadalajara, Mexico City, Monterrey",
          "(UTC-06:00) Saskatchewan",
          "(UTC-05:00) Bogota, Lima, Quito, Rio Branco",
          "(UTC-05:00) Chetumal",
          "(UTC-05:00) Eastern Time (US & Canada)",
          "(UTC-05:00) Haiti",
          "(UTC-05:00) Havana",
          "(UTC-05:00) Indiana (East)",
          "(UTC-05:00) Turks and Caicos",
          "(UTC-04:00) Asuncion",
          "(UTC-04:00) Atlantic Time (Canada)",
          "(UTC-04:00) Caracas",
          "(UTC-04:00) Cuiaba",
          "(UTC-04:00) Georgetown, La Paz, Manaus, San Juan",
          "(UTC-04:00) Santiago",
          "(UTC-03:30) Newfoundland",
          "(UTC-03:00) Araguaina",
          "(UTC-03:00) Brasilia",
          "(UTC-03:00) Cayenne, Fortaleza",
          "(UTC-03:00) City of Buenos Aires",
          "(UTC-03:00) Greenland",
          "(UTC-03:00) Montevideo",
          "(UTC-03:00) Punta Arenas",
          "(UTC-03:00) Saint Pierre and Miquelon",
          "(UTC-03:00) Salvador",
          "(UTC-02:00) Coordinated Universal Time-02",
          "(UTC-02:00) Mid-Atlantic - Old",
          "(UTC-01:00) Azores",
          "(UTC-01:00) Cabo Verde Is.",
          "(UTC) Coordinated Universal Time",
          "(UTC+00:00) Dublin, Edinburgh, Lisbon, London",
          "(UTC+00:00) Monrovia, Reykjavik",
          "(UTC+00:00) Sao Tome",
          "(UTC+01:00) Casablanca",
          "(UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna",
          "(UTC+01:00) Belgrade, Bratislava, Budapest, Ljubljana, Prague",
          "(UTC+01:00) Brussels, Copenhagen, Madrid, Paris",
          "(UTC+01:00) Sarajevo, Skopje, Warsaw, Zagreb",
          "(UTC+01:00) West Central Africa",
          "(UTC+02:00) Amman",
          "(UTC+02:00) Athens, Bucharest",
          "(UTC+02:00) Beirut",
          "(UTC+02:00) Cairo",
          "(UTC+02:00) Chisinau",
          "(UTC+02:00) Damascus",
          "(UTC+02:00) Gaza, Hebron",
          "(UTC+02:00) Harare, Pretoria",
          "(UTC+02:00) Helsinki, Kyiv, Riga, Sofia, Tallinn, Vilnius",
          "(UTC+02:00) Jerusalem",
          "(UTC+02:00) Kaliningrad",
          "(UTC+02:00) Khartoum",
          "(UTC+02:00) Tripoli",
          "(UTC+02:00) Windhoek",
          "(UTC+03:00) Baghdad",
          "(UTC+03:00) Istanbul",
          "(UTC+03:00) Kuwait, Riyadh",
          "(UTC+03:00) Minsk",
          "(UTC+03:00) Moscow, St. Petersburg",
          "(UTC+03:00) Nairobi",
          "(UTC+03:30) Tehran",
          "(UTC+04:00) Abu Dhabi, Muscat",
          "(UTC+04:00) Astrakhan, Ulyanovsk",
          "(UTC+04:00) Baku",
          "(UTC+04:00) Izhevsk, Samara",
          "(UTC+04:00) Port Louis",
          "(UTC+04:00) Saratov",
          "(UTC+04:00) Tbilisi",
          "(UTC+04:00) Volgograd",
          "(UTC+04:00) Yerevan",
          "(UTC+04:30) Kabul",
          "(UTC+05:00) Ashgabat, Tashkent",
          "(UTC+05:00) Ekaterinburg",
          "(UTC+05:00) Islamabad, Karachi",
          "(UTC+05:00) Qyzylorda",
          "(UTC+05:30) Chennai, Kolkata, Mumbai, New Delhi",
          "(UTC+05:30) Sri Jayawardenepura",
          "(UTC+05:45) Kathmandu",
          "(UTC+06:00) Astana",
          "(UTC+06:00) Dhaka",
          "(UTC+06:00) Omsk",
          "(UTC+06:30) Yangon (Rangoon)",
          "(UTC+07:00) Bangkok, Hanoi, Jakarta",
          "(UTC+07:00) Barnaul, Gorno-Altaysk",
          "(UTC+07:00) Hovd",
          "(UTC+07:00) Krasnoyarsk",
          "(UTC+07:00) Novosibirsk",
          "(UTC+07:00) Tomsk",
          "(UTC+08:00) Beijing, Chongqing, Hong Kong, Urumqi",
          "(UTC+08:00) Irkutsk",
          "(UTC+08:00) Kuala Lumpur, Singapore",
          "(UTC+08:00) Perth",
          "(UTC+08:00) Taipei",
          "(UTC+08:00) Ulaanbaatar",
          "(UTC+08:45) Eucla",
          "(UTC+09:00) Chita",
          "(UTC+09:00) Osaka, Sapporo, Tokyo",
          "(UTC+09:00) Pyongyang",
          "(UTC+09:00) Seoul",
          "(UTC+09:00) Yakutsk",
          "(UTC+09:30) Adelaide",
          "(UTC+09:30) Darwin",
          "(UTC+10:00) Brisbane",
          "(UTC+10:00) Canberra, Melbourne, Sydney",
          "(UTC+10:00) Guam, Port Moresby",
          "(UTC+10:00) Hobart",
          "(UTC+10:00) Vladivostok",
          "(UTC+10:30) Lord Howe Island",
          "(UTC+11:00) Bougainville Island",
          "(UTC+11:00) Chokurdakh",
          "(UTC+11:00) Magadan",
          "(UTC+11:00) Norfolk Island",
          "(UTC+11:00) Sakhalin",
          "(UTC+11:00) Solomon Is., New Caledonia",
          "(UTC+12:00) Anadyr, Petropavlovsk-Kamchatsky",
          "(UTC+12:00) Auckland, Wellington",
          "(UTC+12:00) Coordinated Universal Time+12",
          "(UTC+12:00) Fiji",
          "(UTC+12:00) Petropavlovsk-Kamchatsky - Old",
          "(UTC+12:45) Chatham Islands",
          "(UTC+13:00) Coordinated Universal Time+13",
          "(UTC+13:00) Nuku'alofa",
          "(UTC+13:00) Samoa",
          "(UTC+14:00) Kiritimati Island"
        ]
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "WindowsTimeZone",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('[WindowsTimeZone]WindowsTimeZone1;TimeZone', '=', parameters('TimeZone')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c633f6a2-7f8b-4d9e-9456-02f0f04f5505",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c633f6a2-7f8b-4d9e-9456-02f0f04f5505"
}
BuiltIn Guest Configuration False False n/a n/a n/a false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Audit Windows machines that contain certificates expiring within the specified number of days",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if certificates in the specified store have an expiration date out of range for the number of days given as parameter. The policy also provides the option to only check for specific certificates or exclude specific certificates, and whether to report on expired certificates.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "1.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "CertificateExpiration",
        "version": "1.*",
        "configurationParameter": {
          "CertificateStorePath": "[CertificateStore]CertificateStore1;CertificateStorePath",
          "ExpirationLimitInDays": "[CertificateStore]CertificateStore1;ExpirationLimitInDays",
          "CertificateThumbprintsToInclude": "[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude",
          "CertificateThumbprintsToExclude": "[CertificateStore]CertificateStore1;CertificateThumbprintsToExclude",
          "IncludeExpiredCertificates": "[CertificateStore]CertificateStore1;IncludeExpiredCertificates"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "CertificateStorePath": {
        "type": "String",
        "metadata": {
          "displayName": "Certificate store path",
          "description": "The path to the certificate store containing the certificates to check the expiration dates of. Default value is 'Cert:' which is the root certificate store path, so all certificates on the machine will be checked. Other example paths: 'Cert:\\LocalMachine', 'Cert:\\LocalMachine\\TrustedPublisher', 'Cert:\\CurrentUser'"
        },
        "defaultValue": "Cert:"
      },
      "ExpirationLimitInDays": {
        "type": "String",
        "metadata": {
          "displayName": "Expiration limit in days",
          "description": "An integer indicating the number of days within which to check for certificates that are expiring. For example, if this value is 30, any certificate expiring within the next 30 days will cause this policy to be non-compliant."
        },
        "defaultValue": "30"
      },
      "CertificateThumbprintsToInclude": {
        "type": "String",
        "metadata": {
          "displayName": "Certificate thumbprints to include",
          "description": "A semicolon-separated list of certificate thumbprints to check under the specified path. If a value is not specified, all certificates under the certificate store path will be checked. If a value is specified, no certificates other than those with the thumbprints specified will be checked. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"
        },
        "defaultValue": ""
      },
      "CertificateThumbprintsToExclude": {
        "type": "String",
        "metadata": {
          "displayName": "Certificate thumbprints to exclude",
          "description": "A semicolon-separated list of certificate thumbprints to ignore. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"
        },
        "defaultValue": ""
      },
      "IncludeExpiredCertificates": {
        "type": "String",
        "metadata": {
          "displayName": "Include expired certificates",
          "description": "Must be 'true' or 'false'. True indicates that any found certificates that have already expired will also make this policy non-compliant. False indicates that certificates that have expired will be ignored."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "CertificateExpiration",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('[CertificateStore]CertificateStore1;CertificateStorePath', '=', parameters('CertificateStorePath'), ',', '[CertificateStore]CertificateStore1;ExpirationLimitInDays', '=', parameters('ExpirationLimitInDays'), ',', '[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude', '=', parameters('CertificateThumbprintsToInclude'), ',', '[CertificateStore]CertificateStore1;CertificateThumbprintsToExclude', '=', parameters('CertificateThumbprintsToExclude'), ',', '[CertificateStore]CertificateStore1;IncludeExpiredCertificates', '=', parameters('IncludeExpiredCertificates')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/1417908b-4bff-46ee-a2a6-4acc899320ab",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "1417908b-4bff-46ee-a2a6-4acc899320ab"
}
BuiltIn Guest Configuration False False n/a n/a n/a false 0 n/a true 1 [Preview]: Motion Picture Association of America (MPAA) (/providers/microsoft.authorization/policysetdefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8) n/a
{
  "properties": {
    "displayName": "Audit Windows machines that do not contain the specified certificates in Trusted Root",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine Trusted Root certificate store (Cert:\\LocalMachine\\Root) does not contain one or more of the certificates listed by the policy parameter.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "1.0.1",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "WindowsCertificateInTrustedRoot",
        "version": "1.*",
        "configurationParameter": {
          "CertificateThumbprints": "[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "CertificateThumbprints": {
        "type": "String",
        "metadata": {
          "displayName": "Certificate thumbprints",
          "description": "A semicolon-separated list of certificate thumbprints that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"
        }
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "WindowsCertificateInTrustedRoot",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude', '=', parameters('CertificateThumbprints')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/934345e1-4dfb-4c70-90d7-41990dc9608b",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "934345e1-4dfb-4c70-90d7-41990dc9608b"
}
BuiltIn Guest Configuration False False n/a n/a n/a false 0 n/a true 2 [Preview]: Motion Picture Association of America (MPAA) (/providers/microsoft.authorization/policysetdefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab) n/a
{
  "properties": {
    "displayName": "Audit Windows machines that do not have a maximum password age of 70 days",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have a maximum password age of 70 days",
    "metadata": {
      "category": "Guest Configuration",
      "version": "1.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "MaximumPasswordAge",
        "version": "1.*"
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "MaximumPasswordAge",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/4ceb8dc2-559c-478b-a15b-733fbf1e3738",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "4ceb8dc2-559c-478b-a15b-733fbf1e3738"
}
BuiltIn Guest Configuration False False n/a n/a AuditIfNotExists false 0 n/a true 12 Audit machines with insecure password security settings (/providers/microsoft.authorization/policysetdefinitions/095e4ed9-c835-4ab6-9439-b5644362a06c), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), PCI v3.2.1:2018 (/providers/microsoft.authorization/policysetdefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Audit Windows machines that do not have a minimum password age of 1 day",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have a minimum password age of 1 day",
    "metadata": {
      "category": "Guest Configuration",
      "version": "1.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "MinimumPasswordAge",
        "version": "1.*"
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "MinimumPasswordAge",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/237b38db-ca4d-4259-9e47-7882441ca2c0",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "237b38db-ca4d-4259-9e47-7882441ca2c0"
}
BuiltIn Guest Configuration False False n/a n/a AuditIfNotExists false 0 n/a true 11 Audit machines with insecure password security settings (/providers/microsoft.authorization/policysetdefinitions/095e4ed9-c835-4ab6-9439-b5644362a06c), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Audit Windows machines that do not have the password complexity setting enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the password complexity setting enabled",
    "metadata": {
      "category": "Guest Configuration",
      "version": "1.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "PasswordMustMeetComplexityRequirements",
        "version": "1.*"
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "PasswordMustMeetComplexityRequirements",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/bf16e0bb-31e1-4646-8202-60a235cc7e74",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "bf16e0bb-31e1-4646-8202-60a235cc7e74"
}
BuiltIn Guest Configuration False False n/a n/a AuditIfNotExists false 0 n/a true 14 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), Audit machines with insecure password security settings (/providers/microsoft.authorization/policysetdefinitions/095e4ed9-c835-4ab6-9439-b5644362a06c), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Audit Windows machines that do not have the specified Windows PowerShell execution policy",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-ExecutionPolicy returns a value other than what was selected in the policy parameter.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "1.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "WindowsPowerShellExecutionPolicy",
        "version": "1.*",
        "configurationParameter": {
          "ExecutionPolicy": "[PowerShellExecutionPolicy]PowerShellExecutionPolicy1;ExecutionPolicy"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "ExecutionPolicy": {
        "type": "String",
        "metadata": {
          "displayName": "PowerShell Execution Policy",
          "description": "The expected PowerShell execution policy."
        },
        "allowedValues": [
          "AllSigned",
          "Bypass",
          "Default",
          "RemoteSigned",
          "Restricted",
          "Undefined",
          "Unrestricted"
        ]
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "WindowsPowerShellExecutionPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('[PowerShellExecutionPolicy]PowerShellExecutionPolicy1;ExecutionPolicy', '=', parameters('ExecutionPolicy')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c648fbbb-591c-4acd-b465-ce9b176ca173",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c648fbbb-591c-4acd-b465-ce9b176ca173"
}
BuiltIn Guest Configuration False False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Audit Windows machines that do not have the specified Windows PowerShell modules installed",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if a module isn't available in a location specified by the environment variable PSModulePath.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "2.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "WindowsPowerShellModules",
        "version": "1.*",
        "configurationParameter": {
          "Modules": "[PowerShellModules]PowerShellModules1;Modules"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "Modules": {
        "type": "String",
        "metadata": {
          "displayName": "PowerShell Modules",
          "description": "A semicolon-separated list of the names of the PowerShell modules that should be installed. You may also specify a specific version of a module that should be installed by including a comma after the module name, followed by the desired version. Example: PSDscResources; SqlServerDsc, 12.0.0.0; ComputerManagementDsc, 6.1.0.0"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "[concat('WindowsPowerShellModules$pid', uniqueString(policy().assignmentId, policy().definitionReferenceId))]",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('[PowerShellModules]PowerShellModules1;Modules', '=', parameters('Modules')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/3e4e2bd5-15a2-4628-b3e1-58977e9793f3",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "3e4e2bd5-15a2-4628-b3e1-58977e9793f3"
}
BuiltIn Guest Configuration False False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Audit Windows machines that do not restrict the minimum password length to 14 characters",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not restrict the minimum password length to 14 characters",
    "metadata": {
      "category": "Guest Configuration",
      "version": "1.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "MinimumPasswordLength",
        "version": "1.*"
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "MinimumPasswordLength",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/a2d0e922-65d0-40c4-8f87-ea6da2d307a2",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "a2d0e922-65d0-40c4-8f87-ea6da2d307a2"
}
BuiltIn Guest Configuration False False n/a n/a AuditIfNotExists false 0 n/a true 15 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), Audit machines with insecure password security settings (/providers/microsoft.authorization/policysetdefinitions/095e4ed9-c835-4ab6-9439-b5644362a06c), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), PCI v3.2.1:2018 (/providers/microsoft.authorization/policysetdefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), [Preview]: Motion Picture Association of America (MPAA) (/providers/microsoft.authorization/policysetdefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Audit Windows machines that do not store passwords using reversible encryption",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not store passwords using reversible encryption",
    "metadata": {
      "category": "Guest Configuration",
      "version": "1.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "StorePasswordsUsingReversibleEncryption",
        "version": "1.*"
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "StorePasswordsUsingReversibleEncryption",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/da0f98fe-a24b-4ad5-af69-bd0400233661",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "da0f98fe-a24b-4ad5-af69-bd0400233661"
}
BuiltIn Guest Configuration False False n/a n/a AuditIfNotExists false 0 n/a true 11 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), Audit machines with insecure password security settings (/providers/microsoft.authorization/policysetdefinitions/095e4ed9-c835-4ab6-9439-b5644362a06c), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Audit Windows machines that don't have the specified applications installed",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the application name is not found in any of the following registry paths: HKLM:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall, HKLM:SOFTWARE\\Wow6432node\\Microsoft\\Windows\\CurrentVersion\\Uninstall, HKCU:Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "1.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "WhitelistedApplication",
        "version": "1.*",
        "configurationParameter": {
          "installedApplication": "[InstalledApplication]bwhitelistedapp;Name"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "installedApplication": {
        "type": "String",
        "metadata": {
          "displayName": "Application names (supports wildcards)",
          "description": "A semicolon-separated list of the names of the applications that should be installed. e.g. 'Microsoft SQL Server 2014 (64-bit); Microsoft Visual Studio Code' or 'Microsoft SQL Server 2014*' (to match any application starting with 'Microsoft SQL Server 2014')"
        }
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "WhitelistedApplication",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('[InstalledApplication]bwhitelistedapp;Name', '=', parameters('installedApplication')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/ebb67efd-3c46-49b0-adfe-5599eb944998",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ebb67efd-3c46-49b0-adfe-5599eb944998"
}
BuiltIn Guest Configuration False False n/a n/a n/a false 0 n/a true 1 HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab) n/a
{
  "properties": {
    "displayName": "Audit Windows machines that have extra accounts in the Administrators group",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains members that are not listed in the policy parameter.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "1.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "AdministratorsGroupMembers",
        "version": "1.*",
        "configurationParameter": {
          "Members": "[LocalGroup]AdministratorsGroup;Members"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "Members": {
        "type": "String",
        "metadata": {
          "displayName": "Members",
          "description": "A semicolon-separated list of all the expected members of the Administrators local group. Ex: Administrator; myUser1; myUser2"
        },
        "allowedValues": [],
        "defaultValue": "Administrator"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AdministratorsGroupMembers",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('[LocalGroup]AdministratorsGroup;Members', '=', parameters('Members')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/3d2a3320-2a72-4c67-ac5f-caa40fbee2b2",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "3d2a3320-2a72-4c67-ac5f-caa40fbee2b2"
}
BuiltIn Guest Configuration False False n/a n/a n/a false 0 n/a true 3 [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a) n/a
{
  "properties": {
    "displayName": "Audit Windows machines that have not restarted within the specified number of days",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the WMI property LastBootUpTime in class Win32_Operatingsystem is outside the range of days provided by the policy parameter.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "1.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "MachineLastBootUpTime",
        "version": "1.*",
        "configurationParameter": {
          "NumberOfDays": "[MachineUpTime]MachineLastBootUpTime;NumberOfDays"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "NumberOfDays": {
        "type": "String",
        "metadata": {
          "displayName": "Number of days",
          "description": "The number of days without restart until the machine is considered non-compliant"
        },
        "defaultValue": "12"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "MachineLastBootUpTime",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('[MachineUpTime]MachineLastBootUpTime;NumberOfDays', '=', parameters('NumberOfDays')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/beb6ccee-b6b8-4e91-9801-a5fa4260a104",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "beb6ccee-b6b8-4e91-9801-a5fa4260a104"
}
BuiltIn Guest Configuration False False n/a n/a n/a false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Audit Windows machines that have the specified applications installed",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the application name is found in any of the following registry paths: HKLM:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall, HKLM:SOFTWARE\\Wow6432node\\Microsoft\\Windows\\CurrentVersion\\Uninstall, HKCU:Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "1.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "NotInstalledApplicationForWindows",
        "version": "1.*",
        "configurationParameter": {
          "ApplicationName": "[InstalledApplication]NotInstalledApplicationResource1;Name"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "ApplicationName": {
        "type": "String",
        "metadata": {
          "displayName": "Application names (supports wildcards)",
          "description": "A semicolon-separated list of the names of the applications that should not be installed. e.g. 'Microsoft SQL Server 2014 (64-bit); Microsoft Visual Studio Code' or 'Microsoft SQL Server 2014*' (to match any application starting with 'Microsoft SQL Server 2014')"
        }
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "NotInstalledApplicationForWindows",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('[InstalledApplication]NotInstalledApplicationResource1;Name', '=', parameters('ApplicationName')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c5b85cba-6e6f-4de4-95e1-f0233cd712ac",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c5b85cba-6e6f-4de4-95e1-f0233cd712ac"
}
BuiltIn Guest Configuration False False n/a n/a n/a false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Audit Windows machines that have the specified members in the Administrators group",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "1.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "AdministratorsGroupMembersToExclude",
        "version": "1.*",
        "configurationParameter": {
          "MembersToExclude": "[LocalGroup]AdministratorsGroup;MembersToExclude"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "MembersToExclude": {
        "type": "String",
        "metadata": {
          "displayName": "Members to exclude",
          "description": "A semicolon-separated list of members that should be excluded in the Administrators local group. Ex: Administrator; myUser1; myUser2"
        }
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AdministratorsGroupMembersToExclude",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('[LocalGroup]AdministratorsGroup;MembersToExclude', '=', parameters('MembersToExclude')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f"
}
BuiltIn Guest Configuration False False n/a n/a n/a false 0 n/a true 9 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a) n/a
{
  "properties": {
    "displayName": "Audit Windows VMs with a pending reboot",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is pending reboot for any of the following reasons: component based servicing, Windows Update, pending file rename, pending computer rename, configuration manager pending reboot. Each detection has a unique registry path.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "1.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "WindowsPendingReboot",
        "version": "1.*"
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "WindowsPendingReboot",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/4221adbc-5c0f-474f-88b7-037a99e6114c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "4221adbc-5c0f-474f-88b7-037a99e6114c"
}
BuiltIn Guest Configuration False False n/a n/a n/a false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Auditing on SQL server should be enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log.",
    "metadata": {
      "version": "2.0.0",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "setting": {
        "type": "String",
        "metadata": {
          "displayName": "Desired Auditing setting"
        },
        "allowedValues": [
          "enabled",
          "disabled"
        ],
        "defaultValue": "enabled"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Sql/servers"
          },
          {
            "field": "kind",
            "notContains": "analytics"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Sql/servers/auditingSettings",
          "name": "default",
          "existenceCondition": {
            "field": "Microsoft.Sql/auditingSettings.state",
            "equals": "[parameters('setting')]"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9"
}
BuiltIn SQL False False n/a n/a AuditIfNotExists true 1 /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deploy-sql-db-auditing (Deploy-SQL-Audit) true 22 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), PCI v3.2.1:2018 (/providers/microsoft.authorization/policysetdefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41), PCI v3.2.1:2018 (/providers/microsoft.authorization/policysetdefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Auditing on Synapse workspace should be enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Auditing on your Synapse workspace should be enabled to track database activities across all databases on the dedicated SQL pools and save them in an audit log.",
    "metadata": {
      "version": "1.0.0",
      "category": "Synapse"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "setting": {
        "type": "String",
        "metadata": {
          "displayName": "Desired Auditing setting"
        },
        "allowedValues": [
          "enabled",
          "disabled"
        ],
        "defaultValue": "enabled"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Synapse/workspaces"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Synapse/workspaces/auditingSettings",
          "name": "default",
          "existenceCondition": {
            "field": "Microsoft.Synapse/workspaces/auditingSettings/state",
            "equals": "[parameters('setting')]"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e04e5000-cd89-451d-bb21-a14d24ff9c73",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e04e5000-cd89-451d-bb21-a14d24ff9c73"
}
BuiltIn Synapse False False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Authentication should be enabled on your API app",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app",
    "metadata": {
      "version": "1.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "*api"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "name": "web",
          "existenceCondition": {
            "field": "Microsoft.Web/sites/config/siteAuthEnabled",
            "equals": "true"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c4ebc54a-46e1-481a-bee2-d4411e95d828",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c4ebc54a-46e1-481a-bee2-d4411e95d828"
}
BuiltIn App Service False False n/a n/a AuditIfNotExists false 0 n/a true 2 CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c) n/a
{
  "properties": {
    "displayName": "Authentication should be enabled on your Function app",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the Function app, or authenticate those that have tokens before they reach the Function app",
    "metadata": {
      "version": "1.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "equals": "functionapp"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "name": "web",
          "existenceCondition": {
            "field": "Microsoft.Web/sites/config/siteAuthEnabled",
            "equals": "true"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8"
}
BuiltIn App Service False False n/a n/a AuditIfNotExists false 0 n/a true 2 CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c) n/a
{
  "properties": {
    "displayName": "Authentication should be enabled on your web app",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the web app, or authenticate those that have tokens before they reach the web app",
    "metadata": {
      "version": "1.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "app*"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "name": "web",
          "existenceCondition": {
            "field": "Microsoft.Web/sites/config/siteAuthEnabled",
            "equals": "true"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/95bccee9-a7f8-4bec-9ee9-62c3473701fc",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "95bccee9-a7f8-4bec-9ee9-62c3473701fc"
}
BuiltIn App Service False False n/a n/a AuditIfNotExists false 0 n/a true 2 CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c) n/a
{
  "properties": {
    "displayName": "Authentication to Linux machines should require SSH keys",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "2.0.1",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "LinuxNoPasswordForSSH",
        "version": "1.*"
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "microsoft-aks",
                      "qubole-inc",
                      "datastax",
                      "couchbase",
                      "scalegrid",
                      "checkpoint",
                      "paloaltonetworks",
                      "debian"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "OpenLogic"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "CentOS*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Oracle"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "Oracle-Linux"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "RedHat"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "RHEL",
                          "RHEL-HA",
                          "RHEL-SAP",
                          "RHEL-SAP-APPS",
                          "RHEL-SAP-HA",
                          "RHEL-SAP-HANA"
                        ]
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "RedHat"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "osa",
                          "rhel-byos"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "cis-centos-7-l1",
                          "cis-centos-7-v2-1-1-l1",
                          "cis-centos-8-l1",
                          "cis-debian-linux-8-l1",
                          "cis-debian-linux-9-l1",
                          "cis-nginx-centos-7-v1-1-0-l1",
                          "cis-oracle-linux-7-v2-0-0-l1",
                          "cis-oracle-linux-8-l1",
                          "cis-postgresql-11-centos-linux-7-level-1",
                          "cis-rhel-7-l2",
                          "cis-rhel-7-v2-2-0-l1",
                          "cis-rhel-8-l1",
                          "cis-suse-linux-12-v2-0-0-l1",
                          "cis-ubuntu-linux-1604-v1-0-0-l1",
                          "cis-ubuntu-linux-1804-l1"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "credativ"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "Debian"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "7*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Suse"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "SLES*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "11*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Canonical"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "UbuntuServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "12*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "linux-data-science-vm-ubuntu",
                          "azureml"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloudera"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "cloudera-centos-os"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloudera"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "cloudera-altus-centos-os"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "linux*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Linux*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "exists": "false"
                          },
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "notIn": [
                              "OpenLogic",
                              "RedHat",
                              "credativ",
                              "Suse",
                              "Canonical",
                              "microsoft-dsvm",
                              "cloudera",
                              "microsoft-ads",
                              "center-for-internet-security-inc",
                              "Oracle"
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "linux*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "LinuxNoPasswordForSSH",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "630c64f9-8b6b-4c64-b511-6544ceff6fd6"
}
BuiltIn Guest Configuration False False n/a n/a AuditIfNotExists false 0 n/a true 6 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Authorization rules on the Event Hub instance should be defined",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Audit existence of authorization rules on Event Hub entities to grant least-privileged access",
    "metadata": {
      "version": "1.0.0",
      "category": "Event Hub"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.EventHub/namespaces/eventhubs"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.EventHub/namespaces/eventHubs/authorizationRules"
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/f4826e5f-6a27-407c-ae3e-9582eb39891d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "f4826e5f-6a27-407c-ae3e-9582eb39891d"
}
BuiltIn Event Hub False False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Authorized IP ranges should be defined on Kubernetes Services",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.",
    "metadata": {
      "version": "2.0.1",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ContainerService/managedClusters"
          },
          {
            "field": "Microsoft.ContainerService/managedClusters/apiServerAccessProfile.authorizedIPRanges",
            "exists": "false"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.ContainerService/managedClusters/apiServerAccessProfile.enablePrivateCluster",
                "exists": "false"
              },
              {
                "field": "Microsoft.ContainerService/managedClusters/apiServerAccessProfile.enablePrivateCluster",
                "equals": "false"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0e246bcf-5f6f-4f87-bc6f-775d4712c7ea"
}
BuiltIn Security Center False False n/a n/a Audit false 0 n/a true 7 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Auto provisioning of the Log Analytics agent should be enabled on your subscription",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created.",
    "metadata": {
      "version": "1.0.1",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/autoProvisioningSettings",
          "existenceCondition": {
            "field": "Microsoft.Security/autoProvisioningSettings/autoProvision",
            "equals": "On"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "475aae12-b88a-4572-8b36-9b712b2b3a17"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 10 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Automation account variables should be encrypted",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "It is important to enable encryption of Automation account variable assets when storing sensitive data",
    "metadata": {
      "version": "1.1.0",
      "category": "Automation"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The effect determines what happens when the policy rule is evaluated to match"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Automation/automationAccounts/variables"
          },
          {
            "field": "Microsoft.Automation/automationAccounts/variables/isEncrypted",
            "notEquals": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "3657f5a0-770e-44a3-b44e-9431ba1e9735"
}
BuiltIn Automation False False n/a n/a Audit false 0 n/a true 12 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), PCI v3.2.1:2018 (/providers/microsoft.authorization/policysetdefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Automation accounts should disable public network access",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your Automation account resources by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/automation/how-to/private-link-security.",
    "metadata": {
      "version": "1.0.0",
      "category": "Automation"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Automation/automationAccounts"
          },
          {
            "field": "Microsoft.Automation/automationAccounts/publicNetworkAccess",
            "notEquals": "false"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/955a914f-bf86-4f0e-acd5-e0766b0efcb6",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "955a914f-bf86-4f0e-acd5-e0766b0efcb6"
}
BuiltIn Automation False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Azure Active Directory Domain Services managed domains should use TLS 1.2 only mode",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use TLS 1.2 only mode for your managed domains. By default, Azure AD Domain Services enables the use of ciphers such as NTLM v1 and TLS v1. These ciphers may be required for some legacy applications, but are considered weak and can be disabled if you don't need them. When TLS 1.2 only mode is enabled, any client making a request that is not using TLS 1.2 will fail. Learn more at https://docs.microsoft.com/azure/active-directory-domain-services/secure-your-domain.",
    "metadata": {
      "version": "1.1.0",
      "category": "Azure Active Directory"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.AAD/domainServices"
          },
          {
            "field": "Microsoft.AAD/domainServices/domainSecuritySettings.tlsV1",
            "notEquals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/3aa87b5a-7813-4b57-8a43-42dd9df5aaa7",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "3aa87b5a-7813-4b57-8a43-42dd9df5aaa7"
}
BuiltIn Azure Active Directory False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Azure API for FHIR should use a customer-managed key to encrypt data at rest",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.",
    "metadata": {
      "version": "1.0.1",
      "category": "API for FHIR"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "audit",
          "disabled"
        ],
        "defaultValue": "audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.HealthcareApis/services"
          },
          {
            "field": "Microsoft.HealthcareApis/services/cosmosDbConfiguration.keyVaultKeyUri",
            "exists": "false"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "051cba44-2429-45b9-9649-46cec11c7119"
}
BuiltIn API for FHIR False False n/a n/a audit false 0 n/a true 5 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure API for FHIR should use private link",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/fhir-privatelink.",
    "metadata": {
      "version": "1.0.0",
      "category": "API for FHIR"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.HealthcareApis/services"
          },
          {
            "count": {
              "field": "Microsoft.HealthcareApis/services/privateEndpointConnections[*]",
              "where": {
                "field": "Microsoft.HealthcareApis/services/privateEndpointConnections[*].privateLinkServiceConnectionState.status",
                "equals": "Approved"
              }
            },
            "less": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/1ee56206-5dd1-42ab-b02d-8aae8b1634ce",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "1ee56206-5dd1-42ab-b02d-8aae8b1634ce"
}
BuiltIn API for FHIR False False n/a n/a Audit false 0 n/a true 5 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure Attestation providers should use private endpoints",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Private endpoints provide a way to connect Azure Attestation providers to your Azure resources without sending traffic over the public internet. By preventing public access, private endpoints help protect against undesired anonymous access.",
    "metadata": {
      "version": "1.0.0",
      "category": "Attestation"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Attestation/attestationProviders"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Attestation/attestationProviders/privateEndpointConnections",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Attestation/attestationProviders/privateEndpointConnections/privateEndpoint",
                "exists": "true"
              },
              {
                "field": "Microsoft.Attestation/attestationProviders/privateEndpointConnections/provisioningState",
                "equals": "Succeeded"
              },
              {
                "field": "Microsoft.Attestation/attestationProviders/privateEndpointConnections/privateLinkServiceConnectionState.status",
                "equals": "Approved"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/7b256a2d-058b-41f8-bed9-3f870541c40a",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "7b256a2d-058b-41f8-bed9-3f870541c40a"
}
BuiltIn Attestation False False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Azure Automation accounts should use customer-managed keys to encrypt data at rest",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use customer-managed keys to manage the encryption at rest of your Azure Automation Accounts. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/automation-cmk.",
    "metadata": {
      "version": "1.0.0",
      "category": "Automation"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Deny' blocks the non-compliant resource creation or update. 'Disabled' turns off the policy."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Automation/automationAccounts"
          },
          {
            "field": "Microsoft.Automation/automationAccounts/encryption.keySource",
            "notEquals": "Microsoft.Keyvault"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/56a5ee18-2ae6-4810-86f7-18e39ce5629b",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "56a5ee18-2ae6-4810-86f7-18e39ce5629b"
}
BuiltIn Automation False False n/a n/a Audit false 0 n/a true 4 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure Backup should be enabled for Virtual Machines",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",
    "metadata": {
      "version": "2.0.0",
      "category": "Backup"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "id",
            "notContains": "/resourceGroups/databricks-rg-"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.RecoveryServices/backupprotecteditems"
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "013e242c-8828-4970-87b3-ab247555486d"
}
BuiltIn Backup False False n/a n/a AuditIfNotExists false 0 n/a true 9 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure Batch account should use customer-managed keys to encrypt data",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use customer-managed keys to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/Batch-CMK.",
    "metadata": {
      "version": "1.0.1",
      "category": "Batch"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The desired effect of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Batch/batchAccounts"
          },
          {
            "field": "Microsoft.Batch/batchAccounts/encryption.keySource",
            "notEquals": "Microsoft.KeyVault"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "99e9ccd8-3db9-4592-b0d1-14b1715a4d8a"
}
BuiltIn Batch False False n/a n/a Audit false 0 n/a true 4 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure Batch pools should have disk encryption enabled",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Enabling Azure Batch disk encryption ensures that data is always encrypted at rest on your Azure Batch compute node. Learn more about disk encryption in Batch at https://docs.microsoft.com/azure/batch/disk-encryption.",
    "metadata": {
      "version": "1.0.0",
      "category": "Batch"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled",
          "Deny"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Batch/batchAccounts/pools"
          },
          {
            "count": {
              "field": "Microsoft.Batch/batchAccounts/pools/deploymentConfiguration.virtualMachineConfiguration.diskEncryptionConfiguration.targets[*]",
              "where": {
                "field": "Microsoft.Batch/batchAccounts/pools/deploymentConfiguration.virtualMachineConfiguration.diskEncryptionConfiguration.targets[*]",
                "contains": "TemporaryDisk"
              }
            },
            "less": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/1760f9d4-7206-436e-a28f-d9f3a5c8a227",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "1760f9d4-7206-436e-a28f-d9f3a5c8a227"
}
BuiltIn Batch False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Azure Cache for Redis should disable public network access",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disabling public network access improves security by ensuring that the Azure Cache for Redis isn't exposed on the public internet. You can limit exposure of your Azure Cache for Redis by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link.",
    "metadata": {
      "version": "1.0.0",
      "category": "Cache"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Cache/Redis"
          },
          {
            "field": "Microsoft.Cache/Redis/publicNetworkAccess",
            "notEquals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/470baccb-7e51-4549-8b1a-3e5be069f663",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "470baccb-7e51-4549-8b1a-3e5be069f663"
}
BuiltIn Cache False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Azure Cache for Redis should reside within a virtual network",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Virtual Network deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access.When an Azure Cache for Redis instance is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network.",
    "metadata": {
      "version": "1.0.3",
      "category": "Cache"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The effect determines what happens when the policy rule is evaluated to match."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Cache/redis"
          },
          {
            "field": "Microsoft.Cache/Redis/subnetId",
            "exists": "false"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/7d092e0a-7acd-40d2-a975-dca21cae48c4",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "7d092e0a-7acd-40d2-a975-dca21cae48c4"
}
BuiltIn Cache False False n/a n/a Audit false 0 n/a true 7 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure Cache for Redis should use private link",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link.",
    "metadata": {
      "version": "1.0.0",
      "category": "Cache"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Cache/redis"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Cache/redis/privateEndpointConnections",
          "existenceCondition": {
            "field": "Microsoft.Cache/redis/privateEndpointConnections/privateLinkServiceConnectionState.status",
            "equals": "Approved"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/7803067c-7d34-46e3-8c79-0ca68fc4036d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "7803067c-7d34-46e3-8c79-0ca68fc4036d"
}
BuiltIn Cache False False n/a n/a AuditIfNotExists false 0 n/a true 4 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure Cognitive Search service should use a SKU that supports private link",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints.",
    "metadata": {
      "version": "1.0.0",
      "category": "Search"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or Deny the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Search/searchServices"
          },
          {
            "field": "Microsoft.Search/searchServices/sku.name",
            "equals": "free"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "a049bf77-880b-470f-ba6d-9f21c530cf83"
}
BuiltIn Search False False n/a n/a Audit false 0 n/a true 4 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure Cognitive Search services should disable public network access",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints.",
    "metadata": {
      "version": "1.0.0",
      "category": "Search"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Search/searchServices"
          },
          {
            "field": "Microsoft.Search/searchServices/publicNetworkAccess",
            "notEquals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/ee980b6d-0eca-4501-8d54-f6290fd512c3",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ee980b6d-0eca-4501-8d54-f6290fd512c3"
}
BuiltIn Search False False n/a n/a Audit false 0 n/a true 4 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure Cognitive Search services should use customer-managed keys to encrypt data at rest",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Enabling encryption at rest using a customer-managed key on your Azure Cognitive Search services provides additional control over the key used to encrypt data at rest. This feature is often applicable to customers with special compliance requirements to manage data encryption keys using a key vault.",
    "metadata": {
      "category": "Search",
      "version": "1.0.0"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Search/searchServices"
          },
          {
            "anyof": [
              {
                "field": "Microsoft.Search/searchServices/encryptionWithCmk.enforcement",
                "notEquals": "Enabled"
              },
              {
                "field": "Microsoft.Search/searchServices/encryptionWithCmk.encryptionComplianceStatus",
                "notEquals": "Compliant"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/76a56461-9dc0-40f0-82f5-2453283afa2f",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "76a56461-9dc0-40f0-82f5-2453283afa2f"
}
BuiltIn Search False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Azure Cognitive Search services should use private link",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints.",
    "metadata": {
      "version": "1.0.0",
      "category": "Search"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Search/searchServices"
          },
          {
            "count": {
              "field": "Microsoft.Search/searchServices/privateEndpointConnections[*]",
              "where": {
                "field": "Microsoft.Search/searchServices/privateEndpointConnections[*].privateLinkServiceConnectionState.status",
                "equals": "Approved"
              }
            },
            "less": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0fda3595-9f2b-4592-8675-4231d6fa82fe",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0fda3595-9f2b-4592-8675-4231d6fa82fe"
}
BuiltIn Search False False n/a n/a Audit false 0 n/a true 4 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure Container Instance container group should deploy into a virtual network",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Secure communication between your containers with Azure Virtual Networks. When you specify a virtual network, resources within the virtual network can securely and privately communicate with each other.",
    "metadata": {
      "version": "1.0.0",
      "category": "Container Instance"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled",
          "Deny"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ContainerInstance/containerGroups"
          },
          {
            "field": "Microsoft.ContainerInstance/containerGroups/networkProfile.id",
            "exists": false
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/8af8f826-edcb-4178-b35f-851ea6fea615",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "8af8f826-edcb-4178-b35f-851ea6fea615"
}
BuiltIn Container Instance False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Azure Container Instance container group should use customer-managed key for encryption",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Secure your containers with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.",
    "metadata": {
      "version": "1.0.0",
      "category": "Container Instance"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled",
          "Deny"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ContainerInstance/containerGroups"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.ContainerInstance/containerGroups/encryptionProperties.vaultBaseUrl",
                "exists": false
              },
              {
                "field": "Microsoft.ContainerInstance/containerGroups/encryptionProperties.keyName",
                "exists": false
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0aa61e00-0a01-4a3c-9945-e93cffedf0e6",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0aa61e00-0a01-4a3c-9945-e93cffedf0e6"
}
BuiltIn Container Instance False False n/a n/a Audit false 0 n/a true 4 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure Cosmos DB accounts should have firewall rules",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant.",
    "metadata": {
      "version": "2.0.0",
      "category": "Cosmos DB"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Policy Effect",
          "description": "The desired effect of the policy."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DocumentDB/databaseAccounts"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.DocumentDB/databaseAccounts/publicNetworkAccess",
                "exists": "false"
              },
              {
                "field": "Microsoft.DocumentDB/databaseAccounts/publicNetworkAccess",
                "equals": "Enabled"
              }
            ]
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.DocumentDB/databaseAccounts/isVirtualNetworkFilterEnabled",
                "exists": "false"
              },
              {
                "field": "Microsoft.DocumentDB/databaseAccounts/isVirtualNetworkFilterEnabled",
                "equals": "false"
              }
            ]
          },
          {
            "allOf": [
              {
                "anyOf": [
                  {
                    "field": "Microsoft.DocumentDB/databaseAccounts/ipRules",
                    "exists": "false"
                  },
                  {
                    "count": {
                      "field": "Microsoft.DocumentDB/databaseAccounts/ipRules[*]"
                    },
                    "equals": 0
                  }
                ]
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.DocumentDB/databaseAccounts/ipRangeFilter",
                    "exists": "false"
                  },
                  {
                    "field": "Microsoft.DocumentDB/databaseAccounts/ipRangeFilter",
                    "equals": ""
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb"
}
BuiltIn Cosmos DB False False n/a n/a Deny false 0 n/a true 7 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/cosmosdb-cmk.",
    "metadata": {
      "version": "1.0.2",
      "category": "Cosmos DB"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The desired effect of the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "Microsoft.DocumentDB/databaseAccounts/keyVaultKeyUri",
            "exists": false
          },
          {
            "field": "type",
            "equals": "Microsoft.DocumentDB/databaseAccounts"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "1f905d99-2ab7-462c-a6b0-f709acca6c8f"
}
BuiltIn Cosmos DB False False n/a n/a audit false 0 n/a true 7 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure Cosmos DB allowed locations",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy enables you to restrict the locations your organization can specify when deploying Azure Cosmos DB resources. Use to enforce your geo-compliance requirements.",
    "metadata": {
      "version": "1.0.0",
      "category": "Cosmos DB"
    },
    "parameters": {
      "listOfAllowedLocations": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed locations",
          "description": "The list of locations that can be specified when deploying Azure Cosmos DB resources.",
          "strongType": "location"
        }
      },
      "policyEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Policy Effect",
          "description": "The desired effect of the policy."
        },
        "allowedValues": [
          "deny",
          "audit",
          "disabled"
        ],
        "defaultValue": "deny"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DocumentDB/databaseAccounts"
          },
          {
            "count": {
              "field": "Microsoft.DocumentDB/databaseAccounts/Locations[*]",
              "where": {
                "value": "[replace(toLower(first(field('Microsoft.DocumentDB/databaseAccounts/Locations[*].locationName'))), ' ', '')]",
                "in": "[parameters('listOfAllowedLocations')]"
              }
            },
            "notEquals": "[length(field('Microsoft.DocumentDB/databaseAccounts/Locations[*]'))]"
          }
        ]
      },
      "then": {
        "effect": "[parameters('policyEffect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0473574d-2d43-4217-aefe-941fcdf7e684",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0473574d-2d43-4217-aefe-941fcdf7e684"
}
BuiltIn Cosmos DB False False n/a n/a deny false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Azure Cosmos DB key based metadata write access should be disabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy enables you to ensure all Azure Cosmos DB accounts disable key based metadata write access.",
    "metadata": {
      "version": "1.0.0",
      "category": "Cosmos DB"
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DocumentDB/databaseAccounts"
          },
          {
            "field": "Microsoft.DocumentDB/databaseAccounts/disableKeyBasedMetadataWriteAccess",
            "notEquals": true
          }
        ]
      },
      "then": {
        "effect": "append",
        "details": [
          {
            "field": "Microsoft.DocumentDB/databaseAccounts/disableKeyBasedMetadataWriteAccess",
            "value": true
          }
        ]
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "4750c32b-89c0-46af-bfcb-2e4541a818d5"
}
BuiltIn Cosmos DB False False n/a n/a n/a false 0 n/a true 1 Enable Azure Cosmos DB throughput policy (/providers/microsoft.authorization/policysetdefinitions/cb5e1e90-7c33-491c-a15b-24885c915752) n/a
{
  "properties": {
    "displayName": "Azure Cosmos DB should disable public network access",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disabling public network access improves security by ensuring that your CosmosDB account isn't exposed on the public internet. Creating private endpoints can limit exposure of your CosmosDB account. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation.",
    "metadata": {
      "version": "1.0.0",
      "category": "Cosmos DB"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DocumentDB/databaseAccounts"
          },
          {
            "field": "Microsoft.DocumentDB/databaseAccounts/publicNetworkAccess",
            "notEquals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "797b37f7-06b8-444c-b1ad-fc62867f335a"
}
BuiltIn Cosmos DB False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Azure Cosmos DB throughput should be limited",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy enables you to restrict the maximum throughput your organization can specify when creating Azure Cosmos DB databases and containers through the resource provider. It blocks the creation of autoscale resources.",
    "metadata": {
      "version": "1.0.0",
      "category": "Cosmos DB"
    },
    "parameters": {
      "throughputMax": {
        "type": "Integer",
        "metadata": {
          "displayName": "Max RUs",
          "description": "The maximum throughput (RU/s) that can be assigned to a container via the Resource Provider during create or update."
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Policy Effect",
          "description": "The desired effect of the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "deny"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "anyOf": [
              {
                "field": "type",
                "like": "Microsoft.DocumentDB/databaseAccounts/*/throughputSettings"
              },
              {
                "field": "type",
                "in": [
                  "Microsoft.DocumentDB/databaseAccounts/sqlDatabases",
                  "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers",
                  "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases",
                  "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections",
                  "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases",
                  "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs",
                  "Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces",
                  "Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables",
                  "Microsoft.DocumentDB/databaseAccounts/tables"
                ]
              }
            ]
          },
          {
            "anyOf": [
              {
                "value": "[requestContext().apiVersion]",
                "less": "2019-08-01"
              },
              {
                "value": "[if(equals(field('Microsoft.DocumentDB/databaseAccounts/sqlDatabases/options.throughput'), ''), 0, int(field('Microsoft.DocumentDB/databaseAccounts/sqlDatabases/options.throughput')))]",
                "greater": "[parameters('throughputMax')]"
              },
              {
                "field": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/options",
                "containsKey": "ProvisionedThroughputSettings"
              },
              {
                "field": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/throughputSettings/default.resource.throughput",
                "greater": "[parameters('throughputMax')]"
              },
              {
                "field": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/throughputSettings/default.resource.provisionedThroughputSettings",
                "exists": "true"
              },
              {
                "value": "[if(equals(field('Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/options.throughput'), ''), 0, int(field('Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/options.throughput')))]",
                "greater": "[parameters('throughputMax')]"
              },
              {
                "field": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/options",
                "containsKey": "ProvisionedThroughputSettings"
              },
              {
                "field": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/throughputSettings/default.resource.throughput",
                "greater": "[parameters('throughputMax')]"
              },
              {
                "field": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/throughputSettings/default.resource.provisionedThroughputSettings",
                "exists": "true"
              },
              {
                "value": "[if(equals(field('Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/options.throughput'), ''), 0, int(field('Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/options.throughput')))]",
                "greater": "[parameters('throughputMax')]"
              },
              {
                "field": "Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/options",
                "containsKey": "ProvisionedThroughputSettings"
              },
              {
                "field": "Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/throughputSettings/default.resource.throughput",
                "greater": "[parameters('throughputMax')]"
              },
              {
                "field": "Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/throughputSettings/default.resource.provisionedThroughputSettings",
                "exists": "true"
              },
              {
                "value": "[if(equals(field('Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/options.throughput'), ''), 0, int(field('Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/options.throughput')))]",
                "greater": "[parameters('throughputMax')]"
              },
              {
                "field": "Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/options",
                "containsKey": "ProvisionedThroughputSettings"
              },
              {
                "field": "Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/throughputSettings/default.resource.throughput",
                "greater": "[parameters('throughputMax')]"
              },
              {
                "field": "Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/throughputSettings/default.resource.provisionedThroughputSettings",
                "exists": "true"
              },
              {
                "value": "[if(equals(field('Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/options.throughput'), ''), 0, int(field('Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/options.throughput')))]",
                "greater": "[parameters('throughputMax')]"
              },
              {
                "field": "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/options",
                "containsKey": "ProvisionedThroughputSettings"
              },
              {
                "field": "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/throughputSettings/default.resource.throughput",
                "greater": "[parameters('throughputMax')]"
              },
              {
                "field": "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/throughputSettings/default.resource.provisionedThroughputSettings",
                "exists": "true"
              },
              {
                "value": "[if(equals(field('Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/options.throughput'), ''), 0, int(field('Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/options.throughput')))]",
                "greater": "[parameters('throughputMax')]"
              },
              {
                "field": "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/options",
                "containsKey": "ProvisionedThroughputSettings"
              },
              {
                "field": "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/throughputSettings/default.resource.throughput",
                "greater": "[parameters('throughputMax')]"
              },
              {
                "field": "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/throughputSettings/default.resource.provisionedThroughputSettings",
                "exists": "true"
              },
              {
                "value": "[if(equals(field('Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/options.throughput'), ''), 0, int(field('Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/options.throughput')))]",
                "greater": "[parameters('throughputMax')]"
              },
              {
                "field": "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/options",
                "containsKey": "ProvisionedThroughputSettings"
              },
              {
                "field": "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/throughputSettings/default.resource.throughput",
                "greater": "[parameters('throughputMax')]"
              },
              {
                "field": "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/throughputSettings/default.resource.provisionedThroughputSettings",
                "exists": "true"
              },
              {
                "value": "[if(equals(field('Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/options.throughput'), ''), 0, int(field('Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/options.throughput')))]",
                "greater": "[parameters('throughputMax')]"
              },
              {
                "field": "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/options",
                "containsKey": "ProvisionedThroughputSettings"
              },
              {
                "field": "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/throughputSettings/default.resource.throughput",
                "greater": "[parameters('throughputMax')]"
              },
              {
                "field": "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/throughputSettings/default.resource.provisionedThroughputSettings",
                "exists": "true"
              },
              {
                "value": "[if(equals(field('Microsoft.DocumentDB/databaseAccounts/tables/options.throughput'), ''), 0, int(field('Microsoft.DocumentDB/databaseAccounts/tables/options.throughput')))]",
                "greater": "[parameters('throughputMax')]"
              },
              {
                "field": "Microsoft.DocumentDB/databaseAccounts/tables/options",
                "containsKey": "ProvisionedThroughputSettings"
              },
              {
                "field": "Microsoft.DocumentDB/databaseAccounts/tables/throughputSettings/default.resource.throughput",
                "greater": "[parameters('throughputMax')]"
              },
              {
                "field": "Microsoft.DocumentDB/databaseAccounts/tables/throughputSettings/default.resource.provisionedThroughputSettings",
                "exists": "true"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0b7ef78e-a035-4f23-b9bd-aff122a1b1cf",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0b7ef78e-a035-4f23-b9bd-aff122a1b1cf"
}
BuiltIn Cosmos DB False False n/a n/a deny false 0 n/a true 1 Enable Azure Cosmos DB throughput policy (/providers/microsoft.authorization/policysetdefinitions/cb5e1e90-7c33-491c-a15b-24885c915752) n/a
{
  "properties": {
    "displayName": "Azure Data Box jobs should enable double encryption for data at rest on the device",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Enable a second layer of software-based encryption for data at rest on the device. The device is already protected via Advanced Encryption Standard 256-bit encryption for data at rest. This option adds a second layer of data encryption.",
    "metadata": {
      "version": "1.0.0",
      "category": "Data Box"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The desired effect of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "supportedSKUs": {
        "type": "Array",
        "metadata": {
          "displayName": "Supported SKUs",
          "description": "The list of SKUs that support software-based double encryption"
        },
        "allowedValues": [
          "DataBox",
          "DataBoxHeavy"
        ],
        "defaultValue": [
          "DataBox",
          "DataBoxHeavy"
        ]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DataBox/jobs"
          },
          {
            "field": "Microsoft.Databox/jobs/sku.name",
            "in": "[parameters('supportedSKUs')]"
          },
          {
            "field": "Microsoft.DataBox/jobs/details.preferences.encryptionPreferences.doubleEncryption",
            "notEquals": "Enabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c349d81b-9985-44ae-a8da-ff98d108ede8",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c349d81b-9985-44ae-a8da-ff98d108ede8"
}
BuiltIn Data Box False False n/a n/a Audit false 0 n/a true 5 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.",
    "metadata": {
      "version": "1.0.0",
      "category": "Data Box"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The desired effect of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "supportedSKUs": {
        "type": "Array",
        "metadata": {
          "displayName": "Supported SKUs",
          "description": "The list of SKUs that support customer-managed key encryption key"
        },
        "allowedValues": [
          "DataBox",
          "DataBoxHeavy"
        ],
        "defaultValue": [
          "DataBox",
          "DataBoxHeavy"
        ]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DataBox/jobs"
          },
          {
            "field": "Microsoft.Databox/jobs/sku.name",
            "in": "[parameters('supportedSKUs')]"
          },
          {
            "field": "Microsoft.DataBox/jobs/details.keyEncryptionKey.kekType",
            "notEquals": "CustomerManaged"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "86efb160-8de7-451d-bc08-5d475b0aadae"
}
BuiltIn Data Box False False n/a n/a Audit false 0 n/a true 4 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure Data Explorer encryption at rest should use a customer-managed key",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Enabling encryption at rest using a customer-managed key on your Azure Data Explorer cluster provides additional control over the key being used by the encryption at rest. This feature is oftentimes applicable to customers with special compliance requirements and requires a Key Vault to managing the keys.",
    "metadata": {
      "version": "1.0.0",
      "category": "Azure Data Explorer"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Kusto/Clusters"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Kusto/clusters/keyVaultProperties",
                "exists": false
              },
              {
                "field": "Microsoft.Kusto/clusters/keyVaultProperties.keyName",
                "exists": false
              },
              {
                "field": "Microsoft.Kusto/clusters/keyVaultProperties.keyVersion",
                "exists": false
              },
              {
                "field": "Microsoft.Kusto/clusters/keyVaultProperties.keyVaultUri",
                "exists": false
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/81e74cea-30fd-40d5-802f-d72103c2aaaa",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "81e74cea-30fd-40d5-802f-d72103c2aaaa"
}
BuiltIn Azure Data Explorer False False n/a n/a Audit false 0 n/a true 5 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure data factories should be encrypted with a customer-managed key",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/adf-cmk.",
    "metadata": {
      "version": "1.0.1",
      "category": "Data Factory"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DataFactory/factories"
          },
          {
            "field": "Microsoft.DataFactory/factories/encryption.vaultBaseUrl",
            "exists": false
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/4ec52d6d-beb7-40c4-9a9e-fe753254690e",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "4ec52d6d-beb7-40c4-9a9e-fe753254690e"
}
BuiltIn Data Factory False False n/a n/a Audit false 0 n/a true 4 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure Data Factory should use private link",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link.",
    "metadata": {
      "version": "1.0.0",
      "category": "Data Factory"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.DataFactory/factories"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.DataFactory/factories/privateEndpointConnections",
          "existenceCondition": {
            "field": "Microsoft.DataFactory/factories/privateEndpointConnections/privateLinkServiceConnectionState.status",
            "equals": "Approved"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/8b0323be-cc25-4b61-935d-002c3798c6ea",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "8b0323be-cc25-4b61-935d-002c3798c6ea"
}
BuiltIn Data Factory False False n/a n/a AuditIfNotExists false 0 n/a true 4 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure DDoS Protection Standard should be enabled",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.",
    "metadata": {
      "version": "3.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "microsoft.network/virtualNetworks"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "e3de1cc0-f4dd-3b34-e496-8b5381ba2d70",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "a7aca53f-2ed4-4466-a25e-0b45ade68efd"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 14 IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure Defender for App Service should be enabled",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.",
    "metadata": {
      "version": "1.0.3",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/pricings",
          "name": "AppServices",
          "existenceScope": "subscription",
          "existenceCondition": {
            "field": "Microsoft.Security/pricings/pricingTier",
            "equals": "Standard"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcb",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "2913021d-f2fd-4f3d-b958-22354e2bdbcb"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 10 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure Defender for Azure SQL Database servers should be enabled",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.",
    "metadata": {
      "version": "1.0.2",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/pricings",
          "name": "SqlServers",
          "existenceScope": "subscription",
          "existenceCondition": {
            "field": "Microsoft.Security/pricings/pricingTier",
            "equals": "Standard"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "7fe3b40f-802b-4cdd-8bd4-fd799c948cc2"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 10 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure Defender for container registries should be enabled",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image.",
    "metadata": {
      "version": "1.0.3",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/pricings",
          "name": "ContainerRegistry",
          "existenceScope": "subscription",
          "existenceCondition": {
            "field": "Microsoft.Security/pricings/pricingTier",
            "equals": "Standard"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c25d9a16-bc35-4e15-a7e5-9db606bf9ed4",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c25d9a16-bc35-4e15-a7e5-9db606bf9ed4"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 10 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure Defender for Key Vault should be enabled",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts.",
    "metadata": {
      "version": "1.0.3",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/pricings",
          "name": "KeyVaults",
          "existenceScope": "subscription",
          "existenceCondition": {
            "field": "Microsoft.Security/pricings/pricingTier",
            "equals": "Standard"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0e6763cc-5078-4e64-889d-ff4d9a839047"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 10 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure Defender for Kubernetes should be enabled",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities.",
    "metadata": {
      "version": "1.0.3",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/pricings",
          "name": "KubernetesService",
          "existenceScope": "subscription",
          "existenceCondition": {
            "field": "Microsoft.Security/pricings/pricingTier",
            "equals": "Standard"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/523b5cd1-3e23-492f-a539-13118b6d1e3a",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "523b5cd1-3e23-492f-a539-13118b6d1e3a"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 10 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure Defender for open-source relational databases should be enabled",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at https://aka.ms/AzDforOpenSourceDBsDocu. Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: https://aka.ms/pricing-security-center",
    "metadata": {
      "version": "1.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/pricings",
          "name": "OpenSourceRelationalDatabases",
          "existenceScope": "subscription",
          "existenceCondition": {
            "field": "Microsoft.Security/pricings/pricingTier",
            "equals": "Standard"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0a9fbe0d-c5c4-4da8-87d8-f4fd77338835",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0a9fbe0d-c5c4-4da8-87d8-f4fd77338835"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Azure Defender for Resource Manager should be enabled",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center .",
    "metadata": {
      "version": "1.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/pricings",
          "name": "Arm",
          "existenceScope": "subscription",
          "existenceCondition": {
            "field": "Microsoft.Security/pricings/pricingTier",
            "equals": "Standard"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c3d20c29-b36d-48fe-808b-99a87530ad99",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c3d20c29-b36d-48fe-808b-99a87530ad99"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 5 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure Defender for servers should be enabled",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities.",
    "metadata": {
      "version": "1.0.3",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/pricings",
          "name": "VirtualMachines",
          "existenceScope": "subscription",
          "existenceCondition": {
            "field": "Microsoft.Security/pricings/pricingTier",
            "equals": "Standard"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "4da35fc9-c9e7-4960-aec9-797fe7d9051d"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 10 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure Defender for SQL servers on machines should be enabled",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.",
    "metadata": {
      "version": "1.0.2",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/pricings",
          "name": "SqlServerVirtualMachines",
          "existenceScope": "subscription",
          "existenceCondition": {
            "field": "Microsoft.Security/pricings/pricingTier",
            "equals": "Standard"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/6581d072-105e-4418-827f-bd446d56421b",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "6581d072-105e-4418-827f-bd446d56421b"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 10 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure Defender for SQL should be enabled for unprotected Azure SQL servers",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Audit SQL servers without Advanced Data Security",
    "metadata": {
      "version": "2.0.1",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Sql/servers"
          },
          {
            "field": "kind",
            "notContains": "analytics"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Sql/servers/securityAlertPolicies",
          "name": "Default",
          "existenceCondition": {
            "field": "Microsoft.Sql/servers/securityAlertPolicies/state",
            "equals": "Enabled"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9"
}
BuiltIn SQL False False n/a n/a AuditIfNotExists false 0 n/a true 17 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure Defender for SQL should be enabled for unprotected SQL Managed Instances",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Audit each SQL Managed Instance without advanced data security.",
    "metadata": {
      "version": "1.0.2",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Sql/managedInstances"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Sql/managedInstances/securityAlertPolicies",
          "name": "Default",
          "existenceCondition": {
            "field": "Microsoft.Sql/managedInstances/securityAlertPolicies/state",
            "equals": "Enabled"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9"
}
BuiltIn SQL False False n/a n/a AuditIfNotExists false 0 n/a true 17 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure Defender for Storage should be enabled",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts.",
    "metadata": {
      "version": "1.0.3",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/pricings",
          "name": "StorageAccounts",
          "existenceScope": "subscription",
          "existenceCondition": {
            "field": "Microsoft.Security/pricings/pricingTier",
            "equals": "Standard"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "308fbb08-4ab8-4e67-9b29-592e93fb94fa"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 10 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure Edge Hardware Center devices should have double encryption support enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Ensure that devices ordered from Azure Edge Hardware Center have double encryption support enabled, to secure the data at rest on the device. This option adds a second layer of data encryption.",
    "metadata": {
      "version": "1.0.0",
      "category": "Azure Edge Hardware Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The desired effect of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.EdgeOrder/orderItems"
          },
          {
            "field": "Microsoft.EdgeOrder/orderItems/orderItemDetails.preferences.encryptionPreferences.doubleEncryptionStatus",
            "notEquals": "Enabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/08a6b96f-576e-47a2-8511-119a212d344d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "08a6b96f-576e-47a2-8511-119a212d344d"
}
BuiltIn Azure Edge Hardware Center False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Azure Event Grid domains should disable public network access",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints.",
    "metadata": {
      "version": "1.0.0",
      "category": "Event Grid"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.EventGrid/domains"
          },
          {
            "field": "Microsoft.EventGrid/domains/publicNetworkAccess",
            "notEquals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/f8f774be-6aee-492a-9e29-486ef81f3a68",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "f8f774be-6aee-492a-9e29-486ef81f3a68"
}
BuiltIn Event Grid False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Azure Event Grid domains should use private link",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints.",
    "metadata": {
      "version": "1.0.2",
      "category": "Event Grid"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.EventGrid/domains"
          },
          {
            "count": {
              "field": "Microsoft.EventGrid/domains/privateEndpointConnections[*]",
              "where": {
                "field": "Microsoft.EventGrid/domains/privateEndpointConnections[*].privateLinkServiceConnectionState.status",
                "equals": "Approved"
              }
            },
            "less": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/9830b652-8523-49cc-b1b3-e17dce1127ca",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "9830b652-8523-49cc-b1b3-e17dce1127ca"
}
BuiltIn Event Grid False False n/a n/a Audit false 0 n/a true 7 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure Event Grid topics should disable public network access",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints.",
    "metadata": {
      "version": "1.0.0",
      "category": "Event Grid"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.EventGrid/topics"
          },
          {
            "field": "kind",
            "notEquals": "AzureArc"
          },
          {
            "field": "Microsoft.EventGrid/topics/publicNetworkAccess",
            "notEquals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/1adadefe-5f21-44f7-b931-a59b54ccdb45",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "1adadefe-5f21-44f7-b931-a59b54ccdb45"
}
BuiltIn Event Grid False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Azure Event Grid topics should use private link",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints.",
    "metadata": {
      "version": "1.0.2",
      "category": "Event Grid"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.EventGrid/topics"
          },
          {
            "field": "kind",
            "notEquals": "AzureArc"
          },
          {
            "count": {
              "field": "Microsoft.EventGrid/topics/privateEndpointConnections[*]",
              "where": {
                "field": "Microsoft.EventGrid/topics/privateEndpointConnections[*].privateLinkServiceConnectionState.status",
                "equals": "Approved"
              }
            },
            "less": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/4b90e17e-8448-49db-875e-bd83fb6f804f",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "4b90e17e-8448-49db-875e-bd83fb6f804f"
}
BuiltIn Event Grid False False n/a n/a Audit false 0 n/a true 7 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure File Sync should use private link",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. Creating a private endpoint by itself does not disable the public endpoint.",
    "metadata": {
      "version": "1.0.0",
      "category": "Storage"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.StorageSync/storageSyncServices"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.StorageSync/storageSyncServices/privateEndpointConnections",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.StorageSync/storageSyncServices/privateEndpointConnections/privateEndpoint",
                "exists": "true"
              },
              {
                "field": "Microsoft.StorageSync/storageSyncServices/privateEndpointConnections/provisioningState",
                "equals": "Succeeded"
              },
              {
                "field": "Microsoft.StorageSync/storageSyncServices/privateEndpointConnections/privateLinkServiceConnectionState.status",
                "equals": "Approved"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/1d320205-c6a1-4ac6-873d-46224024e8e2",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "1d320205-c6a1-4ac6-873d-46224024e8e2"
}
BuiltIn Storage False False n/a n/a AuditIfNotExists false 0 n/a true 4 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure HDInsight clusters should be injected into a virtual network",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Injecting Azure HDInsight clusters in a virtual network unlocks advanced HDInsight networking and security features and provides you with control over your network security configuration.",
    "metadata": {
      "version": "1.0.0",
      "category": "HDInsight"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled",
          "Deny"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.HDInsight/clusters"
          },
          {
            "count": {
              "field": "Microsoft.HDInsight/clusters/computeProfile.roles[*]",
              "where": {
                "anyOf": [
                  {
                    "field": "Microsoft.HDInsight/clusters/computeProfile.roles[*].virtualNetworkProfile.id",
                    "exists": false
                  },
                  {
                    "field": "Microsoft.HDInsight/clusters/computeProfile.roles[*].virtualNetworkProfile.subnet",
                    "exists": false
                  }
                ]
              }
            },
            "greater": 0
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/b0ab5b05-1c98-40f7-bb9e-dc568e41b501",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b0ab5b05-1c98-40f7-bb9e-dc568e41b501"
}
BuiltIn HDInsight False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Azure HDInsight clusters should use customer-managed keys to encrypt data at rest",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/hdi.cmk.",
    "metadata": {
      "version": "1.0.1",
      "category": "HDInsight"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.HDInsight/clusters"
          },
          {
            "field": "Microsoft.HDInsight/clusters/diskEncryptionProperties.keyName",
            "exists": false
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/64d314f6-6062-4780-a861-c23e8951bee5",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "64d314f6-6062-4780-a861-c23e8951bee5"
}
BuiltIn HDInsight False False n/a n/a Audit false 0 n/a true 4 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure HDInsight clusters should use encryption at host to encrypt data at rest",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service.",
    "metadata": {
      "version": "1.0.0",
      "category": "HDInsight"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.HDInsight/clusters"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.HDInsight/clusters/diskEncryptionProperties.encryptionAtHost",
                "exists": false
              },
              {
                "field": "Microsoft.HDInsight/clusters/diskEncryptionProperties.encryptionAtHost",
                "equals": false
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6"
}
BuiltIn HDInsight False False n/a n/a Audit false 0 n/a true 4 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure HDInsight clusters should use encryption in transit to encrypt communication between Azure HDInsight cluster nodes",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Data can be tampered with during transmission between Azure HDInsight cluster nodes. Enabling encryption in transit addresses problems of misuse and tampering during this transmission.",
    "metadata": {
      "version": "1.0.0",
      "category": "HDInsight"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.HDInsight/clusters"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.HDInsight/clusters/encryptionInTransitProperties.isEncryptionInTransitEnabled",
                "exists": false
              },
              {
                "field": "Microsoft.HDInsight/clusters/encryptionInTransitProperties.isEncryptionInTransitEnabled",
                "equals": false
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/d9da03a1-f3c3-412a-9709-947156872263",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "d9da03a1-f3c3-412a-9709-947156872263"
}
BuiltIn HDInsight False False n/a n/a Audit false 0 n/a true 4 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure Key Vault Managed HSM should have purge protection enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Malicious deletion of an Azure Key Vault Managed HSM can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge Azure Key Vault Managed HSM. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted Azure Key Vault Managed HSM. No one inside your organization or Microsoft will be able to purge your Azure Key Vault Managed HSM during the soft delete retention period.",
    "metadata": {
      "version": "1.0.0",
      "category": "Key Vault"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault/managedHsms"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.KeyVault/managedHsms/enableSoftDelete",
                "notEquals": "true"
              },
              {
                "field": "Microsoft.KeyVault/managedHsms/enablePurgeProtection",
                "notEquals": "true"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c39ba22d-4428-4149-b981-70acb31fc383"
}
BuiltIn Key Vault False False n/a n/a Audit false 0 n/a true 3 CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a) n/a
{
  "properties": {
    "displayName": "Azure Kubernetes Service Clusters should have local authentication methods disabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disabling local authentication methods improves security by ensuring that Azure Kubernetes Service Clusters should exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aks-disable-local-accounts.",
    "metadata": {
      "version": "1.0.0",
      "category": "Kubernetes"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ContainerService/managedClusters"
          },
          {
            "field": "Microsoft.ContainerService/managedClusters/disableLocalAccounts",
            "notEquals": true
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/993c2fcd-2b29-49d2-9eb0-df2c3a730c32",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "993c2fcd-2b29-49d2-9eb0-df2c3a730c32"
}
BuiltIn Kubernetes False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Azure Kubernetes Service Private Clusters should be enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Enable the private cluster feature for your Azure Kubernetes Service cluster to ensure network traffic between your API server and your node pools remains on the private network only. This is a common requirement in many regulatory and industry compliance standards.",
    "metadata": {
      "version": "1.0.0",
      "category": "Kubernetes"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ContainerService/managedClusters"
          },
          {
            "field": "Microsoft.ContainerService/managedClusters/apiServerAccessProfile.enablePrivateCluster",
            "notEquals": true
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "040732e8-d947-40b8-95d6-854c95024bf8"
}
BuiltIn Kubernetes False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Azure Log Search Alerts over Log Analytics workspaces should use customer-managed keys",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Ensure that Azure Log Search Alerts are implementing customer-managed keys, by storing the query text using the storage account that the customer had provided for the queried Log Analytics workspace. For more information, visit https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The effect determines what happens when the policy rule is evaluated to match"
        },
        "allowedValues": [
          "Audit",
          "Disabled",
          "Deny"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Insights/scheduledqueryrules"
          },
          {
            "field": "Microsoft.Insights/scheduledqueryrules/checkWorkspaceAlertsStorageConfigured",
            "notEquals": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/94c1f94d-33b0-4062-bd04-1cdc3e7eece2",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "94c1f94d-33b0-4062-bd04-1cdc3e7eece2"
}
BuiltIn Monitoring False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Azure Machine Learning workspaces should be encrypted with a customer-managed key",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/azureml-workspaces-cmk.",
    "metadata": {
      "version": "1.0.3",
      "category": "Machine Learning"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.MachineLearningServices/workspaces"
          },
          {
            "not": {
              "field": "Microsoft.MachineLearningServices/workspaces/encryption.status",
              "equals": "enabled"
            }
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ba769a63-b8cc-4b2d-abf6-ac33c7204be8"
}
BuiltIn Machine Learning False False n/a n/a Audit false 0 n/a true 7 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure Machine Learning workspaces should use private link",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link.",
    "metadata": {
      "version": "1.1.0",
      "category": "Machine Learning"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.MachineLearningServices/workspaces"
          },
          {
            "count": {
              "field": "Microsoft.MachineLearningServices/workspaces/privateEndpointConnections[*]",
              "where": {
                "field": "Microsoft.MachineLearningServices/workspaces/privateEndpointConnections[*].privateLinkServiceConnectionState.status",
                "equals": "Approved"
              }
            },
            "less": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/40cec1dd-a100-4920-b15b-3024fe8901ab",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "40cec1dd-a100-4920-b15b-3024fe8901ab"
}
BuiltIn Machine Learning False False n/a n/a Audit false 0 n/a true 7 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure Machine Learning workspaces should use user-assigned managed identity",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Manage access to Azure ML workspace and associated resources, Azure Container Registry, KeyVault, Storage, and App Insights using user-assigned managed identity. By default, system-assigned managed identity is used by Azure ML workspace to access the associated resources. User-assigned managed identity allows you to create the identity as an Azure resource and maintain the life cycle of that identity. Learn more at https://docs.microsoft.com/azure/machine-learning/how-to-use-managed-identities?tabs=python.",
    "metadata": {
      "version": "1.0.0",
      "category": "Machine Learning"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.MachineLearningServices/workspaces"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.MachineLearningServices/workspaces/primaryUserAssignedIdentity",
                "exists": false
              },
              {
                "field": "Microsoft.MachineLearningServices/workspaces/primaryUserAssignedIdentity",
                "equals": ""
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/5f0c7d88-c7de-45b8-ac49-db49e72eaa78",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "5f0c7d88-c7de-45b8-ac49-db49e72eaa78"
}
BuiltIn Machine Learning False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Azure Media Services accounts should disable public network access",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disabling public network access improves security by ensuring that Media Services resources are not exposed on the public internet. Creating private endpoints can limit exposure of Media Services resources. Learn more at: https://aka.ms/mediaservicesprivatelinkdocs.",
    "metadata": {
      "version": "1.0.0",
      "category": "Media Services"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Media/mediaservices"
          },
          {
            "field": "Microsoft.Media/mediaservices/publicNetworkAccess",
            "notEquals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/8bfe3603-0888-404a-87ff-5c1b6b4cc5e3",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "8bfe3603-0888-404a-87ff-5c1b6b4cc5e3"
}
BuiltIn Media Services False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Azure Media Services accounts should use an API that supports Private Link",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Media Services accounts should be created with an API that supports private link.",
    "metadata": {
      "version": "1.0.0",
      "category": "Media Services"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Media/mediaservices"
          },
          {
            "field": "Microsoft.Media/mediaservices/encryption.type",
            "exists": "false"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/a77d8bb4-8d22-4bc1-a884-f582a705b480",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "a77d8bb4-8d22-4bc1-a884-f582a705b480"
}
BuiltIn Media Services False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Azure Media Services accounts that allow access to the legacy v2 API should be blocked",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "The Media Services legacy v2 API allows requests that cannot be managed using Azure Policy. Media Services resources created using the 2020-05-01 API or later block access to the legacy v2 API.",
    "metadata": {
      "version": "1.0.0",
      "category": "Media Services"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Media/mediaservices"
          },
          {
            "field": "Microsoft.Media/mediaservices/encryption.type",
            "exists": "false"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/ccf93279-9c91-4143-a841-8d1f21505455",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ccf93279-9c91-4143-a841-8d1f21505455"
}
BuiltIn Media Services False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Azure Media Services content key policies should use token authentication",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Content key policies define the conditions that must be met to access content keys. A token restriction ensures content keys can only be accessed by users that have valid tokens from an authentication service, for example Azure Active Directory.",
    "metadata": {
      "version": "1.0.0",
      "category": "Media Services"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "openIdConnectDiscoveryDocument": {
        "type": "String",
        "metadata": {
          "displayName": "OpenID Connect discovery document",
          "description": "The permitted OpenID Connect discovery document. When using Azure Active Directory, this would be similar to 'https://login.microsoftonline.com/{tenantId}/v2.0/.well-known/openid-configuration', where {tenantId} is replaced with the tenant (directory) ID."
        }
      },
      "issuer": {
        "type": "String",
        "metadata": {
          "displayName": "Issuer",
          "description": "The permitted token issuer. When using Azure Active Directory, this would be similar to 'https://sts.windows.net/{tenantId}/', where {tenantId} is replaced with the tenant (directory) ID."
        }
      },
      "audience": {
        "type": "String",
        "metadata": {
          "displayName": "Audience",
          "description": "The permitted token audience. When using Azure Active Directory, this is the Application ID URI of the resource application."
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Media/mediaservices/contentKeyPolicies"
          },
          {
            "count": {
              "field": "Microsoft.Media/mediaServices/contentKeyPolicies/options[*]",
              "where": {
                "not": {
                  "allOf": [
                    {
                      "field": "Microsoft.Media/mediaServices/contentKeyPolicies/options[*].restriction.#Microsoft-Media-ContentKeyPolicyTokenRestriction",
                      "exists": "true"
                    },
                    {
                      "field": "Microsoft.Media/mediaServices/contentKeyPolicies/options[*].restriction.#Microsoft-Media-ContentKeyPolicyTokenRestriction.restrictionTokenType",
                      "matchInsensitively": "Jwt"
                    },
                    {
                      "field": "Microsoft.Media/mediaServices/contentKeyPolicies/options[*].restriction.#Microsoft-Media-ContentKeyPolicyTokenRestriction.openIdConnectDiscoveryDocument",
                      "like": "[parameters('openIdConnectDiscoveryDocument')]"
                    },
                    {
                      "field": "Microsoft.Media/mediaServices/contentKeyPolicies/options[*].restriction.#Microsoft-Media-ContentKeyPolicyTokenRestriction.issuer",
                      "like": "[parameters('issuer')]"
                    },
                    {
                      "field": "Microsoft.Media/mediaServices/contentKeyPolicies/options[*].restriction.#Microsoft-Media-ContentKeyPolicyTokenRestriction.audience",
                      "like": "[parameters('audience')]"
                    }
                  ]
                }
              }
            },
            "greater": 0
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/daccf7e4-9808-470c-a848-1c5b582a1afb",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "daccf7e4-9808-470c-a848-1c5b582a1afb"
}
BuiltIn Media Services False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Azure Media Services jobs with HTTPS inputs should limit input URIs to permitted URI patterns",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Restrict HTTPS inputs used by Media Services jobs to known endpoints. Inputs from HTTPS endpoints can be disabled entirely by setting an empty list of allowed job input patterns. Where job inputs specify a 'baseUri' the patterns will be matched against this value; when 'baseUri' is not set, the pattern is matched against the 'files' property.",
    "metadata": {
      "version": "1.0.1",
      "category": "Media Services"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Deny"
      },
      "allowedJobInputHttpUriPatterns": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed job input HTTPS URI patterns",
          "description": "Permitted URI patterns for HTTPS job inputs, for example [ 'https://store.contoso.com/media1/*', 'https://store.contoso.com/media2/*' ] or [ ] to block all HTTPS job inputs. URI patterns may contain a single asterisk which should be at the end of the URI to allow any file for a given URI prefix."
        },
        "defaultValue": []
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Media/mediaservices/transforms/jobs"
          },
          {
            "anyOf": [
              {
                "allOf": [
                  {
                    "field": "Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputHttp.baseUri",
                    "exists": "true"
                  },
                  {
                    "count": {
                      "value": "[parameters('allowedJobInputHttpUriPatterns')]",
                      "name": "pattern",
                      "where": {
                        "field": "Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputHttp.baseUri",
                        "like": "[current('pattern')]"
                      }
                    },
                    "equals": 0
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputHttp.baseUri",
                    "exists": "false"
                  },
                  {
                    "count": {
                      "field": "Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputClip.files[*]",
                      "where": {
                        "count": {
                          "value": "[parameters('allowedJobInputHttpUriPatterns')]",
                          "name": "pattern",
                          "where": {
                            "field": "Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputClip.files[*]",
                            "like": "[current('pattern')]"
                          }
                        },
                        "equals": 0
                      }
                    },
                    "greater": 0
                  }
                ]
              },
              {
                "count": {
                  "field": "Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputs.inputs[*]",
                  "where": {
                    "anyOf": [
                      {
                        "allOf": [
                          {
                            "field": "Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputHttp.baseUri",
                            "exists": "true"
                          },
                          {
                            "count": {
                              "value": "[parameters('allowedJobInputHttpUriPatterns')]",
                              "name": "pattern",
                              "where": {
                                "field": "Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputHttp.baseUri",
                                "like": "[current('pattern')]"
                              }
                            },
                            "equals": 0
                          }
                        ]
                      },
                      {
                        "allOf": [
                          {
                            "field": "Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputHttp.baseUri",
                            "exists": "false"
                          },
                          {
                            "count": {
                              "field": "Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputClip.files[*]",
                              "where": {
                                "count": {
                                  "value": "[parameters('allowedJobInputHttpUriPatterns')]",
                                  "name": "pattern",
                                  "where": {
                                    "field": "Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputClip.files[*]",
                                    "like": "[current('pattern')]"
                                  }
                                },
                                "equals": 0
                              }
                            },
                            "greater": 0
                          }
                        ]
                      }
                    ]
                  }
                },
                "greater": 0
              },
              {
                "count": {
                  "field": "Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputs.inputs[*]",
                  "where": {
                    "anyOf": [
                      {
                        "allOf": [
                          {
                            "field": "Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputHttp.baseUri",
                            "exists": "true"
                          },
                          {
                            "count": {
                              "value": "[parameters('allowedJobInputHttpUriPatterns')]",
                              "name": "pattern",
                              "where": {
                                "field": "Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputHttp.baseUri",
                                "like": "[current('pattern')]"
                              }
                            },
                            "equals": 0
                          }
                        ]
                      },
                      {
                        "allOf": [
                          {
                            "field": "Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputHttp.baseUri",
                            "exists": "false"
                          },
                          {
                            "count": {
                              "field": "Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputClip.files[*]",
                              "where": {
                                "count": {
                                  "value": "[parameters('allowedJobInputHttpUriPatterns')]",
                                  "name": "pattern",
                                  "where": {
                                    "field": "Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputClip.files[*]",
                                    "like": "[current('pattern')]"
                                  }
                                },
                                "equals": 0
                              }
                            },
                            "greater": 0
                          }
                        ]
                      }
                    ]
                  }
                },
                "greater": 0
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e9914afe-31cd-4b8a-92fa-c887f847d477",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e9914afe-31cd-4b8a-92fa-c887f847d477"
}
BuiltIn Media Services False False n/a n/a Deny false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Azure Media Services should use private link",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Media Services, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/mediaservicesprivatelinkdocs.",
    "metadata": {
      "version": "1.0.0",
      "category": "Media Services"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Media/mediaservices"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Media/mediaservices/privateEndpointConnections",
          "existenceCondition": {
            "field": "Microsoft.Media/mediaservices/privateEndpointConnections/privateLinkServiceConnectionState.status",
            "equals": "Approved"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/4a591bf5-918e-4a5f-8dad-841863140d61",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "4a591bf5-918e-4a5f-8dad-841863140d61"
}
BuiltIn Media Services False False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action'",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy ensures that a log profile collects logs for categories 'write,' 'delete,' and 'action'",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/logprofiles",
          "existenceCondition": {
            "allOf": [
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/categories[*]",
                  "notEquals": "Write"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/categories[*]",
                  "notEquals": "Delete"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/categories[*]",
                  "notEquals": "Action"
                }
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/1a4e592a-6a6e-44a5-9814-e36264ca96e7",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "1a4e592a-6a6e-44a5-9814-e36264ca96e7"
}
BuiltIn Monitoring False False n/a n/a AuditIfNotExists false 0 n/a true 4 CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de) n/a
{
  "properties": {
    "displayName": "Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption)",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "To ensure secure data encryption is enabled at the service level and the infrastructure level with two different encryption algorithms and two different keys, use an Azure Monitor dedicated cluster. This option is enabled by default when supported at the region, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The effect determines what happens when the policy rule is evaluated to match"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.OperationalInsights/clusters"
          },
          {
            "not": {
              "field": "Microsoft.OperationalInsights/clusters/isDoubleEncryptionEnabled",
              "equals": "true"
            }
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/ea0dfaed-95fb-448c-934e-d6e713ce393d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ea0dfaed-95fb-448c-934e-d6e713ce393d"
}
BuiltIn Monitoring False False n/a n/a audit false 0 n/a true 4 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure Monitor Logs clusters should be encrypted with customer-managed key",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. Customer-managed key in Azure Monitor gives you more control over the access to your data, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The effect determines what happens when the policy rule is evaluated to match"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.OperationalInsights/clusters"
          },
          {
            "anyOf": [
              {
                "anyOf": [
                  {
                    "field": "Microsoft.OperationalInsights/clusters/keyVaultProperties.keyVaultUri",
                    "equals": ""
                  },
                  {
                    "field": "Microsoft.OperationalInsights/clusters/keyVaultProperties.keyVaultUri",
                    "exists": "false"
                  }
                ]
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.OperationalInsights/clusters/keyVaultProperties.keyName",
                    "equals": ""
                  },
                  {
                    "field": "Microsoft.OperationalInsights/clusters/keyVaultProperties.keyName",
                    "exists": "false"
                  }
                ]
              },
              {
                "not": {
                  "field": "Microsoft.OperationalInsights/clusters/keyVaultProperties.keyVersion",
                  "exists": "true"
                }
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/1f68a601-6e6d-4e42-babf-3f643a047ea2",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "1f68a601-6e6d-4e42-babf-3f643a047ea2"
}
BuiltIn Monitoring False False n/a n/a audit false 0 n/a true 4 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure Monitor Logs for Application Insights should be linked to a Log Analytics workspace",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Link the Application Insights component to a Log Analytics workspace for logs encryption. Customer-managed keys are commonly required to meet regulatory compliance and for more control over the access to your data in Azure Monitor. Linking your component to a Log Analytics workspace that's enabled with a customer-managed key, ensures that your Application Insights logs meet this compliance requirement, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The effect determines what happens when the policy rule is evaluated to match"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Insights/components"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Insights/components/WorkspaceResourceId",
                "equals": ""
              },
              {
                "field": "Microsoft.Insights/components/WorkspaceResourceId",
                "exists": "false"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/d550e854-df1a-4de9-bf44-cd894b39a95e",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "d550e854-df1a-4de9-bf44-cd894b39a95e"
}
BuiltIn Monitoring False False n/a n/a audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Azure Monitor should collect activity logs from all regions",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions including global.",
    "metadata": {
      "version": "2.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/logProfiles",
          "existenceCondition": {
            "allOf": [
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/locations[*]",
                  "notEquals": "australiacentral"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/locations[*]",
                  "notEquals": "australiacentral2"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/locations[*]",
                  "notEquals": "australiaeast"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/locations[*]",
                  "notEquals": "australiasoutheast"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/locations[*]",
                  "notEquals": "brazilsouth"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/locations[*]",
                  "notEquals": "brazilsoutheast"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/locations[*]",
                  "notEquals": "canadacentral"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/locations[*]",
                  "notEquals": "canadaeast"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/locations[*]",
                  "notEquals": "centralindia"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/locations[*]",
                  "notEquals": "centralus"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/locations[*]",
                  "notEquals": "eastasia"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/locations[*]",
                  "notEquals": "eastus"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/locations[*]",
                  "notEquals": "eastus2"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/locations[*]",
                  "notEquals": "francecentral"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/locations[*]",
                  "notEquals": "francesouth"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/locations[*]",
                  "notEquals": "germanynorth"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/locations[*]",
                  "notEquals": "germanywestcentral"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/locations[*]",
                  "notEquals": "japaneast"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/locations[*]",
                  "notEquals": "japanwest"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/locations[*]",
                  "notEquals": "jioindiawest"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/locations[*]",
                  "notEquals": "koreacentral"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/locations[*]",
                  "notEquals": "koreasouth"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/locations[*]",
                  "notEquals": "northcentralus"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/locations[*]",
                  "notEquals": "northeurope"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/locations[*]",
                  "notEquals": "norwayeast"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/locations[*]",
                  "notEquals": "norwaywest"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/locations[*]",
                  "notEquals": "southafricanorth"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/locations[*]",
                  "notEquals": "southafricawest"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/locations[*]",
                  "notEquals": "southcentralus"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/locations[*]",
                  "notEquals": "southeastasia"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/locations[*]",
                  "notEquals": "southindia"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/locations[*]",
                  "notEquals": "switzerlandnorth"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/locations[*]",
                  "notEquals": "switzerlandwest"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/locations[*]",
                  "notEquals": "uaecentral"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/locations[*]",
                  "notEquals": "uaenorth"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/locations[*]",
                  "notEquals": "uksouth"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/locations[*]",
                  "notEquals": "ukwest"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/locations[*]",
                  "notEquals": "westcentralus"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/locations[*]",
                  "notEquals": "westeurope"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/locations[*]",
                  "notEquals": "westindia"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/locations[*]",
                  "notEquals": "westus"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/locations[*]",
                  "notEquals": "westus2"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/locations[*]",
                  "notEquals": "westus3"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Insights/logProfiles/locations[*]",
                  "notEquals": "global"
                }
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/41388f1c-2db0-4c25-95b2-35d7f5ccbfa9",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "41388f1c-2db0-4c25-95b2-35d7f5ccbfa9"
}
BuiltIn Monitoring False False n/a n/a AuditIfNotExists false 0 n/a true 4 CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de) n/a
{
  "properties": {
    "displayName": "Azure Monitor solution 'Security and Audit' must be deployed",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy ensures that Security and Audit is deployed.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.OperationsManagement/solutions",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.OperationsManagement/solutions/provisioningState",
                "equals": "Succeeded"
              },
              {
                "field": "name",
                "like": "Security(*)"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/3e596b57-105f-48a6-be97-03e9243bad6e",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "3e596b57-105f-48a6-be97-03e9243bad6e"
}
BuiltIn Monitoring False False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.",
    "metadata": {
      "version": "1.0.2",
      "category": "Kubernetes"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ContainerService/managedClusters"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.ContainerService/managedClusters/addonProfiles.azurePolicy.enabled",
                "exists": "false"
              },
              {
                "field": "Microsoft.ContainerService/managedClusters/addonProfiles.azurePolicy.enabled",
                "equals": "false"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0a15ec92-a229-4763-bb14-0ea34a568f8d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0a15ec92-a229-4763-bb14-0ea34a568f8d"
}
BuiltIn Kubernetes False False n/a n/a Audit false 0 n/a true 6 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure Service Bus namespaces should use private link",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Service Bus namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service.",
    "metadata": {
      "version": "1.0.0",
      "category": "Service Bus"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ServiceBus/namespaces"
          },
          {
            "field": "Microsoft.ServiceBus/namespaces/sku.tier",
            "equals": "Premium"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.ServiceBus/namespaces/privateEndpointConnections",
          "existenceCondition": {
            "field": "Microsoft.ServiceBus/namespaces/privateEndpointConnections/privateLinkServiceConnectionState.status",
            "equals": "Approved"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/1c06e275-d63d-4540-b761-71f364c2111d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "1c06e275-d63d-4540-b761-71f364c2111d"
}
BuiltIn Service Bus False False n/a n/a AuditIfNotExists false 0 n/a true 4 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure SignalR Service should disable public network access",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "To improve the security of Azure SignalR Service resource, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/asrs/networkacls. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks.",
    "metadata": {
      "version": "1.0.0",
      "category": "SignalR"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.SignalRService/SignalR"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.SignalRService/SignalR/networkACLs.defaultAction",
                "equals": "Allow"
              },
              {
                "field": "Microsoft.SignalRService/SignalR/networkACLs.publicNetwork.allow",
                "exists": false
              },
              {
                "count": {
                  "field": "Microsoft.SignalRService/SignalR/networkACLs.publicNetwork.allow[*]"
                },
                "greater": 0
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/21a9766a-82a5-4747-abb5-650b6dbba6d0",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "21a9766a-82a5-4747-abb5-650b6dbba6d0"
}
BuiltIn SignalR False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Azure SignalR Service should have local authentication methods disabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disabling local authentication methods improves security by ensuring that Azure SignalR Service exclusively require Azure Active Directory identities for authentication.",
    "metadata": {
      "version": "1.0.0",
      "category": "SignalR"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.SignalRService/SignalR"
          },
          {
            "field": "Microsoft.SignalRService/SignalR/disableLocalAuth",
            "notEquals": true
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/f70eecba-335d-4bbc-81d5-5b17b03d498f",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "f70eecba-335d-4bbc-81d5-5b17b03d498f"
}
BuiltIn SignalR False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Azure SignalR Service should use a Private Link enabled SKU",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination which protect your resources against public data leakage risks. The policy limits you to Private Link enabled SKUs for Azure SignalR Service. Learn more about private link at: https://aka.ms/asrs/privatelink.",
    "metadata": {
      "version": "1.0.0",
      "category": "SignalR"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.SignalRService/SignalR"
          },
          {
            "field": "Microsoft.SignalRService/SignalR/sku.tier",
            "equals": "Free"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/464a1620-21b5-448d-8ce6-d4ac6d1bc49a",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "464a1620-21b5-448d-8ce6-d4ac6d1bc49a"
}
BuiltIn SignalR False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Azure SignalR Service should use private link",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink.",
    "metadata": {
      "version": "1.0.1",
      "category": "SignalR"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.SignalRService/SignalR"
          },
          {
            "count": {
              "field": "Microsoft.SignalRService/SignalR/privateEndpointConnections[*]",
              "where": {
                "field": "Microsoft.SignalRService/SignalR/privateEndpointConnections[*].privateLinkServiceConnectionState.status",
                "equals": "Approved"
              }
            },
            "less": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/53503636-bcc9-4748-9663-5348217f160f",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "53503636-bcc9-4748-9663-5348217f160f"
}
BuiltIn SignalR False False n/a n/a Audit false 0 n/a true 7 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure Spring Cloud should use network injection",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud.",
    "metadata": {
      "version": "1.0.0",
      "category": "App Platform"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled",
          "Deny"
        ],
        "defaultValue": "Audit"
      },
      "evaluatedSkuNames": {
        "type": "Array",
        "metadata": {
          "displayName": "Azure Spring Cloud SKU Names",
          "description": "List of Azure Spring Cloud SKUs against which this policy will be evaluated."
        },
        "allowedValues": [
          "Standard"
        ],
        "defaultValue": [
          "Standard"
        ]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.AppPlatform/Spring"
          },
          {
            "field": "Microsoft.AppPlatform/Spring/sku.tier",
            "in": "[parameters('evaluatedSkuNames')]"
          },
          {
            "field": "Microsoft.AppPlatform/Spring/networkProfile.serviceRuntimeSubnetId",
            "exists": false
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/af35e2a4-ef96-44e7-a9ae-853dd97032c4",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "af35e2a4-ef96-44e7-a9ae-853dd97032c4"
}
BuiltIn App Platform False False n/a n/a Audit false 0 n/a true 7 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure SQL Database should have Azure Active Directory Only Authentication enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disabling local authentication methods and allowing only Azure Active Directory Authentication improves security by ensuring that Azure SQL Databases can exclusively be accessed by Azure Active Directory identities. Learn more at: aka.ms/adonlycreate.",
    "metadata": {
      "version": "1.0.0",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Sql/servers"
          },
          {
            "value": "[resourcegroup().managedBy]",
            "notContains": "/providers/Microsoft.Synapse/"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Sql/servers/administrators.azureADOnlyAuthentication",
                "exists": false
              },
              {
                "field": "Microsoft.Sql/servers/administrators.azureADOnlyAuthentication",
                "equals": "false"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/abda6d70-9778-44e7-84a8-06713e6db027",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "abda6d70-9778-44e7-84a8-06713e6db027"
}
BuiltIn SQL False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Azure SQL Database should have the minimal TLS version of 1.2",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.",
    "metadata": {
      "version": "1.0.1",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Sql/servers"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Sql/servers/minimalTlsVersion",
                "exists": false
              },
              {
                "field": "Microsoft.Sql/servers/minimalTlsVersion",
                "notEquals": "1.2"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "32e6bbec-16b6-44c2-be37-c5b672d103cf"
}
BuiltIn SQL False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Azure SQL Managed Instance should have Azure Active Directory Only Authentication enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disabling local authentication methods and allowing only Azure Active Directory Authentication improves security by ensuring that Azure SQL Managed Instances can exclusively be accessed by Azure Active Directory identities. Learn more at: aka.ms/adonlycreate.",
    "metadata": {
      "version": "1.0.0",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Sql/managedInstances"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Sql/managedInstances/administrators.azureADOnlyAuthentication",
                "exists": false
              },
              {
                "field": "Microsoft.Sql/managedInstances/administrators.azureADOnlyAuthentication",
                "equals": "false"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/78215662-041e-49ed-a9dd-5385911b3a1f",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "78215662-041e-49ed-a9dd-5385911b3a1f"
}
BuiltIn SQL False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Azure Stack Edge devices should use double-encryption",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "To secure the data at rest on the device, ensure it's double-encrypted, the access to data is controlled, and once the device is deactivated, the data is securely erased off the data disks. Double encryption is the use of two layers of encryption: BitLocker XTS-AES 256-bit encryption on the data volumes and built-in encryption of the hard drives. Learn more in the security overview documentation for the specific Stack Edge device.",
    "metadata": {
      "version": "1.0.0",
      "category": "Azure Stack Edge"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The desired effect of the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DataBoxEdge/DataBoxEdgeDevices"
          },
          {
            "field": "Microsoft.DataboxEdge/DataBoxEdgeDevices/sku.name",
            "notIn": [
              "TEA_1Node",
              "TEA_1Node_UPS",
              "TEA_1Node_Heater",
              "TEA_1Node_UPS_Heater",
              "TEA_4Node_Heater",
              "TEA_4Node_UPS_Heater",
              "TMA",
              "EdgePR_Base",
              "EdgePR_Base_UPS",
              "EdgeMR_Mini"
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/b4ac1030-89c5-4697-8e00-28b5ba6a8811",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b4ac1030-89c5-4697-8e00-28b5ba6a8811"
}
BuiltIn Azure Stack Edge False False n/a n/a audit false 0 n/a true 4 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure Stream Analytics jobs should use customer-managed keys to encrypt data",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.",
    "metadata": {
      "version": "1.0.0",
      "category": "Stream Analytics"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The desired effect of the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "Microsoft.StreamAnalytics/streamingJobs/contentStoragePolicy",
            "equals": "SystemAccount"
          },
          {
            "field": "type",
            "equals": "Microsoft.StreamAnalytics/streamingJobs"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "87ba29ef-1ab3-4d82-b763-87fcd4f531f7"
}
BuiltIn Stream Analytics False False n/a n/a audit false 0 n/a true 5 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure subscriptions should have a log profile for Activity Log",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy ensures if a log profile is enabled for exporting activity logs. It audits if there is no log profile created to export the logs either to a storage account or to an event hub.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/logProfiles",
          "existenceCondition": {
            "field": "Microsoft.Insights/logProfiles/categories",
            "exists": "true"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/7796937f-307b-4598-941c-67d3a05ebfe7",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "7796937f-307b-4598-941c-67d3a05ebfe7"
}
BuiltIn Monitoring False False n/a n/a AuditIfNotExists false 0 n/a true 2 CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de) n/a
{
  "properties": {
    "displayName": "Azure Synapse workspaces should allow outbound data traffic only to approved targets",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Increase security of your Synapse workspace by allowing outbound data traffic only to approved targets. This helps prevention against data exfiltration by validating the target before sending data.",
    "metadata": {
      "version": "1.0.0",
      "category": "Synapse"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled",
          "Deny"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Synapse/workspaces"
          },
          {
            "field": "Microsoft.Synapse/workspaces/managedVirtualNetworkSettings.preventDataExfiltration",
            "notEquals": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/3484ce98-c0c5-4c83-994b-c5ac24785218",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "3484ce98-c0c5-4c83-994b-c5ac24785218"
}
BuiltIn Synapse False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Azure Synapse workspaces should disable public network access",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disabling public network access improves security by ensuring that the Synapse workspace isn't exposed on the public internet. Creating private endpoints can limit exposure of your Synapse workspaces. Learn more at: https://docs.microsoft.com/azure/synapse-analytics/security/connectivity-settings.",
    "metadata": {
      "version": "1.0.0",
      "category": "Synapse"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Synapse/workspaces"
          },
          {
            "field": "Microsoft.Synapse/workspaces/publicNetworkAccess",
            "notEquals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/38d8df46-cf4e-4073-8e03-48c24b29de0d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "38d8df46-cf4e-4073-8e03-48c24b29de0d"
}
BuiltIn Synapse False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Azure Synapse workspaces should use customer-managed keys to encrypt data at rest",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.",
    "metadata": {
      "version": "1.0.0",
      "category": "Synapse"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Synapse/workspaces"
          },
          {
            "field": "Microsoft.Synapse/workspaces/encryption.cmk.key.name",
            "exists": false
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "f7d52b2d-e161-4dfa-a82b-55e564167385"
}
BuiltIn Synapse False False n/a n/a Audit false 0 n/a true 5 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure Synapse workspaces should use private link",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links.",
    "metadata": {
      "version": "1.0.1",
      "category": "Synapse"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Synapse/workspaces"
          },
          {
            "count": {
              "field": "Microsoft.Synapse/workspaces/privateEndpointConnections[*]",
              "where": {
                "field": "Microsoft.Synapse/workspaces/privateEndpointConnections[*].privateLinkServiceConnectionState.status",
                "equals": "Approved"
              }
            },
            "less": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/72d11df1-dd8a-41f7-8925-b05b960ebafc",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "72d11df1-dd8a-41f7-8925-b05b960ebafc"
}
BuiltIn Synapse False False n/a n/a Audit false 0 n/a true 4 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Azure VPN gateways should not use 'basic' SKU",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy ensures that VPN gateways do not use 'basic' SKU.",
    "metadata": {
      "version": "1.0.0",
      "category": "Network"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/virtualNetworkGateways"
          },
          {
            "field": "Microsoft.Network/virtualNetworkGateways/gatewayType",
            "equals": "Vpn"
          },
          {
            "field": "Microsoft.Network/virtualNetworkGateways/sku.tier",
            "equals": "Basic"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e345b6c3-24bd-4c93-9bbb-7e5e49a17b78",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e345b6c3-24bd-4c93-9bbb-7e5e49a17b78"
}
BuiltIn Network False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Azure Web PubSub Service should disable public network access",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disabling public network access improves security by ensuring that Azure Web PubSub service isn't exposed on the public internet. Creating private endpoints can limit exposure of Azure Web PubSub service. Learn more at: https://aka.ms/awps/networkacls.",
    "metadata": {
      "version": "1.0.0",
      "category": "Web PubSub"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.SignalRService/webPubSub"
          },
          {
            "field": "Microsoft.SignalRService/webPubSub/publicNetworkAccess",
            "notEquals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/bf45113f-264e-4a87-88f9-29ac8a0aca6a",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "bf45113f-264e-4a87-88f9-29ac8a0aca6a"
}
BuiltIn Web PubSub False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Azure Web PubSub Service should use a SKU that supports private link",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "With supported SKU, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Web PubSub service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink.",
    "metadata": {
      "version": "1.0.0",
      "category": "Web PubSub"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.SignalRService/webPubSub"
          },
          {
            "field": "Microsoft.SignalRService/webPubSub/sku.tier",
            "equals": "Free"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/82909236-25f3-46a6-841c-fe1020f95ae1",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "82909236-25f3-46a6-841c-fe1020f95ae1"
}
BuiltIn Web PubSub False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Azure Web PubSub Service should use private link",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink.",
    "metadata": {
      "version": "1.0.0",
      "category": "Web PubSub"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.SignalRService/webPubSub"
          },
          {
            "count": {
              "field": "Microsoft.SignalRService/webPubSub/privateEndpointConnections[*]",
              "where": {
                "field": "Microsoft.SignalRService/webPubSub/privateEndpointConnections[*].privateLinkServiceConnectionState.status",
                "equals": "Approved"
              }
            },
            "less": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/52630df9-ca7e-442b-853b-c6ce548b31a2",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "52630df9-ca7e-442b-853b-c6ce548b31a2"
}
BuiltIn Web PubSub False False n/a n/a Audit false 0 n/a true 4 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Batch accounts should have local authentication methods disabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disabling local authentication methods improves security by ensuring that Batch accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/batch/auth.",
    "metadata": {
      "version": "1.0.0",
      "category": "Batch"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Batch/batchAccounts"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Batch/batchAccounts/allowedAuthenticationModes",
                "exists": "false"
              },
              {
                "count": {
                  "field": "Microsoft.Batch/batchAccounts/allowedAuthenticationModes[*]",
                  "where": {
                    "not": {
                      "field": "Microsoft.Batch/batchAccounts/allowedAuthenticationModes[*]",
                      "equals": "AAD"
                    }
                  }
                },
                "greater": 0
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/6f68b69f-05fe-49cd-b361-777ee9ca7e35",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "6f68b69f-05fe-49cd-b361-777ee9ca7e35"
}
BuiltIn Batch False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Bot Service endpoint should be a valid HTTPS URI",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Data can be tampered with during transmission. Protocols exist that provide encryption to address problems of misuse and tampering. To ensure your bots are communicating only over encrypted channels, set the endpoint to a valid HTTPS URI. This ensures the HTTPS protocol is used to encrypt your data in transit and is also often a requirement for compliance with regulatory or industry standards. Please visit: https://docs.microsoft.com/azure/bot-service/bot-builder-security-guidelines.",
    "metadata": {
      "version": "1.0.1",
      "category": "Bot Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The desired effect of the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.BotService/botServices"
          },
          {
            "field": "Microsoft.BotService/botServices/endpoint",
            "notLike": "https://*"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/6164527b-e1ee-4882-8673-572f425f5e0a",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "6164527b-e1ee-4882-8673-572f425f5e0a"
}
BuiltIn Bot Service False False n/a n/a audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Bot Service should be encrypted with a customer-managed key",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Bot Service automatically encrypts your resource to protect your data and meet organizational security and compliance commitments. By default, Microsoft-managed encryption keys are used. For greater flexibility in managing keys or controlling access to your subscription, select customer-managed keys, also known as bring your own key (BYOK). Learn more about Azure Bot Service encryption: https://docs.microsoft.com/azure/bot-service/bot-service-encryption.",
    "metadata": {
      "version": "1.0.0",
      "category": "Bot Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The desired effect of the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.BotService/botServices"
          },
          {
            "field": "Microsoft.BotService/botServices/isCmekEnabled",
            "notEquals": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/51522a96-0869-4791-82f3-981000c2c67f",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "51522a96-0869-4791-82f3-981000c2c67f"
}
BuiltIn Bot Service False False n/a n/a audit false 0 n/a true 4 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Bot Service should have isolated mode enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Bots should be set to 'isolated only' mode. This setting configures Bot Service channels that require traffic over the public internet to be disabled.",
    "metadata": {
      "version": "1.0.0",
      "category": "Bot Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The desired effect of the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.BotService/botServices"
          },
          {
            "field": "Microsoft.BotService/botServices/isIsolated",
            "notEquals": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/52152f42-0dda-40d9-976e-abb1acdd611e",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "52152f42-0dda-40d9-976e-abb1acdd611e"
}
BuiltIn Bot Service False False n/a n/a audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.",
    "metadata": {
      "version": "1.0.0",
      "category": "Kubernetes"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Deny' blocks the non-compliant resource creation or update. 'Disabled' turns off the policy."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ContainerService/managedClusters"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.ContainerService/managedClusters/diskEncryptionSetID",
                "exists": "False"
              },
              {
                "field": "Microsoft.ContainerService/managedClusters/diskEncryptionSetID",
                "equals": ""
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "7d7be79c-23ba-4033-84dd-45e2a5ccdd67"
}
BuiltIn Kubernetes False False n/a n/a Audit false 0 n/a true 5 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Cloud Services (extended support) role instances should be configured securely",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Protect your Cloud Service (extended support) role instances from attacks by ensuring they are not exposed to any OS vulnerabilities.",
    "metadata": {
      "version": "1.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Compute/cloudServices"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "8941d121-f740-35f6-952c-6561d2b38d36",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/a0c11ca4-5828-4384-a2f2-fd7444dd5b4d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "a0c11ca4-5828-4384-a2f2-fd7444dd5b4d"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Cloud Services (extended support) role instances should have an endpoint protection solution installed",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Protect your Cloud Services (extended support) role instances from threats and vulnerabilities by ensuring an endpoint protection solution is installed on them.",
    "metadata": {
      "version": "1.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Compute/cloudServices"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "e71020c2-860c-3235-cd39-04f3f8c936d2",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/1e378679-f122-4a96-a739-a7729c46e1aa",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "1e378679-f122-4a96-a739-a7729c46e1aa"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Cloud Services (extended support) role instances should have system updates installed",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Secure your Cloud Services (extended support) role instances by ensuring the latest security and critical updates are installed on them.",
    "metadata": {
      "version": "1.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Compute/cloudServices"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "bd20bd91-aaf1-7f14-b6e4-866de2f43146",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/4df26ba8-026d-45b0-9521-bffa44d741d2",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "4df26ba8-026d-45b0-9521-bffa44d741d2"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Cognitive Services accounts should disable public network access",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disabling public network access improves security by ensuring that Cognitive Services account isn't exposed on the public internet. Creating private endpoints can limit exposure of Cognitive Services account. Learn more at: https://go.microsoft.com/fwlink/?linkid=2129800. ",
    "metadata": {
      "version": "1.0.1",
      "category": "Cognitive Services"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The effect determines what happens when the policy rule is evaluated to match"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.CognitiveServices/accounts"
          },
          {
            "field": "Microsoft.CognitiveServices/accounts/publicNetworkAccess",
            "notEquals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0725b4dd-7e76-479c-a735-68e7ee23d5ca"
}
BuiltIn Cognitive Services False False n/a n/a Audit false 0 n/a true 8 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Cognitive Services accounts should enable data encryption with a customer-managed key",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed keys at https://go.microsoft.com/fwlink/?linkid=2121321.",
    "metadata": {
      "version": "2.0.0",
      "category": "Cognitive Services"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The effect determines what happens when the policy rule is evaluated to match"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.CognitiveServices/accounts"
          },
          {
            "field": "Microsoft.CognitiveServices/accounts/encryption.keySource",
            "notEquals": "Microsoft.KeyVault"
          },
          {
            "count": {
              "field": "Microsoft.CognitiveServices/accounts/capabilities[*]",
              "where": {
                "field": "Microsoft.CognitiveServices/accounts/capabilities[*].name",
                "equals": "CustomerManagedKey"
              }
            },
            "greater": 0
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "67121cc7-ff39-4ab8-b7e3-95b84dab487d"
}
BuiltIn Cognitive Services False False n/a n/a Audit false 0 n/a true 8 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Cognitive Services accounts should have local authentication methods disabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/cs/auth.",
    "metadata": {
      "version": "1.0.0",
      "category": "Cognitive Services"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.CognitiveServices/accounts"
          },
          {
            "field": "Microsoft.CognitiveServices/accounts/disableLocalAuth",
            "notEquals": true
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "71ef260a-8f18-47b7-abcb-62d0673d94dc"
}
BuiltIn Cognitive Services False False n/a n/a Audit false 0 n/a true 4 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Cognitive Services accounts should restrict network access",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.",
    "metadata": {
      "version": "1.0.0",
      "category": "Cognitive Services"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The effect determines what happens when the policy rule is evaluated to match"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.CognitiveServices/accounts"
          },
          {
            "field": "Microsoft.CognitiveServices/accounts/networkAcls.defaultAction",
            "notEquals": "Deny"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "037eea7a-bd0a-46c5-9a66-03aea78705d3"
}
BuiltIn Cognitive Services False False n/a n/a Audit false 0 n/a true 8 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Cognitive Services accounts should use a managed identity",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Assigning a managed identity to your Cognitive Service account helps ensure secure authentication. This identity is used by this Cognitive service account to communicate with other Azure services, like Azure Key Vault, in a secure way without you having to manage any credentials.",
    "metadata": {
      "version": "1.0.0",
      "category": "Cognitive Services"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The effect determines what happens when the policy rule is evaluated to match"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.CognitiveServices/accounts"
          },
          {
            "anyOf": [
              {
                "field": "identity.type",
                "exists": "false"
              },
              {
                "field": "identity.type",
                "equals": "None"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "fe3fd216-4f83-4fc1-8984-2bbec80a3418"
}
BuiltIn Cognitive Services False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Cognitive Services accounts should use customer owned storage",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use customer owned storage to control the data stored at rest in Cognitive Services. To learn more about customer owned storage, visit https://aka.ms/cogsvc-cmk.",
    "metadata": {
      "version": "2.0.0",
      "category": "Cognitive Services"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The effect determines what happens when the policy rule is evaluated to match"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.CognitiveServices/accounts"
          },
          {
            "count": {
              "field": "Microsoft.CognitiveServices/accounts/userOwnedStorage[*]"
            },
            "less": 1
          },
          {
            "count": {
              "field": "Microsoft.CognitiveServices/accounts/capabilities[*]",
              "where": {
                "field": "Microsoft.CognitiveServices/accounts/capabilities[*].name",
                "equals": "CustomerManagedStorage"
              }
            },
            "greater": 0
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "46aa9b05-0e60-4eae-a88b-1e9d374fa515"
}
BuiltIn Cognitive Services False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Cognitive Services should use private link",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800.",
    "metadata": {
      "version": "1.0.0",
      "category": "Cognitive Services"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.CognitiveServices/accounts"
          },
          {
            "count": {
              "field": "Microsoft.CognitiveServices/accounts/privateEndpointConnections[*]",
              "where": {
                "field": "Microsoft.CognitiveServices/accounts/privateEndpointConnections[*].privateLinkServiceConnectionState.status",
                "equals": "Approved"
              }
            },
            "less": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/cddd188c-4b82-4c48-a19d-ddf74ee66a01",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "cddd188c-4b82-4c48-a19d-ddf74ee66a01"
}
BuiltIn Cognitive Services False False n/a n/a Audit false 0 n/a true 4 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Configure Advanced Threat Protection to be enabled on Azure database for MariaDB servers",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Enable Advanced Threat Protection on your non-Basic tier Azure database for MariaDB servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.",
    "metadata": {
      "version": "1.0.0",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DBforMariaDB/servers"
          },
          {
            "field": "Microsoft.DBforMariaDB/servers/sku.tier",
            "notContains": "basic"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.DBforMariaDB/servers/securityAlertPolicies",
          "name": "Default",
          "existenceCondition": {
            "field": "Microsoft.DBforMariaDB/servers/securityAlertPolicies/Default.state",
            "equals": "Enabled"
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "serverName": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "name": "[concat(parameters('serverName'), '/Default')]",
                    "type": "Microsoft.DBforMariaDB/servers/securityAlertPolicies",
                    "apiVersion": "2018-06-01",
                    "properties": {
                      "state": "Enabled",
                      "emailAccountAdmins": false
                    }
                  }
                ]
              },
              "parameters": {
                "serverName": {
                  "value": "[field('name')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/a6cf7411-da9e-49e2-aec0-cba0250eaf8c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "a6cf7411-da9e-49e2-aec0-cba0250eaf8c"
}
BuiltIn SQL False False n/a n/a DeployIfNotExists false 0 n/a true 1 Configure Advanced Threat Protection to be enabled on open-source relational databases (/providers/microsoft.authorization/policysetdefinitions/e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Configure Advanced Threat Protection to be enabled on Azure database for MySQL servers",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Enable Advanced Threat Protection on your non-Basic tier Azure database for MySQL servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.",
    "metadata": {
      "version": "1.0.0",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DBforMySQL/servers"
          },
          {
            "field": "Microsoft.DBforMySQL/servers/sku.tier",
            "notContains": "basic"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.DBforMySQL/servers/securityAlertPolicies",
          "name": "Default",
          "existenceCondition": {
            "field": "Microsoft.DBforMySQL/servers/securityAlertPolicies/Default.state",
            "equals": "Enabled"
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "serverName": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "name": "[concat(parameters('serverName'), '/Default')]",
                    "type": "Microsoft.DBforMySQL/servers/securityAlertPolicies",
                    "apiVersion": "2017-12-01",
                    "properties": {
                      "state": "Enabled",
                      "emailAccountAdmins": false
                    }
                  }
                ]
              },
              "parameters": {
                "serverName": {
                  "value": "[field('name')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "80ed5239-4122-41ed-b54a-6f1fa7552816"
}
BuiltIn SQL False False n/a n/a DeployIfNotExists false 0 n/a true 1 Configure Advanced Threat Protection to be enabled on open-source relational databases (/providers/microsoft.authorization/policysetdefinitions/e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL servers",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Enable Advanced Threat Protection on your non-Basic tier Azure database for PostgreSQL servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.",
    "metadata": {
      "version": "1.0.0",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DBforPostgreSQL/servers"
          },
          {
            "field": "Microsoft.DBforPostgreSQL/servers/sku.tier",
            "notContains": "basic"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.DBforPostgreSQL/servers/securityAlertPolicies",
          "name": "Default",
          "existenceCondition": {
            "field": "Microsoft.DBforPostgreSQL/servers/securityAlertPolicies/Default.state",
            "equals": "Enabled"
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "serverName": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "name": "[concat(parameters('serverName'), '/Default')]",
                    "type": "Microsoft.DBforPostgreSQL/servers/securityAlertPolicies",
                    "apiVersion": "2017-12-01",
                    "properties": {
                      "state": "Enabled",
                      "emailAccountAdmins": false
                    }
                  }
                ]
              },
              "parameters": {
                "serverName": {
                  "value": "[field('name')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/db048e65-913c-49f9-bb5f-1084184671d3",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "db048e65-913c-49f9-bb5f-1084184671d3"
}
BuiltIn SQL False False n/a n/a DeployIfNotExists false 0 n/a true 1 Configure Advanced Threat Protection to be enabled on open-source relational databases (/providers/microsoft.authorization/policysetdefinitions/e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Configure App Configuration stores to disable local authentication methods",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disable local authentication methods so that your App Configuration stores require Azure Active Directory identities exclusively for authentication. Learn more at: https://go.microsoft.com/fwlink/?linkid=2161954.",
    "metadata": {
      "version": "1.0.0",
      "category": "App Configuration"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Modify",
          "Disabled"
        ],
        "defaultValue": "Modify"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.AppConfiguration/configurationStores"
          },
          {
            "field": "Microsoft.AppConfiguration/configurationStores/disableLocalAuth",
            "notEquals": true
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "conflictEffect": "audit",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "operations": [
            {
              "condition": "[greaterOrEquals(requestContext().apiVersion, '2021-03-01-preview')]",
              "operation": "addOrReplace",
              "field": "Microsoft.AppConfiguration/configurationStores/disableLocalAuth",
              "value": true
            }
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/72bc14af-4ab8-43af-b4e4-38e7983f9a1f",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "72bc14af-4ab8-43af-b4e4-38e7983f9a1f"
}
BuiltIn App Configuration False False n/a n/a Modify false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Configure App Configuration to disable public network access",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disable public network access for App Configuration so that it isn't accessible over the public internet. This configuration helps protect them against data leakage risks. You can limit exposure of the your resources by creating private endpoints instead. Learn more at: https://aka.ms/appconfig/private-endpoint.",
    "metadata": {
      "version": "1.0.0",
      "category": "App Configuration"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Modify",
          "Disabled"
        ],
        "defaultValue": "Modify"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.AppConfiguration/configurationStores"
          },
          {
            "field": "Microsoft.AppConfiguration/configurationStores/publicNetworkAccess",
            "notEquals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "conflictEffect": "audit",
          "operations": [
            {
              "condition": "[greater(requestContext().apiVersion, '2019-10-01')]",
              "operation": "addOrReplace",
              "field": "Microsoft.AppConfiguration/configurationStores/publicNetworkAccess",
              "value": "Disabled"
            }
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/73290fa2-dfa7-4bbb-945d-a5e23b75df2c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "73290fa2-dfa7-4bbb-945d-a5e23b75df2c"
}
BuiltIn App Configuration False False n/a n/a Modify false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Configure App Services to disable public network access",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disable public network access for your App Services so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint.",
    "metadata": {
      "version": "1.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Web/sites"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "existenceCondition": {
            "field": "Microsoft.Web/sites/config/publicNetworkAccess",
            "equals": "Disabled"
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "webAppName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "webAppName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[concat(parameters('webAppName'), '/web')]",
                    "type": "Microsoft.Web/sites/config",
                    "apiVersion": "2020-09-01",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publicNetworkAccess": "Disabled"
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/81dff7c0-4020-4b58-955d-c076a2136b56",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "81dff7c0-4020-4b58-955d-c076a2136b56"
}
BuiltIn App Service False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Website Contributor' (de139f84-1756-47ae-9be6-808fbbe84772)
{
  "properties": {
    "displayName": "Configure App Services to use private DNS zones",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links a virtual network to an App Service. Learn more at: https://docs.microsoft.com/azure/app-service/networking/private-endpoint#dns.",
    "metadata": {
      "version": "1.0.0",
      "category": "App Service"
    },
    "parameters": {
      "privateDnsZoneId": {
        "type": "String",
        "metadata": {
          "displayName": "Private Dns Zone Id",
          "description": "The private DNS zone to deploy in a new private DNS zone group and link to the private endpoint",
          "strongType": "Microsoft.Network/privateDnsZones"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/privateEndpoints"
          },
          {
            "count": {
              "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]",
              "where": {
                "allOf": [
                  {
                    "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
                    "contains": "Microsoft.Web/sites"
                  },
                  {
                    "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                    "equals": "sites"
                  }
                ]
              }
            },
            "greaterOrEquals": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "privateDnsZoneId": {
                    "type": "string"
                  },
                  "privateEndpointName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
                    "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
                    "apiVersion": "2020-03-01",
                    "location": "[parameters('location')]",
                    "properties": {
                      "privateDnsZoneConfigs": [
                        {
                          "name": "websites-privateDnsZone",
                          "properties": {
                            "privateDnsZoneId": "[parameters('privateDnsZoneId')]"
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "parameters": {
                "privateDnsZoneId": {
                  "value": "[parameters('privateDnsZoneId')]"
                },
                "privateEndpointName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b318f84a-b872-429b-ac6d-a01b96814452"
}
BuiltIn App Service False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7)
{
  "properties": {
    "displayName": "Configure Association to link Linux virtual machines to Data Collection Rule",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploy Association to link Linux virtual machine to specified Data Collection Rule. The list of OS images is updated over time as support is increased.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy."
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "listOfLinuxImageIdToInclude": {
        "type": "Array",
        "metadata": {
          "displayName": "Optional: List of virtual machine images that have supported Linux OS to add to scope",
          "description": "Example values: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'"
        },
        "defaultValue": []
      },
      "DcrResourceId": {
        "type": "String",
        "metadata": {
          "displayName": "Data Collection Rule Resource Id",
          "description": "Resource Id of the Data Collection Rule to be applied on the virtual machines in scope."
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "location",
            "in": [
              "australiacentral",
              "australiaeast",
              "australiasoutheast",
              "canadacentral",
              "centralindia",
              "centralus",
              "eastasia",
              "eastus2euap",
              "eastus",
              "eastus2",
              "francecentral",
              "germanywestcentral",
              "japaneast",
              "koreacentral",
              "northcentralus",
              "northeurope",
              "southafricanorth",
              "southcentralus",
              "southeastasia",
              "switzerlandnorth",
              "uksouth",
              "ukwest",
              "westcentralus",
              "westeurope",
              "westus",
              "westus2"
            ]
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Compute/imageId",
                "in": "[parameters('listOfLinuxImageIdToInclude')]"
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "RedHat"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "RHEL",
                      "RHEL-SAP-HANA"
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "6.*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "7*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "8*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "SUSE"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "SLES",
                      "SLES-HPC",
                      "SLES-HPC-Priority",
                      "SLES-SAP",
                      "SLES-SAP-BYOS",
                      "SLES-Priority",
                      "SLES-BYOS",
                      "SLES-SAPCAL",
                      "SLES-Standard"
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "15*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Canonical"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "UbuntuServer"
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "14.04*LTS"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "16.04*LTS"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "18.04*LTS"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Canonical"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "0001-com-ubuntu-server-focal"
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "20_04-lts*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Oracle"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Oracle-Linux"
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "6.*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "7.*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "7*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "8*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "OpenLogic"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "CentOS",
                      "Centos-LVM",
                      "CentOS-SRIOV"
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "6.*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "7*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "8*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "cloudera"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "cloudera-centos-os"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "like": "7*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "credativ"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "debian"
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "8"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "9"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Debian"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "debian-10"
                    ]
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "like": "10"
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/dataCollectionRuleAssociations",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa"
          ],
          "existenceCondition": {
            "field": "Microsoft.Insights/dataCollectionRuleAssociations/dataCollectionRuleId",
            "equals": "[parameters('DcrResourceId')]"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "DcrResourceId": {
                    "type": "string"
                  }
                },
                "variables": {
                  "associationName": "[concat('assoc-', uniqueString(parameters('DcrResourceId')))]"
                },
                "resources": [
                  {
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', variables('associationName'))]",
                    "type": "Microsoft.Compute/virtualMachines/providers/dataCollectionRuleAssociations",
                    "location": "[parameters('location')]",
                    "apiVersion": "2019-11-01-preview",
                    "properties": {
                      "dataCollectionRuleId": "[parameters('DcrResourceId')]"
                    }
                  }
                ]
              },
              "parameters": {
                "resourceName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "DcrResourceId": {
                  "value": "[parameters('DcrResourceId')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/2ea82cdd-f2e8-4500-af75-67a2e084ca74",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "2ea82cdd-f2e8-4500-af75-67a2e084ca74"
}
BuiltIn Monitoring False False n/a n/a DeployIfNotExists false 0 n/a true 1 Configure Azure Monitor Agent to Linux virtual machines and associate to Data Collection Rule (/providers/microsoft.authorization/policysetdefinitions/118f04da-0375-44d1-84e3-0fd9e1849403) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa)
{
  "properties": {
    "displayName": "Configure Association to link Windows virtual machines to Data Collection Rule",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploy Association to link Windows virtual machines to specified Data Collection Rule. The list of OS images is updated over time as support is increased.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy."
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "listOfWindowsImageIdToInclude": {
        "type": "Array",
        "metadata": {
          "displayName": "Optional: List of virtual machine images that have supported Windows OS to add to scope",
          "description": "Example values: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'"
        },
        "defaultValue": []
      },
      "DcrResourceId": {
        "type": "String",
        "metadata": {
          "displayName": "Data Collection Rule Resource Id",
          "description": "Resource Id of the Data Collection Rule to be applied on the virtual machines in scope."
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "location",
            "in": [
              "australiacentral",
              "australiaeast",
              "australiasoutheast",
              "canadacentral",
              "centralindia",
              "centralus",
              "eastasia",
              "eastus2euap",
              "eastus",
              "eastus2",
              "francecentral",
              "germanywestcentral",
              "japaneast",
              "koreacentral",
              "northcentralus",
              "northeurope",
              "southafricanorth",
              "southcentralus",
              "southeastasia",
              "switzerlandnorth",
              "uksouth",
              "ukwest",
              "westcentralus",
              "westeurope",
              "westus",
              "westus2"
            ]
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Compute/imageId",
                "in": "[parameters('listOfWindowsImageIdToInclude')]"
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "WindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "in": [
                      "2008-R2-SP1",
                      "2008-R2-SP1-smalldisk",
                      "2012-Datacenter",
                      "2012-Datacenter-smalldisk",
                      "2012-R2-Datacenter",
                      "2012-R2-Datacenter-smalldisk",
                      "2016-Datacenter",
                      "2016-Datacenter-Server-Core",
                      "2016-Datacenter-Server-Core-smalldisk",
                      "2016-Datacenter-smalldisk",
                      "2016-Datacenter-with-Containers",
                      "2016-Datacenter-with-RDSH",
                      "2019-Datacenter",
                      "2019-Datacenter-Core",
                      "2019-Datacenter-Core-smalldisk",
                      "2019-Datacenter-Core-with-Containers",
                      "2019-Datacenter-Core-with-Containers-smalldisk",
                      "2019-Datacenter-smalldisk",
                      "2019-Datacenter-with-Containers",
                      "2019-Datacenter-with-Containers-smalldisk",
                      "2019-Datacenter-zhcn"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "WindowsServerSemiAnnual"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "in": [
                      "Datacenter-Core-1709-smalldisk",
                      "Datacenter-Core-1709-with-Containers-smalldisk",
                      "Datacenter-Core-1803-with-Containers-smalldisk"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServerHPCPack"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "WindowsServerHPCPack"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftSQLServer"
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2016"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2016-BYOL"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2012R2"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2012R2-BYOL"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftRServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "MLServer-WS2016"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftVisualStudio"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "VisualStudio",
                      "Windows"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftDynamicsAX"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Dynamics"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "equals": "Pre-Req-AX7-Onebox-U8"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "microsoft-ads"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "windows-data-science-vm"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsDesktop"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Windows-10"
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/dataCollectionRuleAssociations",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa"
          ],
          "existenceCondition": {
            "field": "Microsoft.Insights/dataCollectionRuleAssociations/dataCollectionRuleId",
            "equals": "[parameters('DcrResourceId')]"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "DcrResourceId": {
                    "type": "string"
                  }
                },
                "variables": {
                  "associationName": "[concat('assoc-', uniqueString(parameters('DcrResourceId')))]"
                },
                "resources": [
                  {
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', variables('associationName'))]",
                    "type": "Microsoft.Compute/virtualMachines/providers/dataCollectionRuleAssociations",
                    "location": "[parameters('location')]",
                    "apiVersion": "2019-11-01-preview",
                    "properties": {
                      "dataCollectionRuleId": "[parameters('DcrResourceId')]"
                    }
                  }
                ]
              },
              "parameters": {
                "resourceName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "DcrResourceId": {
                  "value": "[parameters('DcrResourceId')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/eab1f514-22e3-42e3-9a1f-e1dc9199355c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "eab1f514-22e3-42e3-9a1f-e1dc9199355c"
}
BuiltIn Monitoring False False n/a n/a DeployIfNotExists false 0 n/a true 1 Configure Azure Monitor Agent to Windows virtual machines and associate to Data Collection Rule (/providers/microsoft.authorization/policysetdefinitions/9575b8b7-78ab-4281-b53b-d3c1ace2260b) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa)
{
  "properties": {
    "displayName": "Configure Azure Activity logs to stream to specified Log Analytics workspace",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Primary Log Analytics workspace",
          "description": "If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace",
          "assignPermissions": true
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "deploymentScope": "Subscription",
          "existenceScope": "Subscription",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "[parameters('logsEnabled')]"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "deployment": {
            "location": "northeurope",
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "logAnalytics": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "name": "subscriptionToLa",
                    "type": "Microsoft.Insights/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "location": "Global",
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "logs": [
                        {
                          "category": "Administrative",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "Security",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "ServiceHealth",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "Alert",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "Recommendation",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "Policy",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "Autoscale",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "ResourceHealth",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/2465583e-4e78-4c15-b6be-a36cbc7c8b0f",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "2465583e-4e78-4c15-b6be-a36cbc7c8b0f"
}
BuiltIn Monitoring False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Configure Azure Application Insights components to disable public network access for log ingestion and querying",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disable components log ingestion and querying from public networks access to improve security. Only private-link connected networks will be able to ingest and query logs on this workspace. Learn more at https://aka.ms/AzMonPrivateLink#configure-application-insights.",
    "metadata": {
      "version": "1.1.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Modify",
          "Disabled"
        ],
        "defaultValue": "Modify"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Insights/components"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Insights/components/publicNetworkAccessForIngestion",
                "notEquals": "Disabled"
              },
              {
                "field": "Microsoft.Insights/components/publicNetworkAccessForQuery",
                "notEquals": "Disabled"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "conflictEffect": "Audit",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/ae349356-3a1b-4a5e-921d-050484c6347e"
          ],
          "operations": [
            {
              "operation": "addOrReplace",
              "field": "Microsoft.Insights/components/publicNetworkAccessForIngestion",
              "value": "Disabled"
            },
            {
              "operation": "addOrReplace",
              "field": "Microsoft.Insights/components/publicNetworkAccessForQuery",
              "value": "Disabled"
            }
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/dddfa1af-dcd6-42f4-b5b0-e1db01e0b405",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "dddfa1af-dcd6-42f4-b5b0-e1db01e0b405"
}
BuiltIn Monitoring False False n/a n/a Modify false 0 n/a false 0 n/a 'Application Insights Component Contributor' (ae349356-3a1b-4a5e-921d-050484c6347e)
{
  "properties": {
    "displayName": "Configure Azure Automation accounts to disable public network access",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disable public network access for Azure Automation account so that it isn't accessible over the public internet. This configuration helps protect them against data leakage risks. You can limit exposure of the your Automation account resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints.",
    "metadata": {
      "category": "Automation",
      "version": "1.0.0"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Modify",
          "Disabled"
        ],
        "defaultValue": "Modify"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Automation/automationAccounts"
          },
          {
            "field": "Microsoft.Automation/automationAccounts/publicNetworkAccess",
            "notEquals": false
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "conflictEffect": "audit",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "operations": [
            {
              "operation": "addOrReplace",
              "field": "Microsoft.Automation/automationAccounts/publicNetworkAccess",
              "value": false
            }
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "23b36a7c-9d26-4288-a8fd-c1d2fa284d8c"
}
BuiltIn Automation False False n/a n/a Modify false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Configure Azure Automation accounts with private DNS zones",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use private DNS zones to override the DNS resolution for a private endpoint. You need private DNS zone properly configured to connect to Azure Automation account via Azure Private Link. Learn more at: https://aka.ms/privatednszone.",
    "metadata": {
      "version": "1.0.0",
      "category": "Automation"
    },
    "parameters": {
      "privateDnsZoneId": {
        "type": "String",
        "metadata": {
          "displayName": "Private DNS zone ID",
          "description": "Specifies the private DNS zone to use to configure private endpoint",
          "strongType": "Microsoft.Network/privateDnsZones"
        }
      },
      "privateEndpointGroupId": {
        "type": "String",
        "metadata": {
          "displayName": "Private endpoint group id",
          "description": "A group Id for the private endpoint"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/privateEndpoints"
          },
          {
            "count": {
              "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
              "where": {
                "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                "equals": "[parameters('privateEndpointGroupId')]"
              }
            },
            "greaterOrEquals": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "privateDnsZoneId": {
                    "type": "string"
                  },
                  "privateEndpointName": {
                    "type": "string"
                  },
                  "privateEndpointGroupId": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
                    "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
                    "apiVersion": "2020-03-01",
                    "location": "[parameters('location')]",
                    "properties": {
                      "privateDnsZoneConfigs": [
                        {
                          "name": "automationAccounts-privateDnsZone",
                          "properties": {
                            "privateDnsZoneId": "[parameters('privateDnsZoneId')]"
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "parameters": {
                "privateDnsZoneId": {
                  "value": "[parameters('privateDnsZoneId')]"
                },
                "privateEndpointName": {
                  "value": "[field('name')]"
                },
                "privateEndpointGroupId": {
                  "value": "[parameters('privateEndpointGroupId')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "6dd01e4f-1be1-4e80-9d0b-d109e04cb064"
}
BuiltIn Automation False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7)
{
  "properties": {
    "displayName": "Configure Azure Cache for Redis to disable public network access",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disable public network access for your Azure Cache for Redis resource so that it's not accessible over the public internet. This helps protect the cache against data leakage risks.",
    "metadata": {
      "category": "Cache",
      "version": "1.0.0"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Modify",
          "Disabled"
        ],
        "defaultValue": "Modify"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Cache/Redis"
          },
          {
            "field": "Microsoft.Cache/Redis/publicNetworkAccess",
            "notEquals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "conflictEffect": "audit",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17"
          ],
          "operations": [
            {
              "condition": "[greaterOrEquals(requestContext().apiVersion, '2020-06-01')]",
              "operation": "addOrReplace",
              "field": "Microsoft.Cache/Redis/publicNetworkAccess",
              "value": "Disabled"
            }
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/30b3dfa5-a70d-4c8e-bed6-0083858f663d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "30b3dfa5-a70d-4c8e-bed6-0083858f663d"
}
BuiltIn Cache False False n/a n/a Modify false 0 n/a false 0 n/a 'Redis Cache Contributor' (e0f68234-74aa-48ed-b826-c38b57376e17)
{
  "properties": {
    "displayName": "Configure Azure Cache for Redis to use private DNS zones",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve to Azure Cache for Redis. Learn more at: https://aka.ms/privatednszone.",
    "metadata": {
      "version": "1.0.0",
      "category": "Cache"
    },
    "parameters": {
      "privateDnsZoneId": {
        "type": "String",
        "metadata": {
          "displayName": "Private DNS Zone Id",
          "strongType": "Microsoft.Network/privateDnsZones",
          "description": "The resource id of the private DNS zone"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/privateEndpoints"
          },
          {
            "count": {
              "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
              "where": {
                "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                "equals": "redisCache"
              }
            },
            "greaterOrEquals": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "privateDnsZoneId": {
                    "type": "string"
                  },
                  "privateEndpointName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
                    "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
                    "apiVersion": "2020-03-01",
                    "location": "[parameters('location')]",
                    "properties": {
                      "privateDnsZoneConfigs": [
                        {
                          "name": "privatelink-redis-cache-windows-net",
                          "properties": {
                            "privateDnsZoneId": "[parameters('privateDnsZoneId')]"
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "parameters": {
                "privateDnsZoneId": {
                  "value": "[parameters('privateDnsZoneId')]"
                },
                "privateEndpointName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e016b22b-e0eb-436d-8fd7-160c4eaed6e2"
}
BuiltIn Cache False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7)
{
  "properties": {
    "displayName": "Configure Azure Cache for Redis with private endpoints",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis resources, you can reduce data leakage risks. Learn more at: https://aka.ms/redis/privateendpoint.",
    "metadata": {
      "category": "Cache",
      "version": "1.0.0"
    },
    "parameters": {
      "privateEndpointSubnetId": {
        "type": "String",
        "metadata": {
          "displayName": "privateEndpointSubnetId",
          "description": "A subnet in the selected subscription/virtual network in which the private endpoint is configured",
          "strongType": "Microsoft.Network/virtualNetworks/subnets"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Cache/redis"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Cache/redis/privateEndpointConnections",
          "evaluationDelay": "AfterProvisioning",
          "existenceCondition": {
            "field": "Microsoft.Cache/redis/privateEndpointConnections/privateLinkServiceConnectionState.status",
            "equals": "Approved"
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "name": {
                  "value": "[field('name')]"
                },
                "serviceId": {
                  "value": "[field('id')]"
                },
                "privateEndpointSubnetId": {
                  "value": "[parameters('privateEndpointSubnetId')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "name": {
                    "type": "string"
                  },
                  "serviceId": {
                    "type": "string"
                  },
                  "privateEndpointSubnetId": {
                    "type": "string"
                  }
                },
                "variables": {
                  "privateEndpointName": "[concat('pe-m-',substring(parameters('name'),0,min(length(parameters('name')),47)),'-',uniquestring(deployment().name))]"
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/deployments",
                    "name": "[variables('privateEndpointName')]",
                    "apiVersion": "2020-06-01",
                    "properties": {
                      "mode": "Incremental",
                      "expressionEvaluationOptions": {
                        "scope": "inner"
                      },
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "serviceId": {
                            "type": "string"
                          },
                          "privateEndpointSubnetId": {
                            "type": "string"
                          },
                          "subnetLocation": {
                            "type": "string"
                          }
                        },
                        "variables": {
                          "privateEndpointName": "[deployment().name]"
                        },
                        "resources": [
                          {
                            "name": "[variables('privateEndpointName')]",
                            "type": "Microsoft.Network/privateEndpoints",
                            "apiVersion": "2020-07-01",
                            "location": "[parameters('subnetLocation')]",
                            "tags": {},
                            "properties": {
                              "subnet": {
                                "id": "[parameters('privateEndpointSubnetId')]"
                              },
                              "privateLinkServiceConnections": [
                                {
                                  "name": "[variables('privateEndpointName')]",
                                  "properties": {
                                    "privateLinkServiceId": "[parameters('serviceId')]",
                                    "groupIds": [
                                      "redisCache"
                                    ],
                                    "requestMessage": "autoapprove"
                                  }
                                }
                              ],
                              "manualPrivateLinkServiceConnections": []
                            }
                          }
                        ]
                      },
                      "parameters": {
                        "serviceId": {
                          "value": "[parameters('serviceId')]"
                        },
                        "privateEndpointSubnetId": {
                          "value": "[parameters('privateEndpointSubnetId')]"
                        },
                        "subnetLocation": {
                          "value": "[reference(first(take(split(parameters('privateEndpointSubnetId'),'/subnets'),1)),'2020-07-01','Full').location]"
                        }
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/5d8094d7-7340-465a-b6fd-e60ab7e48920",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "5d8094d7-7340-465a-b6fd-e60ab7e48920"
}
BuiltIn Cache False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Redis Cache Contributor' (e0f68234-74aa-48ed-b826-c38b57376e17)
{
  "properties": {
    "displayName": "Configure Azure Cognitive Search services to disable public network access",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disable public network access for your Azure Cognitive Search service so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints.",
    "metadata": {
      "category": "Search",
      "version": "1.0.0"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Modify",
          "Disabled"
        ],
        "defaultValue": "Modify"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Search/searchServices"
          },
          {
            "field": "Microsoft.Search/searchServices/publicNetworkAccess",
            "notEquals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "conflictEffect": "audit",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7",
            "/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0"
          ],
          "operations": [
            {
              "operation": "addOrReplace",
              "field": "Microsoft.Search/searchServices/publicNetworkAccess",
              "value": "Disabled"
            }
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/9cee519f-d9c1-4fd9-9f79-24ec3449ed30",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "9cee519f-d9c1-4fd9-9f79-24ec3449ed30"
}
BuiltIn Search False False n/a n/a Modify false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7), 'Search Service Contributor' (7ca78c08-252a-4471-8644-bb5ff32d4ba0)
{
  "properties": {
    "displayName": "Configure Azure Cognitive Search services to use private DNS zones",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Azure Cognitive Search service. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints.",
    "metadata": {
      "category": "Search",
      "version": "1.0.0"
    },
    "parameters": {
      "privateDnsZoneId": {
        "type": "String",
        "metadata": {
          "displayName": "Private DNS zone ID",
          "description": "Specifies the private DNS zone to use to configure private endpoint",
          "strongType": "Microsoft.Network/privateDnsZones"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/privateEndpoints"
          },
          {
            "count": {
              "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
              "where": {
                "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                "equals": "searchService"
              }
            },
            "greaterOrEquals": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "privateDnsZoneId": {
                    "type": "string"
                  },
                  "privateEndpointName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
                    "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
                    "apiVersion": "2020-03-01",
                    "location": "[parameters('location')]",
                    "properties": {
                      "privateDnsZoneConfigs": [
                        {
                          "name": "searchService-privateDnsZone",
                          "properties": {
                            "privateDnsZoneId": "[parameters('privateDnsZoneId')]"
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "parameters": {
                "privateDnsZoneId": {
                  "value": "[parameters('privateDnsZoneId')]"
                },
                "privateEndpointName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "fbc14a67-53e4-4932-abcc-2049c6706009"
}
BuiltIn Search False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7)
{
  "properties": {
    "displayName": "Configure Azure Cognitive Search services with private endpoints",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination.  By mapping private endpoints to your Azure Cognitive Search service, you can reduce data leakage risks.  Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints.",
    "metadata": {
      "version": "1.0.0",
      "category": "Search"
    },
    "parameters": {
      "privateEndpointSubnetId": {
        "type": "String",
        "metadata": {
          "displayName": "Private endpoint subnet ID",
          "description": "A subnet with private endpoint network policies disabled.",
          "strongType": "Microsoft.Network/virtualNetworks/subnets"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Search/searchServices"
          },
          {
            "field": "Microsoft.Search/searchServices/sku.name",
            "notEquals": "free"
          },
          {
            "field": "Microsoft.Search/searchServices/publicNetworkAccess",
            "equals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Search/searchServices/privateEndpointConnections",
          "existenceCondition": {
            "field": "Microsoft.Search/searchServices/privateEndpointConnections/privateLinkServiceConnectionState.status",
            "equals": "Approved"
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7",
            "/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "name": {
                  "value": "[field('name')]"
                },
                "serviceId": {
                  "value": "[field('id')]"
                },
                "privateEndpointSubnetId": {
                  "value": "[parameters('privateEndpointSubnetId')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "name": {
                    "type": "string"
                  },
                  "serviceId": {
                    "type": "string"
                  },
                  "privateEndpointSubnetId": {
                    "type": "string"
                  }
                },
                "variables": {
                  "privateEndpointName": "[concat('pe-',substring(parameters('name'),0,min(length(parameters('name')),50)),'-',uniquestring(deployment().name))]"
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/deployments",
                    "name": "[variables('privateEndpointName')]",
                    "apiVersion": "2020-06-01",
                    "properties": {
                      "mode": "Incremental",
                      "expressionEvaluationOptions": {
                        "scope": "inner"
                      },
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "serviceId": {
                            "type": "string"
                          },
                          "privateEndpointSubnetId": {
                            "type": "string"
                          },
                          "subnetLocation": {
                            "type": "string"
                          }
                        },
                        "variables": {
                          "privateEndpointName": "[deployment().name]"
                        },
                        "resources": [
                          {
                            "name": "[variables('privateEndpointName')]",
                            "type": "Microsoft.Network/privateEndpoints",
                            "apiVersion": "2020-07-01",
                            "location": "[parameters('subnetLocation')]",
                            "tags": {},
                            "properties": {
                              "subnet": {
                                "id": "[parameters('privateEndpointSubnetId')]"
                              },
                              "privateLinkServiceConnections": [
                                {
                                  "name": "[variables('privateEndpointName')]",
                                  "properties": {
                                    "privateLinkServiceId": "[parameters('serviceId')]",
                                    "groupIds": [
                                      "searchService"
                                    ],
                                    "requestMessage": "autoapprove"
                                  }
                                }
                              ],
                              "manualPrivateLinkServiceConnections": []
                            }
                          }
                        ]
                      },
                      "parameters": {
                        "serviceId": {
                          "value": "[parameters('serviceId')]"
                        },
                        "privateEndpointSubnetId": {
                          "value": "[parameters('privateEndpointSubnetId')]"
                        },
                        "subnetLocation": {
                          "value": "[reference(first(take(split(parameters('privateEndpointSubnetId'),'/subnets'),1)),'2020-07-01','Full').location]"
                        }
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/b698b005-b660-4837-b833-a7aaab26ddba",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b698b005-b660-4837-b833-a7aaab26ddba"
}
BuiltIn Search False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7), 'Search Service Contributor' (7ca78c08-252a-4471-8644-bb5ff32d4ba0)
{
  "properties": {
    "displayName": "Configure Azure Defender for App Service to be enabled",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.",
    "metadata": {
      "version": "1.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/pricings",
          "name": "AppServices",
          "deploymentScope": "subscription",
          "existenceScope": "subscription",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"
          ],
          "existenceCondition": {
            "field": "Microsoft.Security/pricings/pricingTier",
            "equals": "Standard"
          },
          "deployment": {
            "location": "westeurope",
            "properties": {
              "mode": "incremental",
              "parameters": {},
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {},
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Security/pricings",
                    "apiVersion": "2018-06-01",
                    "name": "AppServices",
                    "properties": {
                      "pricingTier": "Standard"
                    }
                  }
                ],
                "outputs": {}
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d"
}
BuiltIn Security Center False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Security Admin' (fb1c8493-542b-48eb-b624-b4c8fea62acd)
{
  "properties": {
    "displayName": "Configure Azure Defender for Azure SQL database to be enabled",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.",
    "metadata": {
      "version": "1.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/pricings",
          "name": "SqlServers",
          "deploymentScope": "subscription",
          "existenceScope": "subscription",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"
          ],
          "existenceCondition": {
            "field": "Microsoft.Security/pricings/pricingTier",
            "equals": "Standard"
          },
          "deployment": {
            "location": "westeurope",
            "properties": {
              "mode": "incremental",
              "parameters": {},
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {},
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Security/pricings",
                    "apiVersion": "2018-06-01",
                    "name": "SqlServers",
                    "properties": {
                      "pricingTier": "Standard"
                    }
                  }
                ],
                "outputs": {}
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b99b73e7-074b-4089-9395-b7236f094491"
}
BuiltIn Security Center False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Security Admin' (fb1c8493-542b-48eb-b624-b4c8fea62acd)
{
  "properties": {
    "displayName": "Configure Azure Defender for container registries to be enabled",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image.",
    "metadata": {
      "version": "1.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/pricings",
          "name": "ContainerRegistry",
          "deploymentScope": "subscription",
          "existenceScope": "subscription",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"
          ],
          "existenceCondition": {
            "field": "Microsoft.Security/pricings/pricingTier",
            "equals": "Standard"
          },
          "deployment": {
            "location": "westeurope",
            "properties": {
              "mode": "incremental",
              "parameters": {},
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {},
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Security/pricings",
                    "apiVersion": "2018-06-01",
                    "name": "ContainerRegistry",
                    "properties": {
                      "pricingTier": "Standard"
                    }
                  }
                ],
                "outputs": {}
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/d3d1e68e-49d4-4b56-acff-93cef644b432",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "d3d1e68e-49d4-4b56-acff-93cef644b432"
}
BuiltIn Security Center False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Security Admin' (fb1c8493-542b-48eb-b624-b4c8fea62acd)
{
  "properties": {
    "displayName": "Configure Azure Defender for DNS to be enabled",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center .",
    "metadata": {
      "version": "1.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/pricings",
          "name": "Dns",
          "deploymentScope": "subscription",
          "existenceScope": "subscription",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"
          ],
          "existenceCondition": {
            "field": "Microsoft.Security/pricings/pricingTier",
            "equals": "Standard"
          },
          "deployment": {
            "location": "westeurope",
            "properties": {
              "mode": "incremental",
              "parameters": {},
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {},
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Security/pricings",
                    "apiVersion": "2018-06-01",
                    "name": "Dns",
                    "properties": {
                      "pricingTier": "Standard"
                    }
                  }
                ],
                "outputs": {}
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "2370a3c1-4a25-4283-a91a-c9c1a145fb2f"
}
BuiltIn Security Center False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Security Admin' (fb1c8493-542b-48eb-b624-b4c8fea62acd)
{
  "properties": {
    "displayName": "Configure Azure Defender for Key Vaults to be enabled",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts.",
    "metadata": {
      "version": "1.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/pricings",
          "name": "KeyVaults",
          "deploymentScope": "subscription",
          "existenceScope": "subscription",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"
          ],
          "existenceCondition": {
            "field": "Microsoft.Security/pricings/pricingTier",
            "equals": "Standard"
          },
          "deployment": {
            "location": "westeurope",
            "properties": {
              "mode": "incremental",
              "parameters": {},
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {},
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Security/pricings",
                    "apiVersion": "2018-06-01",
                    "name": "KeyVaults",
                    "properties": {
                      "pricingTier": "Standard"
                    }
                  }
                ],
                "outputs": {}
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "1f725891-01c0-420a-9059-4fa46cb770b7"
}
BuiltIn Security Center False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Security Admin' (fb1c8493-542b-48eb-b624-b4c8fea62acd)
{
  "properties": {
    "displayName": "Configure Azure Defender for Kubernetes to be enabled",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities.",
    "metadata": {
      "version": "1.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/pricings",
          "name": "KubernetesService",
          "deploymentScope": "subscription",
          "existenceScope": "subscription",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"
          ],
          "existenceCondition": {
            "field": "Microsoft.Security/pricings/pricingTier",
            "equals": "Standard"
          },
          "deployment": {
            "location": "westeurope",
            "properties": {
              "mode": "incremental",
              "parameters": {},
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {},
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Security/pricings",
                    "apiVersion": "2018-06-01",
                    "name": "KubernetesService",
                    "properties": {
                      "pricingTier": "Standard"
                    }
                  }
                ],
                "outputs": {}
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/133047bf-1369-41e3-a3be-74a11ed1395a",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "133047bf-1369-41e3-a3be-74a11ed1395a"
}
BuiltIn Security Center False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Security Admin' (fb1c8493-542b-48eb-b624-b4c8fea62acd)
{
  "properties": {
    "displayName": "Configure Azure Defender for Resource Manager to be enabled",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center .",
    "metadata": {
      "version": "1.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/pricings",
          "name": "Arm",
          "deploymentScope": "subscription",
          "existenceScope": "subscription",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"
          ],
          "existenceCondition": {
            "field": "Microsoft.Security/pricings/pricingTier",
            "equals": "Standard"
          },
          "deployment": {
            "location": "westeurope",
            "properties": {
              "mode": "incremental",
              "parameters": {},
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {},
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Security/pricings",
                    "apiVersion": "2018-06-01",
                    "name": "Arm",
                    "properties": {
                      "pricingTier": "Standard"
                    }
                  }
                ],
                "outputs": {}
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b7021b2b-08fd-4dc0-9de7-3c6ece09faf9"
}
BuiltIn Security Center False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Security Admin' (fb1c8493-542b-48eb-b624-b4c8fea62acd)
{
  "properties": {
    "displayName": "Configure Azure Defender for servers to be enabled",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities.",
    "metadata": {
      "version": "1.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/pricings",
          "name": "VirtualMachines",
          "deploymentScope": "subscription",
          "existenceScope": "subscription",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"
          ],
          "existenceCondition": {
            "field": "Microsoft.Security/pricings/pricingTier",
            "equals": "Standard"
          },
          "deployment": {
            "location": "westeurope",
            "properties": {
              "mode": "incremental",
              "parameters": {},
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {},
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Security/pricings",
                    "apiVersion": "2018-06-01",
                    "name": "VirtualMachines",
                    "properties": {
                      "pricingTier": "Standard"
                    }
                  }
                ],
                "outputs": {}
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "8e86a5b6-b9bd-49d1-8e21-4bb8a0862222"
}
BuiltIn Security Center False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Security Admin' (fb1c8493-542b-48eb-b624-b4c8fea62acd)
{
  "properties": {
    "displayName": "Configure Azure Defender for SQL servers on machines to be enabled",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.",
    "metadata": {
      "version": "1.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/pricings",
          "name": "SqlServerVirtualMachines",
          "deploymentScope": "subscription",
          "existenceScope": "subscription",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"
          ],
          "existenceCondition": {
            "field": "Microsoft.Security/pricings/pricingTier",
            "equals": "Standard"
          },
          "deployment": {
            "location": "westeurope",
            "properties": {
              "mode": "incremental",
              "parameters": {},
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {},
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Security/pricings",
                    "apiVersion": "2018-06-01",
                    "name": "SqlServerVirtualMachines",
                    "properties": {
                      "pricingTier": "Standard"
                    }
                  }
                ],
                "outputs": {}
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "50ea7265-7d8c-429e-9a7d-ca1f410191c3"
}
BuiltIn Security Center False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Security Admin' (fb1c8493-542b-48eb-b624-b4c8fea62acd)
{
  "properties": {
    "displayName": "Configure Azure Defender for Storage to be enabled",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts.",
    "metadata": {
      "version": "1.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/pricings",
          "name": "StorageAccounts",
          "deploymentScope": "subscription",
          "existenceScope": "subscription",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"
          ],
          "existenceCondition": {
            "field": "Microsoft.Security/pricings/pricingTier",
            "equals": "Standard"
          },
          "deployment": {
            "location": "westeurope",
            "properties": {
              "mode": "incremental",
              "parameters": {},
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {},
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Security/pricings",
                    "apiVersion": "2018-06-01",
                    "name": "StorageAccounts",
                    "properties": {
                      "pricingTier": "Standard"
                    }
                  }
                ],
                "outputs": {}
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "74c30959-af11-47b3-9ed2-a26e03f427a3"
}
BuiltIn Security Center False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Security Admin' (fb1c8493-542b-48eb-b624-b4c8fea62acd)
{
  "properties": {
    "displayName": "Configure Azure Defender to be enabled on SQL managed instances",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Enable Azure Defender on your Azure SQL Managed Instances to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.",
    "metadata": {
      "version": "1.0.0",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Sql/managedInstances"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Sql/managedInstances/securityAlertPolicies",
          "name": "Default",
          "evaluationDelay": "AfterProvisioning",
          "existenceCondition": {
            "field": "Microsoft.Sql/securityAlertPolicies.state",
            "equals": "Enabled"
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "instanceName": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "name": "[concat(parameters('instanceName'), '/Default')]",
                    "type": "Microsoft.Sql/managedInstances/securityAlertPolicies",
                    "apiVersion": "2020-11-01-preview",
                    "properties": {
                      "state": "Enabled"
                    }
                  }
                ]
              },
              "parameters": {
                "instanceName": {
                  "value": "[field('name')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c5a62eb0-c65a-4220-8a4d-f70dd4ca95dd",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c5a62eb0-c65a-4220-8a4d-f70dd4ca95dd"
}
BuiltIn SQL False False n/a n/a DeployIfNotExists false 0 n/a true 1 Configure Azure Defender to be enabled on SQL Servers and SQL Managed Instances (/providers/microsoft.authorization/policysetdefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97) 'SQL Security Manager' (056cd41c-7e88-42e1-933e-88ba6a50c9c3)
{
  "properties": {
    "displayName": "Configure Azure Defender to be enabled on SQL servers",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Enable Azure Defender on your Azure SQL Servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.",
    "metadata": {
      "version": "2.1.0",
      "category": "SQL"
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Sql/servers"
          },
          {
            "field": "kind",
            "notContains": "analytics"
          }
        ]
      },
      "then": {
        "effect": "DeployIfNotExists",
        "details": {
          "type": "Microsoft.Sql/servers/securityAlertPolicies",
          "name": "Default",
          "existenceCondition": {
            "field": "Microsoft.Sql/securityAlertPolicies.state",
            "equals": "Enabled"
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "serverName": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "name": "[concat(parameters('serverName'), '/Default')]",
                    "type": "Microsoft.Sql/servers/securityAlertPolicies",
                    "apiVersion": "2020-11-01-preview",
                    "properties": {
                      "state": "Enabled"
                    }
                  }
                ]
              },
              "parameters": {
                "serverName": {
                  "value": "[field('name')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "36d49e87-48c4-4f2e-beed-ba4ed02b71f5"
}
BuiltIn SQL False False n/a n/a n/a false 0 n/a true 2 [Preview]: Motion Picture Association of America (MPAA) (/providers/microsoft.authorization/policysetdefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8), Configure Azure Defender to be enabled on SQL Servers and SQL Managed Instances (/providers/microsoft.authorization/policysetdefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97) 'SQL Security Manager' (056cd41c-7e88-42e1-933e-88ba6a50c9c3)
{
  "properties": {
    "displayName": "Configure Azure File Sync to use private DNS zones",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "To access the private endpoint(s) for Storage Sync Service resource interfaces from a registered server, you need to configure your DNS to resolve the correct names to your private endpoint's private IP addresses. This policy creates the requisite Azure Private DNS Zone and A records for the interfaces of your Storage Sync Service private endpoint(s).",
    "metadata": {
      "version": "1.0.0",
      "category": "Storage"
    },
    "parameters": {
      "privateDnsZoneId": {
        "type": "String",
        "metadata": {
          "displayName": "privateDnsZoneId",
          "strongType": "Microsoft.Network/privateDnsZones",
          "description": "Private DNS Zone Identifier"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/privateEndpoints"
          },
          {
            "count": {
              "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
              "where": {
                "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                "equals": "afs"
              }
            },
            "greaterOrEquals": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f",
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "privateDnsZoneId": {
                    "type": "string"
                  },
                  "privateEndpointName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
                    "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
                    "apiVersion": "2020-03-01",
                    "location": "[parameters('location')]",
                    "properties": {
                      "privateDnsZoneConfigs": [
                        {
                          "name": "privatelink-afs",
                          "properties": {
                            "privateDnsZoneId": "[parameters('privateDnsZoneId')]"
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "parameters": {
                "privateDnsZoneId": {
                  "value": "[parameters('privateDnsZoneId')]"
                },
                "privateEndpointName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "06695360-db88-47f6-b976-7500d4297475"
}
BuiltIn Storage False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Private DNS Zone Contributor' (b12aa53e-6015-4669-85d0-8515ebb3ae7f), 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7)
{
  "properties": {
    "displayName": "Configure Azure File Sync with private endpoints",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "A private endpoint is deployed for the indicated Storage Sync Service resource. This enables you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. The existence of one or more private endpoints by themselves does not disable the public endpoint.",
    "metadata": {
      "version": "1.0.0",
      "category": "Storage"
    },
    "parameters": {
      "privateEndpointSubnetId": {
        "type": "String",
        "metadata": {
          "displayName": "privateEndpointSubnetId",
          "description": "A subnet with private endpoint network policies disabled.",
          "strongType": "Microsoft.Network/virtualNetworks/subnets"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.StorageSync/storageSyncServices"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.StorageSync/storageSyncServices/privateEndpointConnections",
          "existenceCondition": {
            "field": "Microsoft.StorageSync/storageSyncServices/privateEndpointConnections/privateLinkServiceConnectionState.status",
            "equals": "Approved"
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "name": {
                  "value": "[field('name')]"
                },
                "serviceId": {
                  "value": "[field('id')]"
                },
                "privateEndpointSubnetId": {
                  "value": "[parameters('privateEndpointSubnetId')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "name": {
                    "type": "string"
                  },
                  "serviceId": {
                    "type": "string"
                  },
                  "privateEndpointSubnetId": {
                    "type": "string"
                  }
                },
                "variables": {
                  "privateEndpointName": "[concat('pe-',substring(parameters('name'),0,min(length(parameters('name')),50)),'-',uniquestring(deployment().name))]"
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/deployments",
                    "name": "[variables('privateEndpointName')]",
                    "apiVersion": "2020-06-01",
                    "properties": {
                      "mode": "Incremental",
                      "expressionEvaluationOptions": {
                        "scope": "inner"
                      },
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "serviceId": {
                            "type": "string"
                          },
                          "privateEndpointSubnetId": {
                            "type": "string"
                          },
                          "subnetLocation": {
                            "type": "string"
                          }
                        },
                        "variables": {
                          "privateEndpointName": "[deployment().name]"
                        },
                        "resources": [
                          {
                            "name": "[variables('privateEndpointName')]",
                            "type": "Microsoft.Network/privateEndpoints",
                            "apiVersion": "2020-07-01",
                            "location": "[parameters('subnetLocation')]",
                            "tags": {},
                            "properties": {
                              "subnet": {
                                "id": "[parameters('privateEndpointSubnetId')]"
                              },
                              "privateLinkServiceConnections": [
                                {
                                  "name": "[variables('privateEndpointName')]",
                                  "properties": {
                                    "privateLinkServiceId": "[parameters('serviceId')]",
                                    "groupIds": [
                                      "afs"
                                    ],
                                    "requestMessage": "autoapprove"
                                  }
                                }
                              ],
                              "manualPrivateLinkServiceConnections": []
                            }
                          }
                        ]
                      },
                      "parameters": {
                        "serviceId": {
                          "value": "[parameters('serviceId')]"
                        },
                        "privateEndpointSubnetId": {
                          "value": "[parameters('privateEndpointSubnetId')]"
                        },
                        "subnetLocation": {
                          "value": "[reference(first(take(split(parameters('privateEndpointSubnetId'),'/subnets'),1)),'2020-07-01','Full').location]"
                        }
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/b35dddd9-daf7-423b-8375-5a5b86806d5a",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b35dddd9-daf7-423b-8375-5a5b86806d5a"
}
BuiltIn Storage False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Configure Azure Log Analytics workspaces to disable public network access for log ingestion and querying",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Improve workspace security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs on this workspace. Learn more at https://aka.ms/AzMonPrivateLink#configure-log-analytics.",
    "metadata": {
      "version": "1.1.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The effect determines what happens when the policy rule is evaluated to match"
        },
        "allowedValues": [
          "Modify",
          "Disabled"
        ],
        "defaultValue": "Modify"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.OperationalInsights/workspaces"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.OperationalInsights/workspaces/publicNetworkAccessForIngestion",
                "notEquals": "Disabled"
              },
              {
                "field": "Microsoft.OperationalInsights/workspaces/publicNetworkAccessForQuery",
                "notEquals": "Disabled"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "conflictEffect": "Audit",
          "operations": [
            {
              "operation": "addOrReplace",
              "field": "Microsoft.OperationalInsights/workspaces/publicNetworkAccessForIngestion",
              "value": "Disabled"
            },
            {
              "operation": "addOrReplace",
              "field": "Microsoft.OperationalInsights/workspaces/publicNetworkAccessForQuery",
              "value": "Disabled"
            }
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/d3ba9c42-9dd5-441a-957c-274031c750c0",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "d3ba9c42-9dd5-441a-957c-274031c750c0"
}
BuiltIn Monitoring False False n/a n/a Modify false 0 n/a false 0 n/a 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Configure Azure Machine Learning workspace to use private DNS zones",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Machine Learning workspaces. Learn more at: https://docs.microsoft.com/azure/machine-learning/how-to-network-security-overview.",
    "metadata": {
      "version": "1.0.0",
      "category": "Machine Learning"
    },
    "parameters": {
      "privateDnsZoneId": {
        "type": "String",
        "metadata": {
          "displayName": "Private DNS Zone id",
          "description": "A private DNS zone id to connect to the private endpoint.",
          "strongType": "Microsoft.Network/privateDnsZones"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/privateEndpoints"
          },
          {
            "count": {
              "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
              "where": {
                "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                "equals": "amlworkspace"
              }
            },
            "greaterOrEquals": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "privateDnsZoneId": {
                    "type": "string"
                  },
                  "privateEndpointName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
                    "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
                    "apiVersion": "2020-03-01",
                    "location": "[parameters('location')]",
                    "properties": {
                      "privateDnsZoneConfigs": [
                        {
                          "name": "amlworkspace-privateDnsZone",
                          "properties": {
                            "privateDnsZoneId": "[parameters('privateDnsZoneId')]"
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "parameters": {
                "privateDnsZoneId": {
                  "value": "[parameters('privateDnsZoneId')]"
                },
                "privateEndpointName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ee40564d-486e-4f68-a5ca-7a621edae0fb"
}
BuiltIn Machine Learning False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7)
{
  "properties": {
    "displayName": "Configure Azure Machine Learning workspaces with private endpoints",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Machine Learning workspace, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link.",
    "metadata": {
      "version": "1.0.0",
      "category": "Machine Learning"
    },
    "parameters": {
      "privateEndpointSubnetId": {
        "type": "String",
        "metadata": {
          "displayName": "Private endpoint subnet id",
          "description": "A subnet with private endpoint network policies disabled.",
          "strongType": "Microsoft.Network/virtualNetworks/subnets"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.MachineLearningServices/workspaces"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.MachineLearningServices/workspaces/privateEndpointConnections",
          "existenceCondition": {
            "field": "Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status",
            "equals": "Approved"
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "name": {
                  "value": "[field('name')]"
                },
                "serviceId": {
                  "value": "[field('id')]"
                },
                "privateEndpointSubnetId": {
                  "value": "[parameters('privateEndpointSubnetId')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "name": {
                    "type": "string"
                  },
                  "serviceId": {
                    "type": "string"
                  },
                  "privateEndpointSubnetId": {
                    "type": "string"
                  }
                },
                "variables": {
                  "privateEndpointName": "[concat('pe-',substring(parameters('name'),0,min(length(parameters('name')),50)),'-',uniquestring(deployment().name))]"
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/deployments",
                    "name": "[variables('privateEndpointName')]",
                    "apiVersion": "2020-06-01",
                    "properties": {
                      "mode": "Incremental",
                      "expressionEvaluationOptions": {
                        "scope": "inner"
                      },
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "serviceId": {
                            "type": "string"
                          },
                          "privateEndpointSubnetId": {
                            "type": "string"
                          },
                          "subnetLocation": {
                            "type": "string"
                          }
                        },
                        "variables": {
                          "privateEndpointName": "[deployment().name]"
                        },
                        "resources": [
                          {
                            "name": "[variables('privateEndpointName')]",
                            "type": "Microsoft.Network/privateEndpoints",
                            "apiVersion": "2020-07-01",
                            "location": "[parameters('subnetLocation')]",
                            "tags": {},
                            "properties": {
                              "subnet": {
                                "id": "[parameters('privateEndpointSubnetId')]"
                              },
                              "privateLinkServiceConnections": [
                                {
                                  "name": "[variables('privateEndpointName')]",
                                  "properties": {
                                    "privateLinkServiceId": "[parameters('serviceId')]",
                                    "groupIds": [
                                      "amlworkspace"
                                    ],
                                    "requestMessage": "autoapprove"
                                  }
                                }
                              ],
                              "manualPrivateLinkServiceConnections": []
                            }
                          }
                        ]
                      },
                      "parameters": {
                        "serviceId": {
                          "value": "[parameters('serviceId')]"
                        },
                        "privateEndpointSubnetId": {
                          "value": "[parameters('privateEndpointSubnetId')]"
                        },
                        "subnetLocation": {
                          "value": "[reference(first(take(split(parameters('privateEndpointSubnetId'),'/subnets'),1)),'2020-07-01','Full').location]"
                        }
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/7838fd83-5cbb-4b5d-888c-bfa240972597",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "7838fd83-5cbb-4b5d-888c-bfa240972597"
}
BuiltIn Machine Learning False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7)
{
  "properties": {
    "displayName": "Configure Azure Media Services to use private DNS zones",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Media Services account. Learn more at: https://aka.ms/mediaservicesprivatelinkdocs.",
    "metadata": {
      "version": "1.0.0",
      "category": "Media Services"
    },
    "parameters": {
      "privateDnsZoneId": {
        "type": "String",
        "metadata": {
          "displayName": "Private DNS Zone ID for Media Services",
          "description": "The private DNS zone name required for Media Services to resolve a private DNS Zone.",
          "strongType": "Microsoft.Network/privateDnsZones",
          "assignPermissions": true
        }
      },
      "groupId": {
        "type": "String",
        "metadata": {
          "displayName": "Private endpoint group ID",
          "description": "The group ID of the private endpoint."
        },
        "allowedValues": [
          "keydelivery",
          "liveevent",
          "streamingendpoint"
        ]
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/privateEndpoints"
          },
          {
            "count": {
              "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]",
              "where": {
                "allOf": [
                  {
                    "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
                    "contains": "Microsoft.Media/mediaservices"
                  },
                  {
                    "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                    "equals": "[parameters('groupId')]"
                  }
                ]
              }
            },
            "greaterOrEquals": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "privateDnsZoneId": {
                    "type": "string"
                  },
                  "privateEndpointName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
                    "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
                    "apiVersion": "2020-03-01",
                    "location": "[parameters('location')]",
                    "properties": {
                      "privateDnsZoneConfigs": [
                        {
                          "name": "mediaservices-privateDnsZone",
                          "properties": {
                            "privateDnsZoneId": "[parameters('privateDnsZoneId')]"
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "parameters": {
                "privateDnsZoneId": {
                  "value": "[parameters('privateDnsZoneId')]"
                },
                "privateEndpointName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b4a7f6c1-585e-4177-ad5b-c2c93f4bb991"
}
BuiltIn Media Services False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7)
{
  "properties": {
    "displayName": "Configure Azure Media Services with private endpoints",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Media Services, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/mediaservicesprivatelinkdocs.",
    "metadata": {
      "version": "1.0.0",
      "category": "Media Services"
    },
    "parameters": {
      "privateEndpointSubnetId": {
        "type": "String",
        "metadata": {
          "displayName": "Private endpoint subnet ID",
          "description": "A subnet with private endpoint network policies disabled.",
          "strongType": "Microsoft.Network/virtualNetworks/subnets"
        }
      },
      "groupId": {
        "type": "String",
        "metadata": {
          "displayName": "Private endpoint group ID",
          "description": "The group ID of the private endpoint."
        },
        "allowedValues": [
          "keydelivery",
          "liveevent",
          "streamingendpoint"
        ]
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Media/mediaservices"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/privateEndpoints",
          "existenceScope": "Subscription",
          "existenceCondition": {
            "allOf": [
              {
                "count": {
                  "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]",
                  "where": {
                    "allOf": [
                      {
                        "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
                        "equals": "[field('id')]"
                      },
                      {
                        "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                        "equals": "[parameters('groupId')]"
                      }
                    ]
                  }
                },
                "greaterOrEquals": 1
              },
              {
                "field": "Microsoft.Network/privateEndpoints/subnet.id",
                "equals": "[parameters('privateEndpointSubnetId')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7",
            "/providers/Microsoft.Authorization/roleDefinitions/054126f8-9a2b-4f1c-a9ad-eca461f08466"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "name": {
                  "value": "[field('name')]"
                },
                "serviceId": {
                  "value": "[field('id')]"
                },
                "privateEndpointSubnetId": {
                  "value": "[parameters('privateEndpointSubnetId')]"
                },
                "groupId": {
                  "value": "[parameters('groupId')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "name": {
                    "type": "string"
                  },
                  "serviceId": {
                    "type": "string"
                  },
                  "privateEndpointSubnetId": {
                    "type": "string"
                  },
                  "groupId": {
                    "type": "string"
                  }
                },
                "variables": {
                  "privateEndpointName": "[concat('pe-',substring(parameters('name'),0,min(length(parameters('name')),50)),'-',uniquestring(deployment().name))]"
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/deployments",
                    "name": "[variables('privateEndpointName')]",
                    "apiVersion": "2020-06-01",
                    "properties": {
                      "mode": "Incremental",
                      "expressionEvaluationOptions": {
                        "scope": "inner"
                      },
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "serviceId": {
                            "type": "string"
                          },
                          "privateEndpointSubnetId": {
                            "type": "string"
                          },
                          "subnetLocation": {
                            "type": "string"
                          },
                          "groupId": {
                            "type": "string"
                          }
                        },
                        "variables": {
                          "privateEndpointName": "[deployment().name]"
                        },
                        "resources": [
                          {
                            "name": "[variables('privateEndpointName')]",
                            "type": "Microsoft.Network/privateEndpoints",
                            "apiVersion": "2020-07-01",
                            "location": "[parameters('subnetLocation')]",
                            "tags": {},
                            "properties": {
                              "subnet": {
                                "id": "[parameters('privateEndpointSubnetId')]"
                              },
                              "privateLinkServiceConnections": [
                                {
                                  "name": "[variables('privateEndpointName')]",
                                  "properties": {
                                    "privateLinkServiceId": "[parameters('serviceId')]",
                                    "groupIds": [
                                      "[parameters('groupId')]"
                                    ],
                                    "requestMessage": "autoapprove"
                                  }
                                }
                              ],
                              "manualPrivateLinkServiceConnections": []
                            }
                          }
                        ]
                      },
                      "parameters": {
                        "serviceId": {
                          "value": "[parameters('serviceId')]"
                        },
                        "privateEndpointSubnetId": {
                          "value": "[parameters('privateEndpointSubnetId')]"
                        },
                        "groupId": {
                          "value": "[parameters('groupId')]"
                        },
                        "subnetLocation": {
                          "value": "[reference(first(take(split(parameters('privateEndpointSubnetId'),'/subnets'),1)),'2020-07-01','Full').location]"
                        }
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c5632066-946d-4766-9544-cd79bcc1286e",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c5632066-946d-4766-9544-cd79bcc1286e"
}
BuiltIn Media Services False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7), 'Media Services Account Administrator' (054126f8-9a2b-4f1c-a9ad-eca461f08466)
{
  "properties": {
    "displayName": "Configure Azure Migrate resources to use private DNS zones",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Azure Migrate project. Learn more at: https://aka.ms/privatednszone.",
    "metadata": {
      "version": "1.0.0",
      "category": "Migrate"
    },
    "parameters": {
      "privateDnsZoneId": {
        "type": "String",
        "metadata": {
          "displayName": "Private DNS Zone ID",
          "description": "Specifies the private DNS zone to use to configure private endpoint",
          "strongType": "Microsoft.Network/privateDnsZones"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/privateEndpoints"
          },
          {
            "count": {
              "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]",
              "where": {
                "allOf": [
                  {
                    "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                    "equals": "Default"
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
                        "contains": "Microsoft.Migrate/assessmentProjects"
                      },
                      {
                        "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
                        "contains": "Microsoft.Migrate/migrateProjects"
                      },
                      {
                        "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
                        "contains": "Microsoft.OffAzure/masterSites"
                      }
                    ]
                  }
                ]
              }
            },
            "greaterOrEquals": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "privateDnsZoneId": {
                    "type": "string"
                  },
                  "privateEndpointName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
                    "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
                    "apiVersion": "2020-03-01",
                    "location": "[parameters('location')]",
                    "properties": {
                      "privateDnsZoneConfigs": [
                        {
                          "name": "default-privateDnsZone",
                          "properties": {
                            "privateDnsZoneId": "[parameters('privateDnsZoneId')]"
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "parameters": {
                "privateDnsZoneId": {
                  "value": "[parameters('privateDnsZoneId')]"
                },
                "privateEndpointName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/7590a335-57cf-4c95-babd-ecbc8fafeb1f",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "7590a335-57cf-4c95-babd-ecbc8fafeb1f"
}
BuiltIn Migrate False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7)
{
  "properties": {
    "displayName": "Configure Azure Monitor Private Link Scope to use private DNS zones",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Monitor private link scope. Learn more at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security#connect-to-a-private-endpoint.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "privateDnsZoneId1": {
        "type": "String",
        "metadata": {
          "displayName": "Private DNS Zone for global endpoints used by Azure Monitor",
          "description": "One of the five private DNS zone IDs required for Microsoft.Insights/privateLinkScopes to resolve a private DNS Zone to your Azure Monitor Private Link scope.",
          "strongType": "Microsoft.Network/privateDnsZones",
          "assignPermissions": true
        }
      },
      "privateDnsZoneId2": {
        "type": "String",
        "metadata": {
          "displayName": "Private DNS Zone for workspace-specific mapping to OMS agents endpoints",
          "description": "One of the five private DNS zone IDs required for Microsoft.Insights/privateLinkScopes to resolve a private DNS Zone to your Azure Monitor Private Link scope.",
          "strongType": "Microsoft.Network/privateDnsZones",
          "assignPermissions": true
        }
      },
      "privateDnsZoneId3": {
        "type": "String",
        "metadata": {
          "displayName": "Private DNS Zone for workspace-specific mapping to ingestion endpoints",
          "description": "One of the five private DNS zone IDs required for Microsoft.Insights/privateLinkScopes to resolve a private DNS Zone to your Azure Monitor Private Link scope.",
          "strongType": "Microsoft.Network/privateDnsZones",
          "assignPermissions": true
        }
      },
      "privateDnsZoneId4": {
        "type": "String",
        "metadata": {
          "displayName": "Private DNS Zone for workspace-specific mapping to the agent service automation endpoints",
          "description": "One of the five private DNS zone IDs required for Microsoft.Insights/privateLinkScopes to resolve a private DNS Zone.",
          "strongType": "Microsoft.Network/privateDnsZones",
          "assignPermissions": true
        }
      },
      "privateDnsZoneId5": {
        "type": "String",
        "metadata": {
          "displayName": "Private DNS Zone for connectivity to the global agent's solution packs storage account",
          "description": "One of the five private DNS zone IDs required for Microsoft.Insights/privateLinkScopes to resolve a private DNS Zone.",
          "strongType": "Microsoft.Network/privateDnsZones",
          "assignPermissions": true
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/privateEndpoints"
          },
          {
            "count": {
              "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]",
              "where": {
                "allOf": [
                  {
                    "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
                    "contains": "Microsoft.Insights/privateLinkScopes"
                  },
                  {
                    "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                    "equals": "azuremonitor"
                  }
                ]
              }
            },
            "greaterOrEquals": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "privateDnsZoneId1": {
                    "type": "string"
                  },
                  "privateDnsZoneId2": {
                    "type": "string"
                  },
                  "privateDnsZoneId3": {
                    "type": "string"
                  },
                  "privateDnsZoneId4": {
                    "type": "string"
                  },
                  "privateDnsZoneId5": {
                    "type": "string"
                  },
                  "privateEndpointName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
                    "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
                    "apiVersion": "2020-03-01",
                    "location": "[parameters('location')]",
                    "properties": {
                      "privateDnsZoneConfigs": [
                        {
                          "name": "privateDnsZone1",
                          "properties": {
                            "privateDnsZoneId": "[parameters('privateDnsZoneId1')]"
                          }
                        },
                        {
                          "name": "privateDnsZone2",
                          "properties": {
                            "privateDnsZoneId": "[parameters('privateDnsZoneId2')]"
                          }
                        },
                        {
                          "name": "privateDnsZone3",
                          "properties": {
                            "privateDnsZoneId": "[parameters('privateDnsZoneId3')]"
                          }
                        },
                        {
                          "name": "privateDnsZone4",
                          "properties": {
                            "privateDnsZoneId": "[parameters('privateDnsZoneId4')]"
                          }
                        },
                        {
                          "name": "privateDnsZone5",
                          "properties": {
                            "privateDnsZoneId": "[parameters('privateDnsZoneId5')]"
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "parameters": {
                "privateDnsZoneId1": {
                  "value": "[parameters('privateDnsZoneId1')]"
                },
                "privateDnsZoneId2": {
                  "value": "[parameters('privateDnsZoneId2')]"
                },
                "privateDnsZoneId3": {
                  "value": "[parameters('privateDnsZoneId3')]"
                },
                "privateDnsZoneId4": {
                  "value": "[parameters('privateDnsZoneId4')]"
                },
                "privateDnsZoneId5": {
                  "value": "[parameters('privateDnsZoneId5')]"
                },
                "privateEndpointName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "437914ee-c176-4fff-8986-7e05eb971365"
}
BuiltIn Monitoring False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7)
{
  "properties": {
    "displayName": "Configure Azure Monitor Private Link Scopes with private endpoints",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Monitor Private Link Scopes, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "privateEndpointSubnetId": {
        "type": "String",
        "metadata": {
          "displayName": "Private endpoint subnet ID",
          "description": "A subnet with private endpoint network policies disabled.",
          "strongType": "Microsoft.Network/virtualNetworks/subnets"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Insights/privateLinkScopes"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/privateLinkScopes/privateEndpointConnections",
          "existenceCondition": {
            "field": "Microsoft.Insights/privateLinkScopes/privateEndpointConnections/privateLinkServiceConnectionState.status",
            "equals": "Approved"
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "name": {
                  "value": "[field('name')]"
                },
                "serviceId": {
                  "value": "[field('id')]"
                },
                "privateEndpointSubnetId": {
                  "value": "[parameters('privateEndpointSubnetId')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "name": {
                    "type": "string"
                  },
                  "serviceId": {
                    "type": "string"
                  },
                  "privateEndpointSubnetId": {
                    "type": "string"
                  }
                },
                "variables": {
                  "privateEndpointName": "[concat('pe-',substring(parameters('name'),0,min(length(parameters('name')),50)),'-',uniquestring(deployment().name))]"
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/deployments",
                    "name": "[variables('privateEndpointName')]",
                    "apiVersion": "2020-06-01",
                    "properties": {
                      "mode": "Incremental",
                      "expressionEvaluationOptions": {
                        "scope": "inner"
                      },
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "serviceId": {
                            "type": "string"
                          },
                          "privateEndpointSubnetId": {
                            "type": "string"
                          },
                          "subnetLocation": {
                            "type": "string"
                          }
                        },
                        "variables": {
                          "privateEndpointName": "[deployment().name]"
                        },
                        "resources": [
                          {
                            "name": "[variables('privateEndpointName')]",
                            "type": "Microsoft.Network/privateEndpoints",
                            "apiVersion": "2020-07-01",
                            "location": "[parameters('subnetLocation')]",
                            "tags": {},
                            "properties": {
                              "subnet": {
                                "id": "[parameters('privateEndpointSubnetId')]"
                              },
                              "privateLinkServiceConnections": [
                                {
                                  "name": "[variables('privateEndpointName')]",
                                  "properties": {
                                    "privateLinkServiceId": "[parameters('serviceId')]",
                                    "groupIds": [
                                      "azuremonitor"
                                    ],
                                    "requestMessage": "autoapprove"
                                  }
                                }
                              ],
                              "manualPrivateLinkServiceConnections": []
                            }
                          }
                        ]
                      },
                      "parameters": {
                        "serviceId": {
                          "value": "[parameters('serviceId')]"
                        },
                        "privateEndpointSubnetId": {
                          "value": "[parameters('privateEndpointSubnetId')]"
                        },
                        "subnetLocation": {
                          "value": "[reference(first(take(split(parameters('privateEndpointSubnetId'),'/subnets'),1)),'2020-07-01','Full').location]"
                        }
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e8185402-357b-4768-8058-f620bc0ae6b5",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e8185402-357b-4768-8058-f620bc0ae6b5"
}
BuiltIn Monitoring False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Configure Azure SQL database servers diagnostic settings to Log Analytics workspace",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Enables auditing logs for Azure SQL Database server and stream the logs to a Log Analytics workspace when any SQL Server which is missing this auditing is created or updated",
    "metadata": {
      "version": "1.0.2",
      "category": "SQL"
    },
    "parameters": {
      "logAnalyticsWorkspaceId": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Specify the Log Analytics workspace the server should be connected to.",
          "strongType": "omsWorkspace",
          "assignPermissions": true
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Sql/servers"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Sql/servers/auditingSettings",
          "name": "Default",
          "existenceCondition": {
            "field": "Microsoft.Sql/auditingSettings.state",
            "equals": "Enabled"
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3",
            "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "serverName": {
                    "type": "string"
                  },
                  "logAnalyticsWorkspaceId": {
                    "type": "string"
                  }
                },
                "variables": {
                  "diagnosticSettingsName": "SQLSecurityAuditEvents_3d229c42-c7e7-4c97-9a99-ec0d0d8b86c1"
                },
                "resources": [
                  {
                    "type": "Microsoft.Sql/servers/databases/providers/diagnosticSettings",
                    "name": "[concat(parameters('serverName'),'/master/microsoft.insights/',variables('diagnosticSettingsName'))]",
                    "apiVersion": "2017-05-01-preview",
                    "properties": {
                      "name": "[variables('diagnosticSettingsName')]",
                      "workspaceId": "[parameters('logAnalyticsWorkspaceId')]",
                      "logs": [
                        {
                          "category": "SQLSecurityAuditEvents",
                          "enabled": true,
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          }
                        }
                      ]
                    }
                  },
                  {
                    "name": "[concat(parameters('serverName'), '/Default')]",
                    "type": "Microsoft.Sql/servers/auditingSettings",
                    "apiVersion": "2017-03-01-preview",
                    "dependsOn": [
                      "[concat('Microsoft.Sql/servers/', parameters('serverName'),'/databases/master/providers/microsoft.insights/diagnosticSettings/', variables('diagnosticSettingsName'))]"
                    ],
                    "properties": {
                      "state": "Enabled",
                      "isAzureMonitorTargetEnabled": true
                    }
                  }
                ]
              },
              "parameters": {
                "serverName": {
                  "value": "[field('name')]"
                },
                "logAnalyticsWorkspaceId": {
                  "value": "[parameters('logAnalyticsWorkspaceId')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/7ea8a143-05e3-4553-abfe-f56bef8b0b70",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "7ea8a143-05e3-4553-abfe-f56bef8b0b70"
}
BuiltIn SQL False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'SQL Security Manager' (056cd41c-7e88-42e1-933e-88ba6a50c9c3), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Configure Azure SQL Server to disable public network access",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disabling the public network access property shuts down public connectivity such that Azure SQL Server can only be accessed from a private endpoint. This configuration disables the public network access for all databases under the Azure SQL Server.",
    "metadata": {
      "category": "SQL",
      "version": "1.0.0"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Modify",
          "Disabled"
        ],
        "defaultValue": "Modify"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Sql/servers"
          },
          {
            "field": "Microsoft.Sql/servers/publicNetworkAccess",
            "notEquals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "conflictEffect": "audit",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437"
          ],
          "operations": [
            {
              "operation": "addOrReplace",
              "field": "Microsoft.Sql/servers/publicNetworkAccess",
              "value": "Disabled"
            }
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/28b0b1e5-17ba-4963-a7a4-5a1ab4400a0b",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "28b0b1e5-17ba-4963-a7a4-5a1ab4400a0b"
}
BuiltIn SQL False False n/a n/a Modify false 0 n/a false 0 n/a 'SQL Server Contributor' (6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437)
{
  "properties": {
    "displayName": "Configure Azure SQL Server to enable private endpoint connections",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "A private endpoint connection enables private connectivity to your Azure SQL Database via a private IP address inside a virtual network. This configuration improves your security posture and supports Azure networking tools and scenarios.",
    "metadata": {
      "category": "SQL",
      "version": "1.0.0"
    },
    "parameters": {
      "privateEndpointSubnetId": {
        "type": "String",
        "metadata": {
          "displayName": "Subnet to use for Private Endpoints",
          "description": "The name of the subnet within the virtual network that you would like to use for your Private Endpoint Connection deployment",
          "strongType": "Microsoft.Network/virtualNetworks/subnets"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Sql/servers"
          },
          {
            "count": {
              "field": "Microsoft.Sql/servers/privateEndpointConnections[*]",
              "where": {
                "field": "Microsoft.Sql/servers/privateEndpointConnections[*].id",
                "exists": "false"
              }
            },
            "equals": 0
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Sql/servers/privateEndpointConnections",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7",
            "/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "name": {
                  "value": "[field('name')]"
                },
                "serviceId": {
                  "value": "[field('id')]"
                },
                "privateEndpointSubnetId": {
                  "value": "[parameters('privateEndpointSubnetId')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "name": {
                    "type": "string"
                  },
                  "serviceId": {
                    "type": "string"
                  },
                  "privateEndpointSubnetId": {
                    "type": "string"
                  }
                },
                "variables": {
                  "privateEndpointName": "[concat('pe-',substring(parameters('name'),0,min(length(parameters('name')),50)),'-',uniquestring(deployment().name))]"
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/deployments",
                    "name": "[variables('privateEndpointName')]",
                    "apiVersion": "2020-06-01",
                    "properties": {
                      "mode": "Incremental",
                      "expressionEvaluationOptions": {
                        "scope": "inner"
                      },
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "name": {
                            "type": "String"
                          },
                          "serviceId": {
                            "type": "String"
                          },
                          "privateEndpointSubnetId": {
                            "type": "String"
                          },
                          "subnetlocation": {
                            "type": "String"
                          }
                        },
                        "variables": {
                          "privateEndpointName": "[deployment().name]"
                        },
                        "resources": [
                          {
                            "type": "Microsoft.Network/privateEndpoints",
                            "apiVersion": "2020-07-01",
                            "name": "[variables('privateEndpointName')]",
                            "location": "[parameters('subnetlocation')]",
                            "properties": {
                              "privateLinkServiceConnections": [
                                {
                                  "name": "[parameters('name')]",
                                  "properties": {
                                    "privateLinkServiceId": "[parameters('serviceId')]",
                                    "groupIds": [
                                      "sqlServer"
                                    ],
                                    "privateLinkServiceConnectionState": {
                                      "status": "Approved",
                                      "description": "Auto-approved",
                                      "actionsRequired": "None"
                                    }
                                  }
                                }
                              ],
                              "manualPrivateLinkServiceConnections": [],
                              "subnet": {
                                "id": "[parameters('privateEndpointSubnetId')]"
                              },
                              "customDnsConfigs": []
                            }
                          }
                        ]
                      },
                      "parameters": {
                        "name": {
                          "value": "[parameters('name')]"
                        },
                        "privateEndpointSubnetId": {
                          "value": "[parameters('privateEndpointSubnetId')]"
                        },
                        "serviceId": {
                          "value": "[parameters('serviceId')]"
                        },
                        "subnetlocation": {
                          "value": "[reference(first(take(split(parameters('privateEndpointSubnetId'),'/subnets'),1)),'2020-07-01','Full').location]"
                        }
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/8e8ca470-d980-4831-99e6-dc70d9f6af87",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "8e8ca470-d980-4831-99e6-dc70d9f6af87"
}
BuiltIn SQL False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7), 'SQL Server Contributor' (6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437)
{
  "properties": {
    "displayName": "Configure Azure Synapse workspaces to disable public network access",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disable public network access for your Synapse workspace so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/synapse-analytics/security/connectivity-settings.",
    "metadata": {
      "version": "1.0.0",
      "category": "Synapse"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Modify",
          "Disabled"
        ],
        "defaultValue": "Modify"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Synapse/workspaces"
          },
          {
            "field": "Microsoft.Synapse/workspaces/publicNetworkAccess",
            "notEquals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "conflictEffect": "audit",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "operations": [
            {
              "operation": "addOrReplace",
              "field": "Microsoft.Synapse/workspaces/publicNetworkAccess",
              "value": "Disabled"
            }
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/5c8cad01-ef30-4891-b230-652dadb4876a",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "5c8cad01-ef30-4891-b230-652dadb4876a"
}
BuiltIn Synapse False False n/a n/a Modify false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Configure Azure Synapse workspaces to use private DNS zones",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Synapse workspace. Learn more at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-from-restricted-network#appendix-dns-registration-for-private-endpoint.",
    "metadata": {
      "version": "1.0.0",
      "category": "Synapse"
    },
    "parameters": {
      "privateDnsZoneId": {
        "type": "String",
        "metadata": {
          "displayName": "Private DNS Zone id",
          "description": "A private DNS zone Id",
          "strongType": "Microsoft.Network/privateDnsZones"
        }
      },
      "targetSubResource": {
        "type": "String",
        "metadata": {
          "displayName": "Target sub-resource",
          "description": "Target sub resource the private endpoint connects to"
        },
        "allowedValues": [
          "Dev",
          "Sql",
          "SqlOnDemand"
        ],
        "defaultValue": "Dev"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/privateEndpoints"
          },
          {
            "count": {
              "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
              "where": {
                "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                "equals": "[parameters('targetSubResource')]"
              }
            },
            "greaterOrEquals": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "privateDnsZoneId": {
                    "type": "string"
                  },
                  "privateEndpointName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
                    "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
                    "apiVersion": "2020-03-01",
                    "location": "[parameters('location')]",
                    "properties": {
                      "privateDnsZoneConfigs": [
                        {
                          "name": "synapse-privateDnsZone",
                          "properties": {
                            "privateDnsZoneId": "[parameters('privateDnsZoneId')]"
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "parameters": {
                "privateDnsZoneId": {
                  "value": "[parameters('privateDnsZoneId')]"
                },
                "privateEndpointName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "1e5ed725-f16c-478b-bd4b-7bfa2f7940b9"
}
BuiltIn Synapse False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7)
{
  "properties": {
    "displayName": "Configure Azure Synapse workspaces with private endpoints",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Synapse workspaces, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links.",
    "metadata": {
      "version": "1.0.0",
      "category": "Synapse"
    },
    "parameters": {
      "privateEndpointSubnetId": {
        "type": "String",
        "metadata": {
          "displayName": "Private endpoint subnet id",
          "description": "A subnet with private endpoint network policies disabled",
          "strongType": "Microsoft.Network/virtualNetworks/subnets"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Synapse/workspaces"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Synapse/workspaces/privateEndpointConnections",
          "existenceCondition": {
            "field": "Microsoft.Synapse/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status",
            "equals": "Approved"
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "name": {
                  "value": "[field('name')]"
                },
                "serviceId": {
                  "value": "[field('id')]"
                },
                "privateEndpointSubnetId": {
                  "value": "[parameters('privateEndpointSubnetId')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "name": {
                    "type": "string"
                  },
                  "serviceId": {
                    "type": "string"
                  },
                  "privateEndpointSubnetId": {
                    "type": "string"
                  }
                },
                "variables": {
                  "privateEndpointName": "[concat('pe-',substring(parameters('name'),0,min(length(parameters('name')),50)),'-',uniquestring(deployment().name))]"
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/deployments",
                    "name": "[variables('privateEndpointName')]",
                    "apiVersion": "2020-06-01",
                    "properties": {
                      "mode": "Incremental",
                      "expressionEvaluationOptions": {
                        "scope": "inner"
                      },
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "serviceId": {
                            "type": "string"
                          },
                          "privateEndpointSubnetId": {
                            "type": "string"
                          },
                          "subnetLocation": {
                            "type": "string"
                          }
                        },
                        "variables": {
                          "privateEndpointName": "[deployment().name]"
                        },
                        "resources": [
                          {
                            "name": "[variables('privateEndpointName')]",
                            "type": "Microsoft.Network/privateEndpoints",
                            "apiVersion": "2020-07-01",
                            "location": "[parameters('subnetLocation')]",
                            "tags": {},
                            "properties": {
                              "subnet": {
                                "id": "[parameters('privateEndpointSubnetId')]"
                              },
                              "privateLinkServiceConnections": [
                                {
                                  "name": "[variables('privateEndpointName')]",
                                  "properties": {
                                    "privateLinkServiceId": "[parameters('serviceId')]",
                                    "groupIds": [
                                      "Dev"
                                    ],
                                    "requestMessage": "Auto approved by policy assignment"
                                  }
                                }
                              ],
                              "manualPrivateLinkServiceConnections": []
                            }
                          }
                        ]
                      },
                      "parameters": {
                        "serviceId": {
                          "value": "[parameters('serviceId')]"
                        },
                        "privateEndpointSubnetId": {
                          "value": "[parameters('privateEndpointSubnetId')]"
                        },
                        "subnetLocation": {
                          "value": "[reference(first(take(split(parameters('privateEndpointSubnetId'),'/subnets'),1)),'2020-07-01','Full').location]"
                        }
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/3b3b0c27-08d2-4b32-879d-19930bee3266",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "3b3b0c27-08d2-4b32-879d-19930bee3266"
}
BuiltIn Synapse False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Configure Azure Web PubSub Service to disable public network access",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disable public network access for your Azure Web PubSub resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/awps/networkacls. ",
    "metadata": {
      "version": "1.0.0",
      "category": "Web PubSub"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Modify",
          "Disabled"
        ],
        "defaultValue": "Modify"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.SignalRService/webPubSub"
          },
          {
            "field": "Microsoft.SignalRService/webPubSub/publicNetworkAccess",
            "notEquals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "conflictEffect": "Audit",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761"
          ],
          "operations": [
            {
              "operation": "addOrReplace",
              "field": "Microsoft.SignalRService/webPubSub/publicNetworkAccess",
              "value": "Disabled"
            }
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/5b1213e4-06e4-4ccc-81de-4201f2f7131a",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "5b1213e4-06e4-4ccc-81de-4201f2f7131a"
}
BuiltIn Web PubSub False False n/a n/a Modify false 0 n/a false 0 n/a 'SignalR Contributor' (8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761)
{
  "properties": {
    "displayName": "Configure Azure Web PubSub Service to use private DNS zones",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Web PubSub service. Learn more at: https://aka.ms/awps/privatelink.",
    "metadata": {
      "version": "1.0.0",
      "category": "Web PubSub"
    },
    "parameters": {
      "privateDnsZoneId": {
        "type": "String",
        "metadata": {
          "displayName": "Private DNS Zone Id",
          "description": "Private DNS zone to integrate with private endpoint.",
          "strongType": "Microsoft.Network/privateDnsZones"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/privateEndpoints"
          },
          {
            "count": {
              "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
              "where": {
                "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                "equals": "webpubsub"
              }
            },
            "greaterOrEquals": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "privateDnsZoneId": {
                    "type": "string"
                  },
                  "privateEndpointName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
                    "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
                    "apiVersion": "2020-03-01",
                    "location": "[parameters('location')]",
                    "properties": {
                      "privateDnsZoneConfigs": [
                        {
                          "name": "privatelink-webpubsub-azure-com",
                          "properties": {
                            "privateDnsZoneId": "[parameters('privateDnsZoneId')]"
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "parameters": {
                "privateDnsZoneId": {
                  "value": "[parameters('privateDnsZoneId')]"
                },
                "privateEndpointName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0b026355-49cb-467b-8ac4-f777874e175a"
}
BuiltIn Web PubSub False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7)
{
  "properties": {
    "displayName": "Configure Azure Web PubSub Service with private endpoints",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Web PubSub service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink. ",
    "metadata": {
      "version": "1.0.0",
      "category": "Web PubSub"
    },
    "parameters": {
      "privateEndpointSubnetId": {
        "type": "String",
        "metadata": {
          "displayName": "Private Endpoint Subnet ID",
          "description": "A subnet with private endpoint network policies disabled.",
          "strongType": "Microsoft.Network/virtualNetworks/subnets"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.SignalRService/webPubSub"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.SignalRService/webPubSub/privateEndpointConnections",
          "existenceCondition": {
            "field": "Microsoft.SignalRService/webPubSub/privateEndpointConnections/privateLinkServiceConnectionState.status",
            "equals": "Approved"
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7",
            "/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "name": {
                  "value": "[field('name')]"
                },
                "serviceId": {
                  "value": "[field('id')]"
                },
                "privateEndpointSubnetId": {
                  "value": "[parameters('privateEndpointSubnetId')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "name": {
                    "type": "string"
                  },
                  "serviceId": {
                    "type": "string"
                  },
                  "privateEndpointSubnetId": {
                    "type": "string"
                  }
                },
                "variables": {
                  "privateEndpointName": "[concat('pe-',substring(parameters('name'),0,min(length(parameters('name')),50)),'-',uniquestring(deployment().name))]"
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/deployments",
                    "name": "[variables('privateEndpointName')]",
                    "apiVersion": "2020-06-01",
                    "properties": {
                      "mode": "Incremental",
                      "expressionEvaluationOptions": {
                        "scope": "inner"
                      },
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "serviceId": {
                            "type": "string"
                          },
                          "privateEndpointSubnetId": {
                            "type": "string"
                          },
                          "subnetLocation": {
                            "type": "string"
                          }
                        },
                        "variables": {
                          "privateEndpointName": "[deployment().name]"
                        },
                        "resources": [
                          {
                            "name": "[variables('privateEndpointName')]",
                            "type": "Microsoft.Network/privateEndpoints",
                            "apiVersion": "2020-07-01",
                            "location": "[parameters('subnetLocation')]",
                            "tags": {},
                            "properties": {
                              "subnet": {
                                "id": "[parameters('privateEndpointSubnetId')]"
                              },
                              "privateLinkServiceConnections": [
                                {
                                  "name": "[variables('privateEndpointName')]",
                                  "properties": {
                                    "privateLinkServiceId": "[parameters('serviceId')]",
                                    "groupIds": [
                                      "webpubsub"
                                    ],
                                    "requestMessage": "autoapprove"
                                  }
                                }
                              ],
                              "manualPrivateLinkServiceConnections": []
                            }
                          }
                        ]
                      },
                      "parameters": {
                        "serviceId": {
                          "value": "[parameters('serviceId')]"
                        },
                        "privateEndpointSubnetId": {
                          "value": "[parameters('privateEndpointSubnetId')]"
                        },
                        "subnetLocation": {
                          "value": "[reference(first(take(split(parameters('privateEndpointSubnetId'),'/subnets'),1)),'2020-07-01','Full').location]"
                        }
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/1b9c0b58-fc7b-42c8-8010-cdfa1d1b8544",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "1b9c0b58-fc7b-42c8-8010-cdfa1d1b8544"
}
BuiltIn Web PubSub False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7), 'SignalR Contributor' (8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761)
{
  "properties": {
    "displayName": "Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag.",
    "metadata": {
      "version": "3.0.0",
      "category": "Backup"
    },
    "parameters": {
      "inclusionTagName": {
        "type": "String",
        "metadata": {
          "displayName": "Inclusion Tag Name",
          "description": "Name of the tag to use for including VMs in the scope of this policy. This should be used along with the Inclusion Tag Value parameter. Learn more at https://aka.ms/AppCentricVMBackupPolicy."
        },
        "defaultValue": ""
      },
      "inclusionTagValue": {
        "type": "Array",
        "metadata": {
          "displayName": "Inclusion Tag Values",
          "description": "Value of the tag to use for including VMs in the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the Inclusion Tag Name parameter. Learn more at https://aka.ms/AppCentricVMBackupPolicy."
        },
        "defaultValue": []
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "deployIfNotExists",
          "auditIfNotExists",
          "disabled"
        ],
        "defaultValue": "deployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "id",
            "notContains": "/resourceGroups/databricks-rg-"
          },
          {
            "anyOf": [
              {
                "field": "[concat('tags[', parameters('inclusionTagName'), ']')]",
                "in": "[parameters('inclusionTagValue')]"
              },
              {
                "value": "[empty(parameters('inclusionTagValue'))]",
                "equals": "true"
              },
              {
                "value": "[empty(parameters('inclusionTagName'))]",
                "equals": "true"
              }
            ]
          },
          {
            "anyOf": [
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "WindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "in": [
                      "2008-R2-SP1",
                      "2008-R2-SP1-smalldisk",
                      "2012-Datacenter",
                      "2012-Datacenter-smalldisk",
                      "2012-R2-Datacenter",
                      "2012-R2-Datacenter-smalldisk",
                      "2016-Datacenter",
                      "2016-Datacenter-Server-Core",
                      "2016-Datacenter-Server-Core-smalldisk",
                      "2016-Datacenter-smalldisk",
                      "2016-Datacenter-with-Containers",
                      "2016-Datacenter-with-RDSH",
                      "2019-Datacenter",
                      "2019-Datacenter-Core",
                      "2019-Datacenter-Core-smalldisk",
                      "2019-Datacenter-Core-with-Containers",
                      "2019-Datacenter-Core-with-Containers-smalldisk",
                      "2019-Datacenter-smalldisk",
                      "2019-Datacenter-with-Containers",
                      "2019-Datacenter-with-Containers-smalldisk",
                      "2019-Datacenter-zhcn"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "WindowsServerSemiAnnual"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "in": [
                      "Datacenter-Core-1709-smalldisk",
                      "Datacenter-Core-1709-with-Containers-smalldisk",
                      "Datacenter-Core-1803-with-Containers-smalldisk"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServerHPCPack"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "WindowsServerHPCPack"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftSQLServer"
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2019"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2016"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2016-BYOL"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2012R2"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2012R2-BYOL"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftRServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "MLServer-WS2016"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftVisualStudio"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "VisualStudio",
                      "Windows"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftDynamicsAX"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Dynamics"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "equals": "Pre-Req-AX7-Onebox-U8"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "microsoft-ads"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "windows-data-science-vm"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsDesktop"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Windows-10"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "RedHat"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "RHEL",
                      "RHEL-SAP-HANA"
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "6.*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "7*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "SUSE"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "SLES",
                      "SLES-HPC",
                      "SLES-HPC-Priority",
                      "SLES-SAP",
                      "SLES-SAP-BYOS",
                      "SLES-Priority",
                      "SLES-BYOS",
                      "SLES-SAPCAL",
                      "SLES-Standard"
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "12*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Canonical"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "contains": "ubuntu"
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "14.04*LTS"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "16.04*LTS"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "18.04*LTS"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "*20_04-lts"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "20_04-lts*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Oracle"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Oracle-Linux"
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "6.*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "7.*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "OpenLogic"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "CentOS",
                      "Centos-LVM",
                      "CentOS-SRIOV"
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "6.*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "7*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "cloudera"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "cloudera-centos-os"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "like": "7*"
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.RecoveryServices/backupprotecteditems",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
            "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string",
                    "metadata": {
                      "description": "Name of Azure Virtual Machines"
                    }
                  },
                  "vmRgName": {
                    "type": "string",
                    "metadata": {
                      "description": "Resource group containing the virtual machines."
                    }
                  },
                  "location": {
                    "type": "string",
                    "metadata": {
                      "description": "Location for VM and Backup vault"
                    }
                  }
                },
                "variables": {
                  "backupFabric": "Azure",
                  "backupPolicy": "DefaultPolicy",
                  "v2VmType": "Microsoft.Compute/virtualMachines",
                  "v2VmContainer": "iaasvmcontainer;iaasvmcontainerv2;",
                  "v2Vm": "vm;iaasvmcontainerv2;",
                  "vaultName": "[take(concat('RSVault-', parameters('location'), '-', guid(resourceGroup().id)),50)]"
                },
                "resources": [
                  {
                    "name": "[variables('vaultName')]",
                    "type": "Microsoft.RecoveryServices/vaults",
                    "apiVersion": "2016-06-01",
                    "location": "[parameters('location')]",
                    "properties": {},
                    "sku": {
                      "name": "Standard"
                    }
                  },
                  {
                    "name": "[concat(variables('vaultName'), '/', variables('backupFabric'), '/', variables('v2VmContainer'), concat(parameters('vmRgName'),';',parameters('vmName')), '/', variables('v2Vm'), concat(parameters('vmRgName'),';',parameters('vmName')))]",
                    "apiVersion": "2016-12-01",
                    "location": "[parameters('location')]",
                    "type": "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems",
                    "dependsOn": [
                      "[resourceId('Microsoft.RecoveryServices/vaults/', variables('vaultName'))]"
                    ],
                    "properties": {
                      "protectedItemType": "[variables('v2VmType')]",
                      "policyId": "[resourceId('Microsoft.RecoveryServices/vaults/backupPolicies', variables('vaultName'),variables('backupPolicy'))]",
                      "sourceResourceId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', parameters('vmRgName'), '/providers/Microsoft.Compute/virtualMachines/', parameters('vmName'))]"
                    }
                  }
                ],
                "outputs": {
                  "status": {
                    "type": "string",
                    "value": "[concat('Backup enabled successfully for VM:', ' ', parameters('vmName'), 'Backup Vault: ', variables('vaultName'))]"
                  }
                }
              },
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "vmRgName": {
                  "value": "[resourceGroup().name]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/83644c87-93dd-49fe-bf9f-6aff8fd0834e",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "83644c87-93dd-49fe-bf9f-6aff8fd0834e"
}
BuiltIn Backup False False n/a n/a deployIfNotExists false 0 n/a false 0 n/a 'Virtual Machine Contributor' (9980e02c-c2be-4d73-94e8-173b1dc7cf3c), 'Backup Contributor' (5e467623-bb1f-42f4-a55d-6e525e11384b)
{
  "properties": {
    "displayName": "Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag.",
    "metadata": {
      "version": "3.0.0",
      "category": "Backup"
    },
    "parameters": {
      "vaultLocation": {
        "type": "String",
        "metadata": {
          "displayName": "Location (Specify the location of the VMs that you want to protect)",
          "description": "Specify the location of the VMs that you want to protect. VMs should be backed up to a vault in the same location. For example - CanadaCentral",
          "strongType": "location"
        }
      },
      "inclusionTagName": {
        "type": "String",
        "metadata": {
          "displayName": "Inclusion Tag Name",
          "description": "Name of the tag to use for including VMs in the scope of this policy. This should be used along with the Inclusion Tag Value parameter. Learn more at https://aka.ms/AppCentricVMBackupPolicy"
        },
        "defaultValue": ""
      },
      "inclusionTagValue": {
        "type": "Array",
        "metadata": {
          "displayName": "Inclusion Tag Values",
          "description": "Value of the tag to use for including VMs in the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the Inclusion Tag Name parameter. Learn more at https://aka.ms/AppCentricVMBackupPolicy."
        }
      },
      "backupPolicyId": {
        "type": "String",
        "metadata": {
          "displayName": "Backup Policy (of type Azure VM from a vault in the location chosen above)",
          "description": "Specify the ID of the Azure Backup policy to configure backup of the virtual machines. The selected Azure Backup policy should be of type Azure Virtual Machine. This policy needs to be in a vault that is present in the location chosen above. For example - /subscriptions//resourceGroups//providers/Microsoft.RecoveryServices/vaults//backupPolicies/",
          "strongType": "Microsoft.RecoveryServices/vaults/backupPolicies"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "deployIfNotExists",
          "auditIfNotExists",
          "disabled"
        ],
        "defaultValue": "deployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "id",
            "notContains": "/resourceGroups/databricks-rg-"
          },
          {
            "field": "location",
            "equals": "[parameters('vaultLocation')]"
          },
          {
            "field": "[concat('tags[', parameters('inclusionTagName'), ']')]",
            "in": "[parameters('inclusionTagValue')]"
          },
          {
            "anyOf": [
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "WindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "in": [
                      "2008-R2-SP1",
                      "2008-R2-SP1-smalldisk",
                      "2012-Datacenter",
                      "2012-Datacenter-smalldisk",
                      "2012-R2-Datacenter",
                      "2012-R2-Datacenter-smalldisk",
                      "2016-Datacenter",
                      "2016-Datacenter-Server-Core",
                      "2016-Datacenter-Server-Core-smalldisk",
                      "2016-Datacenter-smalldisk",
                      "2016-Datacenter-with-Containers",
                      "2016-Datacenter-with-RDSH",
                      "2019-Datacenter",
                      "2019-Datacenter-Core",
                      "2019-Datacenter-Core-smalldisk",
                      "2019-Datacenter-Core-with-Containers",
                      "2019-Datacenter-Core-with-Containers-smalldisk",
                      "2019-Datacenter-smalldisk",
                      "2019-Datacenter-with-Containers",
                      "2019-Datacenter-with-Containers-smalldisk",
                      "2019-Datacenter-zhcn"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "WindowsServerSemiAnnual"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "in": [
                      "Datacenter-Core-1709-smalldisk",
                      "Datacenter-Core-1709-with-Containers-smalldisk",
                      "Datacenter-Core-1803-with-Containers-smalldisk"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServerHPCPack"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "WindowsServerHPCPack"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftSQLServer"
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2019"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2016"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2016-BYOL"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2012R2"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2012R2-BYOL"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftRServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "MLServer-WS2016"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftVisualStudio"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "VisualStudio",
                      "Windows"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftDynamicsAX"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Dynamics"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "equals": "Pre-Req-AX7-Onebox-U8"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "microsoft-ads"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "windows-data-science-vm"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsDesktop"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Windows-10"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "RedHat"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "RHEL",
                      "RHEL-SAP-HANA"
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "6.*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "7*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "SUSE"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "SLES",
                      "SLES-HPC",
                      "SLES-HPC-Priority",
                      "SLES-SAP",
                      "SLES-SAP-BYOS",
                      "SLES-Priority",
                      "SLES-BYOS",
                      "SLES-SAPCAL",
                      "SLES-Standard"
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "12*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Canonical"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "contains": "ubuntu"
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "14.04*LTS"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "16.04*LTS"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "18.04*LTS"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "*20_04-lts"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "20_04-lts*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Oracle"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Oracle-Linux"
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "6.*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "7.*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "OpenLogic"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "CentOS",
                      "Centos-LVM",
                      "CentOS-SRIOV"
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "6.*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "7*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "cloudera"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "cloudera-centos-os"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "like": "7*"
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
            "/providers/microsoft.authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b"
          ],
          "type": "Microsoft.RecoveryServices/backupprotecteditems",
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "backupPolicyId": {
                    "type": "String"
                  },
                  "fabricName": {
                    "type": "String"
                  },
                  "protectionContainers": {
                    "type": "String"
                  },
                  "protectedItems": {
                    "type": "String"
                  },
                  "sourceResourceId": {
                    "type": "String"
                  }
                },
                "resources": [
                  {
                    "apiVersion": "2017-05-10",
                    "name": "[concat('DeployProtection-',uniqueString(parameters('protectedItems')))]",
                    "type": "Microsoft.Resources/deployments",
                    "resourceGroup": "[first(skip(split(parameters('backupPolicyId'), '/'), 4))]",
                    "subscriptionId": "[first(skip(split(parameters('backupPolicyId'), '/'), 2))]",
                    "properties": {
                      "mode": "Incremental",
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "backupPolicyId": {
                            "type": "String"
                          },
                          "fabricName": {
                            "type": "String"
                          },
                          "protectionContainers": {
                            "type": "String"
                          },
                          "protectedItems": {
                            "type": "String"
                          },
                          "sourceResourceId": {
                            "type": "String"
                          }
                        },
                        "resources": [
                          {
                            "type": "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems",
                            "name": "[concat(first(skip(split(parameters('backupPolicyId'), '/'), 8)), '/', parameters('fabricName'), '/',parameters('protectionContainers'), '/', parameters('protectedItems'))]",
                            "apiVersion": "2016-06-01",
                            "properties": {
                              "protectedItemType": "Microsoft.Compute/virtualMachines",
                              "policyId": "[parameters('backupPolicyId')]",
                              "sourceResourceId": "[parameters('sourceResourceId')]"
                            }
                          }
                        ]
                      },
                      "parameters": {
                        "backupPolicyId": {
                          "value": "[parameters('backupPolicyId')]"
                        },
                        "fabricName": {
                          "value": "[parameters('fabricName')]"
                        },
                        "protectionContainers": {
                          "value": "[parameters('protectionContainers')]"
                        },
                        "protectedItems": {
                          "value": "[parameters('protectedItems')]"
                        },
                        "sourceResourceId": {
                          "value": "[parameters('sourceResourceId')]"
                        }
                      }
                    }
                  }
                ]
              },
              "parameters": {
                "backupPolicyId": {
                  "value": "[parameters('backupPolicyId')]"
                },
                "fabricName": {
                  "value": "Azure"
                },
                "protectionContainers": {
                  "value": "[concat('iaasvmcontainer;iaasvmcontainerv2;', resourceGroup().name, ';' ,field('name'))]"
                },
                "protectedItems": {
                  "value": "[concat('vm;iaasvmcontainerv2;', resourceGroup().name, ';' ,field('name'))]"
                },
                "sourceResourceId": {
                  "value": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Compute/virtualMachines/',field('name'))]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/345fa903-145c-4fe1-8bcd-93ec2adccde8",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "345fa903-145c-4fe1-8bcd-93ec2adccde8"
}
BuiltIn Backup False False n/a n/a deployIfNotExists false 0 n/a false 0 n/a 'Virtual Machine Contributor' (9980e02c-c2be-4d73-94e8-173b1dc7cf3c), 'Backup Contributor' (5e467623-bb1f-42f4-a55d-6e525e11384b)
{
  "properties": {
    "displayName": "Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag.",
    "metadata": {
      "version": "3.0.0",
      "category": "Backup"
    },
    "parameters": {
      "exclusionTagName": {
        "type": "String",
        "metadata": {
          "displayName": "Exclusion Tag Name",
          "description": "Name of the tag to use for excluding VMs from the scope of this policy. This should be used along with the Exclusion Tag Value parameter. Learn more at https://aka.ms/AppCentricVMBackupPolicy."
        },
        "defaultValue": ""
      },
      "exclusionTagValue": {
        "type": "Array",
        "metadata": {
          "displayName": "Exclusion Tag Values",
          "description": "Value of the tag to use for excluding VMs from the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the Exclusion Tag Name parameter. Learn more at https://aka.ms/AppCentricVMBackupPolicy."
        },
        "defaultValue": []
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "deployIfNotExists",
          "auditIfNotExists",
          "disabled"
        ],
        "defaultValue": "deployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "not": {
              "field": "[concat('tags[', parameters('exclusionTagName'), ']')]",
              "in": "[parameters('exclusionTagValue')]"
            }
          },
          {
            "field": "id",
            "notContains": "/resourceGroups/databricks-rg-"
          },
          {
            "anyOf": [
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "WindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "in": [
                      "2008-R2-SP1",
                      "2008-R2-SP1-smalldisk",
                      "2012-Datacenter",
                      "2012-Datacenter-smalldisk",
                      "2012-R2-Datacenter",
                      "2012-R2-Datacenter-smalldisk",
                      "2016-Datacenter",
                      "2016-Datacenter-Server-Core",
                      "2016-Datacenter-Server-Core-smalldisk",
                      "2016-Datacenter-smalldisk",
                      "2016-Datacenter-with-Containers",
                      "2016-Datacenter-with-RDSH",
                      "2019-Datacenter",
                      "2019-Datacenter-Core",
                      "2019-Datacenter-Core-smalldisk",
                      "2019-Datacenter-Core-with-Containers",
                      "2019-Datacenter-Core-with-Containers-smalldisk",
                      "2019-Datacenter-smalldisk",
                      "2019-Datacenter-with-Containers",
                      "2019-Datacenter-with-Containers-smalldisk",
                      "2019-Datacenter-zhcn"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "WindowsServerSemiAnnual"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "in": [
                      "Datacenter-Core-1709-smalldisk",
                      "Datacenter-Core-1709-with-Containers-smalldisk",
                      "Datacenter-Core-1803-with-Containers-smalldisk"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServerHPCPack"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "WindowsServerHPCPack"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftSQLServer"
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2019"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2016"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2016-BYOL"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2012R2"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2012R2-BYOL"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftRServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "MLServer-WS2016"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftVisualStudio"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "VisualStudio",
                      "Windows"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftDynamicsAX"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Dynamics"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "equals": "Pre-Req-AX7-Onebox-U8"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "microsoft-ads"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "windows-data-science-vm"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsDesktop"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Windows-10"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "RedHat"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "RHEL",
                      "RHEL-SAP-HANA"
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "6.*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "7*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "SUSE"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "SLES",
                      "SLES-HPC",
                      "SLES-HPC-Priority",
                      "SLES-SAP",
                      "SLES-SAP-BYOS",
                      "SLES-Priority",
                      "SLES-BYOS",
                      "SLES-SAPCAL",
                      "SLES-Standard"
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "12*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Canonical"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "contains": "ubuntu"
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "14.04*LTS"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "16.04*LTS"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "18.04*LTS"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "*20_04-lts"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "20_04-lts*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Oracle"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Oracle-Linux"
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "6.*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "7.*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "OpenLogic"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "CentOS",
                      "Centos-LVM",
                      "CentOS-SRIOV"
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "6.*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "7*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "cloudera"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "cloudera-centos-os"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "like": "7*"
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.RecoveryServices/backupprotecteditems",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
            "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string",
                    "metadata": {
                      "description": "Name of Azure Virtual Machines"
                    }
                  },
                  "vmRgName": {
                    "type": "string",
                    "metadata": {
                      "description": "Resource group containing the virtual machines."
                    }
                  },
                  "location": {
                    "type": "string",
                    "metadata": {
                      "description": "Location for VM and Backup vault"
                    }
                  }
                },
                "variables": {
                  "backupFabric": "Azure",
                  "backupPolicy": "DefaultPolicy",
                  "v2VmType": "Microsoft.Compute/virtualMachines",
                  "v2VmContainer": "iaasvmcontainer;iaasvmcontainerv2;",
                  "v2Vm": "vm;iaasvmcontainerv2;",
                  "vaultName": "[take(concat('RSVault-', parameters('location'), '-', guid(resourceGroup().id)),50)]"
                },
                "resources": [
                  {
                    "name": "[variables('vaultName')]",
                    "type": "Microsoft.RecoveryServices/vaults",
                    "apiVersion": "2016-06-01",
                    "location": "[parameters('location')]",
                    "properties": {},
                    "sku": {
                      "name": "Standard"
                    }
                  },
                  {
                    "name": "[concat(variables('vaultName'), '/', variables('backupFabric'), '/', variables('v2VmContainer'), concat(parameters('vmRgName'),';',parameters('vmName')), '/', variables('v2Vm'), concat(parameters('vmRgName'),';',parameters('vmName')))]",
                    "apiVersion": "2016-12-01",
                    "location": "[parameters('location')]",
                    "type": "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems",
                    "dependsOn": [
                      "[resourceId('Microsoft.RecoveryServices/vaults/', variables('vaultName'))]"
                    ],
                    "properties": {
                      "protectedItemType": "[variables('v2VmType')]",
                      "policyId": "[resourceId('Microsoft.RecoveryServices/vaults/backupPolicies', variables('vaultName'),variables('backupPolicy'))]",
                      "sourceResourceId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', parameters('vmRgName'), '/providers/Microsoft.Compute/virtualMachines/', parameters('vmName'))]"
                    }
                  }
                ],
                "outputs": {
                  "status": {
                    "type": "string",
                    "value": "[concat('Backup enabled successfully for VM:', ' ', parameters('vmName'), 'Backup Vault: ', variables('vaultName'))]"
                  }
                }
              },
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "vmRgName": {
                  "value": "[resourceGroup().name]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86"
}
BuiltIn Backup False False n/a n/a deployIfNotExists true 1 /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deploy-vm-backup (Deploy-VM-Backup) false 0 n/a 'Virtual Machine Contributor' (9980e02c-c2be-4d73-94e8-173b1dc7cf3c), 'Backup Contributor' (5e467623-bb1f-42f4-a55d-6e525e11384b)
{
  "properties": {
    "displayName": "Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag.",
    "metadata": {
      "version": "3.0.0",
      "category": "Backup"
    },
    "parameters": {
      "vaultLocation": {
        "type": "String",
        "metadata": {
          "displayName": "Location (Specify the location of the VMs that you want to protect)",
          "description": "Specify the location of the VMs that you want to protect. VMs should be backed up to a vault in the same location. For example - southeastasia.",
          "strongType": "location"
        }
      },
      "backupPolicyId": {
        "type": "String",
        "metadata": {
          "displayName": "Backup Policy (of type Azure VM from a vault in the location chosen above)",
          "description": "Specify the id of the Azure backup policy to configure backup of the virtual machines. The selected Azure backup policy should be of type Azure virtual machine. This policy needs to be in a vault that is present in the location chosen above. For example - /subscriptions//resourceGroups//providers/Microsoft.RecoveryServices/vaults//backupPolicies/.",
          "strongType": "Microsoft.RecoveryServices/vaults/backupPolicies"
        }
      },
      "exclusionTagName": {
        "type": "String",
        "metadata": {
          "displayName": "Exclusion Tag Name",
          "description": "Name of the tag to use for excluding VMs from the scope of this policy. This should be used along with the Exclusion Tag Value parameter. Learn more at https://aka.ms/AppCentricVMBackupPolicy."
        },
        "defaultValue": ""
      },
      "exclusionTagValue": {
        "type": "Array",
        "metadata": {
          "displayName": "Exclusion Tag Values",
          "description": "Value of the tag to use for excluding VMs from the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the Exclusion Tag Name parameter. Learn more at https://aka.ms/AppCentricVMBackupPolicy."
        },
        "defaultValue": []
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy."
        },
        "allowedValues": [
          "deployIfNotExists",
          "auditIfNotExists",
          "disabled"
        ],
        "defaultValue": "deployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "location",
            "equals": "[parameters('vaultLocation')]"
          },
          {
            "field": "id",
            "notContains": "/resourceGroups/databricks-rg-"
          },
          {
            "anyOf": [
              {
                "not": {
                  "field": "[concat('tags[', parameters('exclusionTagName'), ']')]",
                  "in": "[parameters('exclusionTagValue')]"
                }
              },
              {
                "value": "[empty(parameters('exclusionTagValue'))]",
                "equals": "true"
              },
              {
                "value": "[empty(parameters('exclusionTagName'))]",
                "equals": "true"
              }
            ]
          },
          {
            "anyOf": [
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "WindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "in": [
                      "2008-R2-SP1",
                      "2008-R2-SP1-smalldisk",
                      "2012-Datacenter",
                      "2012-Datacenter-smalldisk",
                      "2012-R2-Datacenter",
                      "2012-R2-Datacenter-smalldisk",
                      "2016-Datacenter",
                      "2016-Datacenter-Server-Core",
                      "2016-Datacenter-Server-Core-smalldisk",
                      "2016-Datacenter-smalldisk",
                      "2016-Datacenter-with-Containers",
                      "2016-Datacenter-with-RDSH",
                      "2019-Datacenter",
                      "2019-Datacenter-Core",
                      "2019-Datacenter-Core-smalldisk",
                      "2019-Datacenter-Core-with-Containers",
                      "2019-Datacenter-Core-with-Containers-smalldisk",
                      "2019-Datacenter-smalldisk",
                      "2019-Datacenter-with-Containers",
                      "2019-Datacenter-with-Containers-smalldisk",
                      "2019-Datacenter-zhcn"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "WindowsServerSemiAnnual"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "in": [
                      "Datacenter-Core-1709-smalldisk",
                      "Datacenter-Core-1709-with-Containers-smalldisk",
                      "Datacenter-Core-1803-with-Containers-smalldisk"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServerHPCPack"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "WindowsServerHPCPack"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftSQLServer"
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2019"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2016"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2016-BYOL"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2012R2"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2012R2-BYOL"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftRServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "MLServer-WS2016"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftVisualStudio"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "VisualStudio",
                      "Windows"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftDynamicsAX"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Dynamics"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "equals": "Pre-Req-AX7-Onebox-U8"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "microsoft-ads"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "windows-data-science-vm"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsDesktop"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Windows-10"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "RedHat"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "RHEL",
                      "RHEL-SAP-HANA"
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "6.*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "7*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "SUSE"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "SLES",
                      "SLES-HPC",
                      "SLES-HPC-Priority",
                      "SLES-SAP",
                      "SLES-SAP-BYOS",
                      "SLES-Priority",
                      "SLES-BYOS",
                      "SLES-SAPCAL",
                      "SLES-Standard"
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "12*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Canonical"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "contains": "ubuntu"
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "14.04*LTS"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "16.04*LTS"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "18.04*LTS"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "*20_04-lts"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "20_04-lts*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Oracle"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Oracle-Linux"
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "6.*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "7.*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "OpenLogic"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "CentOS",
                      "Centos-LVM",
                      "CentOS-SRIOV"
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "6.*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "7*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "cloudera"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "cloudera-centos-os"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "like": "7*"
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
            "/providers/microsoft.authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b"
          ],
          "type": "Microsoft.RecoveryServices/backupprotecteditems",
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "backupPolicyId": {
                    "type": "String"
                  },
                  "fabricName": {
                    "type": "String"
                  },
                  "protectionContainers": {
                    "type": "String"
                  },
                  "protectedItems": {
                    "type": "String"
                  },
                  "sourceResourceId": {
                    "type": "String"
                  }
                },
                "resources": [
                  {
                    "apiVersion": "2017-05-10",
                    "name": "[concat('DeployProtection-',uniqueString(parameters('protectedItems')))]",
                    "type": "Microsoft.Resources/deployments",
                    "resourceGroup": "[first(skip(split(parameters('backupPolicyId'), '/'), 4))]",
                    "subscriptionId": "[first(skip(split(parameters('backupPolicyId'), '/'), 2))]",
                    "properties": {
                      "mode": "Incremental",
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "backupPolicyId": {
                            "type": "String"
                          },
                          "fabricName": {
                            "type": "String"
                          },
                          "protectionContainers": {
                            "type": "String"
                          },
                          "protectedItems": {
                            "type": "String"
                          },
                          "sourceResourceId": {
                            "type": "String"
                          }
                        },
                        "resources": [
                          {
                            "type": "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems",
                            "name": "[concat(first(skip(split(parameters('backupPolicyId'), '/'), 8)), '/', parameters('fabricName'), '/',parameters('protectionContainers'), '/', parameters('protectedItems'))]",
                            "apiVersion": "2016-06-01",
                            "properties": {
                              "protectedItemType": "Microsoft.Compute/virtualMachines",
                              "policyId": "[parameters('backupPolicyId')]",
                              "sourceResourceId": "[parameters('sourceResourceId')]"
                            }
                          }
                        ]
                      },
                      "parameters": {
                        "backupPolicyId": {
                          "value": "[parameters('backupPolicyId')]"
                        },
                        "fabricName": {
                          "value": "[parameters('fabricName')]"
                        },
                        "protectionContainers": {
                          "value": "[parameters('protectionContainers')]"
                        },
                        "protectedItems": {
                          "value": "[parameters('protectedItems')]"
                        },
                        "sourceResourceId": {
                          "value": "[parameters('sourceResourceId')]"
                        }
                      }
                    }
                  }
                ]
              },
              "parameters": {
                "backupPolicyId": {
                  "value": "[parameters('backupPolicyId')]"
                },
                "fabricName": {
                  "value": "Azure"
                },
                "protectionContainers": {
                  "value": "[concat('iaasvmcontainer;iaasvmcontainerv2;', resourceGroup().name, ';' ,field('name'))]"
                },
                "protectedItems": {
                  "value": "[concat('vm;iaasvmcontainerv2;', resourceGroup().name, ';' ,field('name'))]"
                },
                "sourceResourceId": {
                  "value": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Compute/virtualMachines/',field('name'))]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/09ce66bc-1220-4153-8104-e3f51c936913",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "09ce66bc-1220-4153-8104-e3f51c936913"
}
BuiltIn Backup False False n/a n/a deployIfNotExists false 0 n/a false 0 n/a 'Virtual Machine Contributor' (9980e02c-c2be-4d73-94e8-173b1dc7cf3c), 'Backup Contributor' (5e467623-bb1f-42f4-a55d-6e525e11384b)
{
  "properties": {
    "displayName": "Configure Batch accounts to disable local authentication",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disable location authentication methods so that your Batch accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/batch/auth.",
    "metadata": {
      "version": "1.0.0",
      "category": "Batch"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Modify",
          "Disabled"
        ],
        "defaultValue": "Modify"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Batch/batchAccounts"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Batch/batchAccounts/allowedAuthenticationModes",
                "exists": "false"
              },
              {
                "count": {
                  "field": "Microsoft.Batch/batchAccounts/allowedAuthenticationModes[*]",
                  "where": {
                    "not": {
                      "field": "Microsoft.Batch/batchAccounts/allowedAuthenticationModes[*]",
                      "equals": "AAD"
                    }
                  }
                },
                "greater": 0
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "conflictEffect": "audit",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "operations": [
            {
              "condition": "[greaterOrEquals(requestContext().apiVersion, '2021-06-01')]",
              "operation": "addOrReplace",
              "field": "Microsoft.Batch/batchAccounts/allowedAuthenticationModes",
              "value": [
                "AAD"
              ]
            }
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/4dbc2f5c-51cf-4e38-9179-c7028eed2274",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "4dbc2f5c-51cf-4e38-9179-c7028eed2274"
}
BuiltIn Batch False False n/a n/a Modify false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Configure Batch accounts with private endpoints",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Batch accounts, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/batch/private-connectivity.",
    "metadata": {
      "version": "1.0.0",
      "category": "Batch"
    },
    "parameters": {
      "privateEndpointSubnetId": {
        "type": "String",
        "metadata": {
          "displayName": "Private endpoint subnet id",
          "description": "A subnet with private endpoint network policies disabled",
          "strongType": "Microsoft.Network/virtualNetworks/subnets"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Batch/batchAccounts"
          },
          {
            "field": "Microsoft.Batch/batchAccounts/publicNetworkAccess",
            "equals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Batch/batchAccounts/privateEndpointConnections",
          "existenceCondition": {
            "field": "Microsoft.Batch/batchAccounts/privateEndpointConnections/privateLinkServiceConnectionState.status",
            "equals": "Approved"
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "name": {
                  "value": "[field('name')]"
                },
                "serviceId": {
                  "value": "[field('id')]"
                },
                "privateEndpointSubnetId": {
                  "value": "[parameters('privateEndpointSubnetId')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "name": {
                    "type": "string"
                  },
                  "serviceId": {
                    "type": "string"
                  },
                  "privateEndpointSubnetId": {
                    "type": "string"
                  }
                },
                "variables": {
                  "privateEndpointName": "[concat('pe-',substring(parameters('name'),0,min(length(parameters('name')),50)),'-',uniquestring(deployment().name))]"
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/deployments",
                    "name": "[variables('privateEndpointName')]",
                    "apiVersion": "2020-06-01",
                    "properties": {
                      "mode": "Incremental",
                      "expressionEvaluationOptions": {
                        "scope": "inner"
                      },
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "serviceId": {
                            "type": "string"
                          },
                          "privateEndpointSubnetId": {
                            "type": "string"
                          },
                          "subnetLocation": {
                            "type": "string"
                          }
                        },
                        "variables": {
                          "privateEndpointName": "[deployment().name]"
                        },
                        "resources": [
                          {
                            "name": "[variables('privateEndpointName')]",
                            "type": "Microsoft.Network/privateEndpoints",
                            "apiVersion": "2020-07-01",
                            "location": "[parameters('subnetLocation')]",
                            "tags": {},
                            "properties": {
                              "subnet": {
                                "id": "[parameters('privateEndpointSubnetId')]"
                              },
                              "privateLinkServiceConnections": [
                                {
                                  "name": "[variables('privateEndpointName')]",
                                  "properties": {
                                    "privateLinkServiceId": "[parameters('serviceId')]",
                                    "groupIds": [
                                      "batchAccount"
                                    ],
                                    "requestMessage": "autoapprove"
                                  }
                                }
                              ],
                              "manualPrivateLinkServiceConnections": []
                            }
                          }
                        ]
                      },
                      "parameters": {
                        "serviceId": {
                          "value": "[parameters('serviceId')]"
                        },
                        "privateEndpointSubnetId": {
                          "value": "[parameters('privateEndpointSubnetId')]"
                        },
                        "subnetLocation": {
                          "value": "[reference(first(take(split(parameters('privateEndpointSubnetId'),'/subnets'),1)),'2020-07-01','Full').location]"
                        }
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0ef5aac7-c064-427a-b87b-d47b3ddcaf73",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0ef5aac7-c064-427a-b87b-d47b3ddcaf73"
}
BuiltIn Batch False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Configure Cognitive Services accounts to disable local authentication methods",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disable local authentication methods so that your Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/cs/auth.",
    "metadata": {
      "version": "1.0.0",
      "category": "Cognitive Services"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Modify",
          "Disabled"
        ],
        "defaultValue": "Modify"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.CognitiveServices/accounts"
          },
          {
            "field": "Microsoft.CognitiveServices/accounts/disableLocalAuth",
            "notEquals": true
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "conflictEffect": "audit",
          "operations": [
            {
              "condition": "[greaterOrEquals(requestContext().apiVersion, '2021-04-30')]",
              "operation": "addOrReplace",
              "field": "Microsoft.CognitiveServices/accounts/disableLocalAuth",
              "value": true
            }
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "14de9e63-1b31-492e-a5a3-c3f7fd57f555"
}
BuiltIn Cognitive Services False False n/a n/a Modify false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Configure Cognitive Services accounts to disable public network access",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disable public network access for your Cognitive Services resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://go.microsoft.com/fwlink/?linkid=2129800.",
    "metadata": {
      "version": "1.0.0",
      "category": "Cognitive Services"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Disabled",
          "Modify"
        ],
        "defaultValue": "Modify"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.CognitiveServices/accounts"
          },
          {
            "field": "Microsoft.CognitiveServices/accounts/publicNetworkAccess",
            "notEquals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "conflictEffect": "audit",
          "operations": [
            {
              "condition": "[greaterOrEquals(requestContext().apiVersion, '2017-04-18')]",
              "operation": "addOrReplace",
              "field": "Microsoft.CognitiveServices/accounts/publicNetworkAccess",
              "value": "Disabled"
            }
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "47ba1dd7-28d9-4b07-a8d5-9813bed64e0c"
}
BuiltIn Cognitive Services False False n/a n/a Modify false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Configure Cognitive Services accounts to use private DNS zones",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Cognitive Services accounts. Learn more at: https://go.microsoft.com/fwlink/?linkid=2110097.",
    "metadata": {
      "version": "1.0.0",
      "category": "Cognitive Services"
    },
    "parameters": {
      "privateDnsZoneId": {
        "type": "String",
        "metadata": {
          "displayName": "Private DNS Zone ID for Cognitive Services account",
          "description": "The private DNS zone name required for Cognitive Services to resolve a private DNS Zone to your Cognitive Services account.",
          "strongType": "Microsoft.Network/privateDnsZones",
          "assignPermissions": true
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/privateEndpoints"
          },
          {
            "count": {
              "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]",
              "where": {
                "allOf": [
                  {
                    "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
                    "contains": "Microsoft.CognitiveServices/accounts"
                  },
                  {
                    "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                    "equals": "account"
                  }
                ]
              }
            },
            "greaterOrEquals": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "privateDnsZoneId": {
                    "type": "string"
                  },
                  "privateEndpointName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
                    "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
                    "apiVersion": "2020-03-01",
                    "location": "[parameters('location')]",
                    "properties": {
                      "privateDnsZoneConfigs": [
                        {
                          "name": "privatelink-cognitiveservices-azure-com",
                          "properties": {
                            "privateDnsZoneId": "[parameters('privateDnsZoneId')]"
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "parameters": {
                "privateDnsZoneId": {
                  "value": "[parameters('privateDnsZoneId')]"
                },
                "privateEndpointName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c4bc6f10-cb41-49eb-b000-d5ab82e2a091"
}
BuiltIn Cognitive Services False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7)
{
  "properties": {
    "displayName": "Configure Cognitive Services accounts with private endpoints",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800.",
    "metadata": {
      "version": "1.0.0",
      "category": "Cognitive Services"
    },
    "parameters": {
      "privateEndpointSubnetId": {
        "type": "String",
        "metadata": {
          "displayName": "Private endpoint subnet ID",
          "description": "A subnet with private endpoint network policies disabled.",
          "strongType": "Microsoft.Network/virtualNetworks/subnets"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.CognitiveServices/accounts"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.CognitiveServices/accounts",
          "existenceCondition": {
            "field": "Microsoft.CognitiveServices/accounts/privateEndpointConnections/privateLinkServiceConnectionState.status",
            "equals": "Approved"
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7",
            "/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "name": {
                  "value": "[field('name')]"
                },
                "serviceId": {
                  "value": "[field('id')]"
                },
                "privateEndpointSubnetId": {
                  "value": "[parameters('privateEndpointSubnetId')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "name": {
                    "type": "string"
                  },
                  "serviceId": {
                    "type": "string"
                  },
                  "privateEndpointSubnetId": {
                    "type": "string"
                  }
                },
                "variables": {
                  "privateEndpointName": "[concat('pe-',substring(parameters('name'),0,min(length(parameters('name')),50)),'-',uniquestring(deployment().name))]"
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/deployments",
                    "name": "[variables('privateEndpointName')]",
                    "apiVersion": "2020-06-01",
                    "properties": {
                      "mode": "Incremental",
                      "expressionEvaluationOptions": {
                        "scope": "inner"
                      },
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "serviceId": {
                            "type": "string"
                          },
                          "privateEndpointSubnetId": {
                            "type": "string"
                          },
                          "subnetLocation": {
                            "type": "string"
                          }
                        },
                        "variables": {
                          "privateEndpointName": "[deployment().name]"
                        },
                        "resources": [
                          {
                            "name": "[variables('privateEndpointName')]",
                            "type": "Microsoft.Network/privateEndpoints",
                            "apiVersion": "2020-07-01",
                            "location": "[parameters('subnetLocation')]",
                            "tags": {},
                            "properties": {
                              "subnet": {
                                "id": "[parameters('privateEndpointSubnetId')]"
                              },
                              "privateLinkServiceConnections": [
                                {
                                  "name": "[variables('privateEndpointName')]",
                                  "properties": {
                                    "privateLinkServiceId": "[parameters('serviceId')]",
                                    "groupIds": [
                                      "account"
                                    ],
                                    "requestMessage": "autoapprove"
                                  }
                                }
                              ],
                              "manualPrivateLinkServiceConnections": []
                            }
                          }
                        ]
                      },
                      "parameters": {
                        "serviceId": {
                          "value": "[parameters('serviceId')]"
                        },
                        "privateEndpointSubnetId": {
                          "value": "[parameters('privateEndpointSubnetId')]"
                        },
                        "subnetLocation": {
                          "value": "[reference(first(take(split(parameters('privateEndpointSubnetId'),'/subnets'),1)),'2020-07-01','Full').location]"
                        }
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/db630ad5-52e9-4f4d-9c44-53912fe40053",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "db630ad5-52e9-4f4d-9c44-53912fe40053"
}
BuiltIn Cognitive Services False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7), 'Cognitive Services Contributor' (25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68)
{
  "properties": {
    "displayName": "Configure container registries to disable local authentication.",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disable local authentication so that your container registries exclusively require Azure Active Directory identities for authentication. Learn more about at: https://aka.ms/acr/authentication.",
    "metadata": {
      "version": "1.0.0",
      "category": "Container Registry"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Modify",
          "Disabled"
        ],
        "defaultValue": "Modify"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ContainerRegistry/registries"
          },
          {
            "field": "Microsoft.ContainerRegistry/registries/adminUserEnabled",
            "equals": true
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "conflictEffect": "audit",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "operations": [
            {
              "operation": "addOrReplace",
              "field": "Microsoft.ContainerRegistry/registries/adminUserEnabled",
              "value": false
            }
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/79fdfe03-ffcb-4e55-b4d0-b925b8241759",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "79fdfe03-ffcb-4e55-b4d0-b925b8241759"
}
BuiltIn Container Registry False False n/a n/a Modify false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Configure Container registries to disable public network access",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disable public network access for your Container Registry resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at https://aka.ms/acr/portal/public-network and https://aka.ms/acr/private-link.",
    "metadata": {
      "version": "1.0.0",
      "category": "Container Registry"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Modify",
          "Disabled"
        ],
        "defaultValue": "Modify"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ContainerRegistry/registries"
          },
          {
            "field": "Microsoft.ContainerRegistry/registries/publicNetworkAccess",
            "notEquals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "conflictEffect": "audit",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "operations": [
            {
              "operation": "addOrReplace",
              "field": "Microsoft.ContainerRegistry/registries/publicNetworkAccess",
              "value": "Disabled"
            }
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/a3701552-92ea-433e-9d17-33b7f1208fc9",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "a3701552-92ea-433e-9d17-33b7f1208fc9"
}
BuiltIn Container Registry False False n/a n/a Modify false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Configure Container registries to use private DNS zones",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Container Registry. Learn more at: https://aka.ms/privatednszone and https://aka.ms/acr/private-link.",
    "metadata": {
      "version": "1.0.0",
      "category": "Container Registry"
    },
    "parameters": {
      "privateDnsZoneId": {
        "type": "String",
        "metadata": {
          "displayName": "Private DNS Zone id",
          "description": "A private DNS zone id to connect to the private endpoint. It should be linked to the private endpoint's associated VNET.",
          "strongType": "Microsoft.Network/privateDnsZones"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/privateEndpoints"
          },
          {
            "count": {
              "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
              "where": {
                "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                "equals": "registry"
              }
            },
            "greaterOrEquals": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "privateDnsZoneId": {
                    "type": "string"
                  },
                  "privateEndpointName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
                    "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
                    "apiVersion": "2020-03-01",
                    "location": "[parameters('location')]",
                    "properties": {
                      "privateDnsZoneConfigs": [
                        {
                          "name": "containerRegistry-privateDnsZone",
                          "properties": {
                            "privateDnsZoneId": "[parameters('privateDnsZoneId')]"
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "parameters": {
                "privateDnsZoneId": {
                  "value": "[parameters('privateDnsZoneId')]"
                },
                "privateEndpointName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e9585a95-5b8c-4d03-b193-dc7eb5ac4c32"
}
BuiltIn Container Registry False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7)
{
  "properties": {
    "displayName": "Configure Container registries with private endpoints",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your premium container registry resources, you can reduce data leakage risks. Learn more at: https://aka.ms/privateendpoints and https://aka.ms/acr/private-link.",
    "metadata": {
      "version": "1.0.0",
      "category": "Container Registry"
    },
    "parameters": {
      "privateEndpointSubnetId": {
        "type": "String",
        "metadata": {
          "displayName": "Private endpoint subnet id",
          "description": "A subnet with private endpoint network policies disabled.",
          "strongType": "Microsoft.Network/virtualNetworks/subnets"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ContainerRegistry/registries"
          },
          {
            "field": "Microsoft.ContainerRegistry/registries/sku.name",
            "equals": "Premium"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.ContainerRegistry/registries/privateEndpointConnections",
          "existenceCondition": {
            "field": "Microsoft.ContainerRegistry/registries/privateEndpointConnections/privateLinkServiceConnectionState.status",
            "equals": "Approved"
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "name": {
                  "value": "[field('name')]"
                },
                "serviceId": {
                  "value": "[field('id')]"
                },
                "privateEndpointSubnetId": {
                  "value": "[parameters('privateEndpointSubnetId')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "name": {
                    "type": "string"
                  },
                  "serviceId": {
                    "type": "string"
                  },
                  "privateEndpointSubnetId": {
                    "type": "string"
                  }
                },
                "variables": {
                  "privateEndpointName": "[concat('pe-',substring(parameters('name'),0,min(length(parameters('name')),50)),'-',uniquestring(deployment().name))]"
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/deployments",
                    "name": "[variables('privateEndpointName')]",
                    "apiVersion": "2020-06-01",
                    "properties": {
                      "mode": "Incremental",
                      "expressionEvaluationOptions": {
                        "scope": "inner"
                      },
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "serviceId": {
                            "type": "string"
                          },
                          "privateEndpointSubnetId": {
                            "type": "string"
                          },
                          "subnetLocation": {
                            "type": "string"
                          }
                        },
                        "variables": {
                          "privateEndpointName": "[deployment().name]"
                        },
                        "resources": [
                          {
                            "name": "[variables('privateEndpointName')]",
                            "type": "Microsoft.Network/privateEndpoints",
                            "apiVersion": "2020-07-01",
                            "location": "[parameters('subnetLocation')]",
                            "tags": {},
                            "properties": {
                              "subnet": {
                                "id": "[parameters('privateEndpointSubnetId')]"
                              },
                              "privateLinkServiceConnections": [
                                {
                                  "name": "[variables('privateEndpointName')]",
                                  "properties": {
                                    "privateLinkServiceId": "[parameters('serviceId')]",
                                    "groupIds": [
                                      "registry"
                                    ],
                                    "requestMessage": "autoapprove"
                                  }
                                }
                              ],
                              "manualPrivateLinkServiceConnections": []
                            }
                          }
                        ]
                      },
                      "parameters": {
                        "serviceId": {
                          "value": "[parameters('serviceId')]"
                        },
                        "privateEndpointSubnetId": {
                          "value": "[parameters('privateEndpointSubnetId')]"
                        },
                        "subnetLocation": {
                          "value": "[reference(first(take(split(parameters('privateEndpointSubnetId'),'/subnets'),1)),'2020-07-01','Full').location]"
                        }
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/d85c6833-7d33-4cf5-a915-aaa2de84405f",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "d85c6833-7d33-4cf5-a915-aaa2de84405f"
}
BuiltIn Container Registry False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Configure Cosmos DB database accounts to disable local authentication",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disable local authentication methods so that your Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth.",
    "metadata": {
      "version": "1.0.0",
      "category": "Cosmos DB"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Modify",
          "Disabled"
        ],
        "defaultValue": "Modify"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DocumentDB/databaseAccounts"
          },
          {
            "field": "Microsoft.DocumentDB/databaseAccounts/disableLocalAuth",
            "notEquals": true
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450"
          ],
          "conflictEffect": "audit",
          "operations": [
            {
              "condition": "[greaterOrEquals(requestContext().apiVersion, '2021-06-15')]",
              "operation": "addOrReplace",
              "field": "Microsoft.DocumentDB/databaseAccounts/disableLocalAuth",
              "value": true
            }
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "dc2d41d1-4ab1-4666-a3e1-3d51c43e0049"
}
BuiltIn Cosmos DB False False n/a n/a Modify false 0 n/a false 0 n/a 'DocumentDB Account Contributor' (5bd9cd88-fe45-4216-938b-f97437e15450)
{
  "properties": {
    "displayName": "Configure CosmosDB accounts to disable public network access ",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disable public network access for your CosmosDB resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation.",
    "metadata": {
      "version": "1.0.0",
      "category": "Cosmos DB"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Modify",
          "Disabled"
        ],
        "defaultValue": "Modify"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DocumentDB/databaseAccounts"
          },
          {
            "field": "Microsoft.DocumentDB/databaseAccounts/publicNetworkAccess",
            "notEquals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
            "/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450"
          ],
          "conflictEffect": "audit",
          "operations": [
            {
              "condition": "[greaterOrEquals(requestContext().apiVersion, '2021-01-15')]",
              "operation": "addOrReplace",
              "field": "Microsoft.DocumentDB/databaseAccounts/publicNetworkAccess",
              "value": "Disabled"
            }
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "da69ba51-aaf1-41e5-8651-607cd0b37088"
}
BuiltIn Cosmos DB False False n/a n/a Modify false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c), 'DocumentDB Account Contributor' (5bd9cd88-fe45-4216-938b-f97437e15450)
{
  "properties": {
    "displayName": "Configure CosmosDB accounts to use private DNS zones",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to CosmosDB account. Learn more at: https://aka.ms/privatednszone.",
    "metadata": {
      "version": "1.0.0",
      "category": "Cosmos DB"
    },
    "parameters": {
      "privateDnsZoneId": {
        "type": "String",
        "metadata": {
          "displayName": "Private Dns Zone Id",
          "description": "The private DNS zone to deploy in a new private DNS zone group and link to the private endpoint",
          "strongType": "Microsoft.Network/privateDnsZones"
        }
      },
      "privateEndpointGroupId": {
        "type": "String",
        "metadata": {
          "displayName": "Private Endpoint Group Id",
          "description": "A group Id for the private endpoint"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/privateEndpoints"
          },
          {
            "count": {
              "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
              "where": {
                "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                "equals": "[parameters('privateEndpointGroupId')]"
              }
            },
            "greaterOrEquals": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "privateDnsZoneId": {
                    "type": "string"
                  },
                  "privateEndpointName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
                    "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
                    "apiVersion": "2020-03-01",
                    "location": "[parameters('location')]",
                    "properties": {
                      "privateDnsZoneConfigs": [
                        {
                          "name": "cosmosDB-privateDnsZone",
                          "properties": {
                            "privateDnsZoneId": "[parameters('privateDnsZoneId')]"
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "parameters": {
                "privateDnsZoneId": {
                  "value": "[parameters('privateDnsZoneId')]"
                },
                "privateEndpointName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "a63cc0bd-cda4-4178-b705-37dc439d3e0f"
}
BuiltIn Cosmos DB False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7)
{
  "properties": {
    "displayName": "Configure CosmosDB accounts with private endpoints ",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your CosmosDB account, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints.",
    "metadata": {
      "version": "1.0.0",
      "category": "Cosmos DB"
    },
    "parameters": {
      "privateEndpointSubnetId": {
        "type": "String",
        "metadata": {
          "displayName": "privateEndpointSubnetId",
          "description": "A subnet in the location",
          "strongType": "Microsoft.Network/virtualNetworks/subnets"
        }
      },
      "privateEndpointGroupId": {
        "type": "String",
        "metadata": {
          "displayName": "privateEndpointGroupId",
          "description": "A group Id for the private endpoint"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.DocumentDB/databaseAccounts"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.DocumentDB/databaseAccounts/privateEndpointConnections",
          "existenceCondition": {
            "field": "Microsoft.DocumentDB/databaseAccounts/privateEndpointConnections/privateLinkServiceConnectionState.status",
            "equals": "Approved"
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
            "/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "name": {
                  "value": "[field('name')]"
                },
                "serviceId": {
                  "value": "[field('id')]"
                },
                "privateEndpointSubnetId": {
                  "value": "[parameters('privateEndpointSubnetId')]"
                },
                "privateEndpointGroupId": {
                  "value": "[parameters('privateEndpointGroupId')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "name": {
                    "type": "String"
                  },
                  "serviceId": {
                    "type": "String"
                  },
                  "privateEndpointSubnetId": {
                    "type": "String"
                  },
                  "privateEndpointGroupId": {
                    "type": "String"
                  }
                },
                "variables": {
                  "privateEndpointName": "[concat('pe-',substring(parameters('name'),0,min(length(parameters('name')),50)),'-',uniquestring(deployment().name))]"
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/deployments",
                    "name": "[variables('privateEndpointName')]",
                    "apiVersion": "2020-06-01",
                    "properties": {
                      "mode": "Incremental",
                      "expressionEvaluationOptions": {
                        "scope": "inner"
                      },
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "serviceId": {
                            "type": "string"
                          },
                          "privateEndpointSubnetId": {
                            "type": "string"
                          },
                          "privateEndpointGroupId": {
                            "type": "String"
                          },
                          "subnetLocation": {
                            "type": "string"
                          }
                        },
                        "variables": {
                          "privateEndpointName": "[deployment().name]"
                        },
                        "resources": [
                          {
                            "name": "[variables('privateEndpointName')]",
                            "type": "Microsoft.Network/privateEndpoints",
                            "apiVersion": "2020-07-01",
                            "location": "[parameters('subnetLocation')]",
                            "tags": {},
                            "properties": {
                              "subnet": {
                                "id": "[parameters('privateEndpointSubnetId')]"
                              },
                              "privateLinkServiceConnections": [
                                {
                                  "name": "[variables('privateEndpointName')]",
                                  "properties": {
                                    "privateLinkServiceId": "[parameters('serviceId')]",
                                    "groupIds": [
                                      "[parameters('privateEndpointGroupId')]"
                                    ],
                                    "requestMessage": "autoapprove"
                                  }
                                }
                              ],
                              "manualPrivateLinkServiceConnections": []
                            }
                          }
                        ]
                      },
                      "parameters": {
                        "serviceId": {
                          "value": "[parameters('serviceId')]"
                        },
                        "privateEndpointSubnetId": {
                          "value": "[parameters('privateEndpointSubnetId')]"
                        },
                        "privateEndpointGroupId": {
                          "value": "[parameters('privateEndpointGroupId')]"
                        },
                        "subnetLocation": {
                          "value": "[reference(first(take(split(parameters('privateEndpointSubnetId'),'/subnets'),1)),'2020-07-01','Full').location]"
                        }
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/b609e813-3156-4079-91fa-a8494c1471c4",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b609e813-3156-4079-91fa-a8494c1471c4"
}
BuiltIn Cosmos DB False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c), 'DocumentDB Account Contributor' (5bd9cd88-fe45-4216-938b-f97437e15450)
{
  "properties": {
    "displayName": "Configure Data Factories to disable public network access",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disable public network access for your Data Factory so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link.",
    "metadata": {
      "version": "1.0.0",
      "category": "Data Factory"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Modify",
          "Disabled"
        ],
        "defaultValue": "Modify"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DataFactory/factories"
          },
          {
            "field": "Microsoft.DataFactory/factories/publicNetworkAccess",
            "notEquals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "conflictEffect": "audit",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5"
          ],
          "operations": [
            {
              "condition": "[greaterOrEquals(requestContext().apiVersion, '2018-06-01')]",
              "operation": "addOrReplace",
              "field": "Microsoft.DataFactory/factories/publicNetworkAccess",
              "value": "Disabled"
            }
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/08b1442b-7789-4130-8506-4f99a97226a7",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "08b1442b-7789-4130-8506-4f99a97226a7"
}
BuiltIn Data Factory False False n/a n/a Modify false 0 n/a false 0 n/a 'Data Factory Contributor' (673868aa-7521-48a0-acc6-0f60742d39f5)
{
  "properties": {
    "displayName": "Configure Dependency agent on Azure Arc enabled Linux servers",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs.",
    "metadata": {
      "version": "2.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.HybridCompute/machines"
          },
          {
            "field": "Microsoft.HybridCompute/machines/osName",
            "equals": "linux"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.HybridCompute/machines/extensions",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.HybridCompute/machines/extensions/type",
                "equals": "DependencyAgentLinux"
              },
              {
                "field": "Microsoft.HybridCompute/machines/extensions/publisher",
                "equals": "Microsoft.Azure.Monitoring.DependencyAgent"
              },
              {
                "field": "Microsoft.HybridCompute/machines/extensions/provisioningState",
                "equals": "Succeeded"
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "variables": {
                  "vmExtensionName": "DependencyAgentLinux",
                  "vmExtensionPublisher": "Microsoft.Azure.Monitoring.DependencyAgent",
                  "vmExtensionType": "DependencyAgentLinux"
                },
                "resources": [
                  {
                    "name": "[concat(parameters('vmName'), '/', variables('vmExtensionName'))]",
                    "type": "Microsoft.HybridCompute/machines/extensions",
                    "location": "[parameters('location')]",
                    "apiVersion": "2019-12-12",
                    "properties": {
                      "publisher": "[variables('vmExtensionPublisher')]",
                      "type": "[variables('vmExtensionType')]",
                      "settings": {}
                    }
                  }
                ],
                "outputs": {
                  "policy": {
                    "type": "string",
                    "value": "[concat('Enabled DA extension for VM', ': ', parameters('vmName'))]"
                  }
                }
              },
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/deacecc0-9f84-44d2-bb82-46f32d766d43",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "deacecc0-9f84-44d2-bb82-46f32d766d43"
}
BuiltIn Monitoring False False n/a n/a DeployIfNotExists false 0 n/a true 1 Enable Azure Monitor for VMs (/providers/microsoft.authorization/policysetdefinitions/55f3eceb-5573-4f18-9695-226972c6d74a) 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Configure Dependency agent on Azure Arc enabled Windows servers",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs.",
    "metadata": {
      "version": "2.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.HybridCompute/machines"
          },
          {
            "field": "Microsoft.HybridCompute/machines/osName",
            "equals": "windows"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.HybridCompute/machines/extensions",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.HybridCompute/machines/extensions/type",
                "equals": "DependencyAgentWindows"
              },
              {
                "field": "Microsoft.HybridCompute/machines/extensions/publisher",
                "equals": "Microsoft.Azure.Monitoring.DependencyAgent"
              },
              {
                "field": "Microsoft.HybridCompute/machines/extensions/provisioningState",
                "equals": "Succeeded"
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "variables": {
                  "DaExtensionName": "DependencyAgentWindows",
                  "DaExtensionType": "DependencyAgentWindows"
                },
                "resources": [
                  {
                    "type": "Microsoft.HybridCompute/machines/extensions",
                    "apiVersion": "2020-03-11-preview",
                    "name": "[concat(parameters('vmName'), '/', variables('DaExtensionName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.Azure.Monitoring.DependencyAgent",
                      "type": "[variables('DaExtensionType')]",
                      "autoUpgradeMinorVersion": true,
                      "settings": {}
                    }
                  }
                ],
                "outputs": {
                  "policy": {
                    "type": "string",
                    "value": "[concat('Enabled DA extension for VM', ': ', parameters('vmName'))]"
                  }
                }
              },
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/91cb9edd-cd92-4d2f-b2f2-bdd8d065a3d4",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "91cb9edd-cd92-4d2f-b2f2-bdd8d065a3d4"
}
BuiltIn Monitoring False False n/a n/a DeployIfNotExists false 0 n/a true 1 Enable Azure Monitor for VMs (/providers/microsoft.authorization/policysetdefinitions/55f3eceb-5573-4f18-9695-226972c6d74a) 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Configure diagnostic settings for storage accounts to Log Analytics workspace",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploys the diagnostic settings for storage accounts to stream resource logs to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated.",
    "metadata": {
      "category": "Storage",
      "version": "1.3.0"
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Specify the Log Analytics workspace the storage account should be connected to.",
          "strongType": "omsWorkspace",
          "assignPermissions": true
        }
      },
      "servicesToDeploy": {
        "type": "Array",
        "metadata": {
          "displayName": "Storage services to deploy",
          "description": "List of Storage services to deploy"
        },
        "allowedValues": [
          "storageAccounts",
          "blobServices",
          "fileServices",
          "tableServices",
          "queueServices"
        ],
        "defaultValue": [
          "storageAccounts",
          "blobServices",
          "fileServices",
          "tableServices",
          "queueServices"
        ]
      },
      "diagnosticsSettingNameToUse": {
        "type": "String",
        "metadata": {
          "displayName": "Setting name",
          "description": "Name of the diagnostic settings."
        },
        "defaultValue": "storageAccountsDiagnosticsLogsToWorkspace"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "StorageDelete": {
        "type": "String",
        "metadata": {
          "displayName": "StorageDelete - Enabled",
          "description": "Whether to stream StorageDelete logs to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "StorageWrite": {
        "type": "String",
        "metadata": {
          "displayName": "StorageWrite - Enabled",
          "description": "Whether to stream StorageWrite logs to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "StorageRead": {
        "type": "String",
        "metadata": {
          "displayName": "StorageRead - Enabled",
          "description": "Whether to stream StorageRead logs to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "Transaction": {
        "type": "String",
        "metadata": {
          "displayName": "Transaction - Enabled",
          "description": "Whether to stream Transaction logs to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Storage/storageAccounts"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "existenceCondition": {
            "allOf": [
              {
                "anyof": [
                  {
                    "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                    "equals": "True"
                  },
                  {
                    "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                    "equals": "True"
                  }
                ]
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "servicesToDeploy": {
                    "type": "array"
                  },
                  "diagnosticsSettingNameToUse": {
                    "type": "string"
                  },
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "Transaction": {
                    "type": "string"
                  },
                  "StorageRead": {
                    "type": "string"
                  },
                  "StorageWrite": {
                    "type": "string"
                  },
                  "StorageDelete": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "condition": "[contains(parameters('servicesToDeploy'), 'blobServices')]",
                    "type": "Microsoft.Storage/storageAccounts/blobServices/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/default/', 'Microsoft.Insights/', parameters('diagnosticsSettingNameToUse'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "Transaction",
                          "enabled": "[parameters('Transaction')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": [
                        {
                          "category": "StorageRead",
                          "enabled": "[parameters('StorageRead')]"
                        },
                        {
                          "category": "StorageWrite",
                          "enabled": "[parameters('StorageWrite')]"
                        },
                        {
                          "category": "StorageDelete",
                          "enabled": "[parameters('StorageDelete')]"
                        }
                      ]
                    }
                  },
                  {
                    "condition": "[contains(parameters('servicesToDeploy'), 'fileServices')]",
                    "type": "Microsoft.Storage/storageAccounts/fileServices/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/default/', 'Microsoft.Insights/', parameters('diagnosticsSettingNameToUse'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "Transaction",
                          "enabled": "[parameters('Transaction')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": [
                        {
                          "category": "StorageRead",
                          "enabled": "[parameters('StorageRead')]"
                        },
                        {
                          "category": "StorageWrite",
                          "enabled": "[parameters('StorageWrite')]"
                        },
                        {
                          "category": "StorageDelete",
                          "enabled": "[parameters('StorageDelete')]"
                        }
                      ]
                    }
                  },
                  {
                    "condition": "[contains(parameters('servicesToDeploy'), 'tableServices')]",
                    "type": "Microsoft.Storage/storageAccounts/tableServices/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/default/', 'Microsoft.Insights/', parameters('diagnosticsSettingNameToUse'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "Transaction",
                          "enabled": "[parameters('Transaction')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": [
                        {
                          "category": "StorageRead",
                          "enabled": "[parameters('StorageRead')]"
                        },
                        {
                          "category": "StorageWrite",
                          "enabled": "[parameters('StorageWrite')]"
                        },
                        {
                          "category": "StorageDelete",
                          "enabled": "[parameters('StorageDelete')]"
                        }
                      ]
                    }
                  },
                  {
                    "condition": "[contains(parameters('servicesToDeploy'), 'queueServices')]",
                    "type": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/default/', 'Microsoft.Insights/', parameters('diagnosticsSettingNameToUse'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "Transaction",
                          "enabled": "[parameters('Transaction')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": [
                        {
                          "category": "StorageRead",
                          "enabled": "[parameters('StorageRead')]"
                        },
                        {
                          "category": "StorageWrite",
                          "enabled": "[parameters('StorageWrite')]"
                        },
                        {
                          "category": "StorageDelete",
                          "enabled": "[parameters('StorageDelete')]"
                        }
                      ]
                    }
                  },
                  {
                    "condition": "[contains(parameters('servicesToDeploy'), 'storageAccounts')]",
                    "type": "Microsoft.Storage/storageAccounts/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('diagnosticsSettingNameToUse'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "Transaction",
                          "enabled": "[parameters('Transaction')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "diagnosticsSettingNameToUse": {
                  "value": "[parameters('diagnosticsSettingNameToUse')]"
                },
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "Transaction": {
                  "value": "[parameters('Transaction')]"
                },
                "StorageDelete": {
                  "value": "[parameters('StorageDelete')]"
                },
                "StorageWrite": {
                  "value": "[parameters('StorageWrite')]"
                },
                "StorageRead": {
                  "value": "[parameters('StorageRead')]"
                },
                "servicesToDeploy": {
                  "value": "[parameters('servicesToDeploy')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "6f8f98a4-f108-47cb-8e98-91a0d85cd474"
}
BuiltIn Storage False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Configure disaster recovery on virtual machines by enabling replication",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Virtual machines without disaster recovery configurations are vulnerable to outages and other disruptions. If the virtual machine does not already have disaster recovery configured, this would initiate the same by enabling replication using preset configurations to facilitate business continuity. To learn more about disaster recovery, visit https://aka.ms/asr-doc.",
    "metadata": {
      "version": "1.2.0",
      "category": "Compute"
    },
    "parameters": {
      "sourceRegion": {
        "type": "String",
        "metadata": {
          "displayName": "Source Region",
          "description": "Region in which the virtual machine is originally deployed",
          "strongType": "location",
          "serviceName": "ASR"
        }
      },
      "targetRegion": {
        "type": "String",
        "metadata": {
          "displayName": "Target Region",
          "description": "Region to be used to deploy the virtual machine in case of a natural disaster",
          "strongType": "location",
          "serviceName": "ASR"
        }
      },
      "targetResourceGroupId": {
        "type": "String",
        "metadata": {
          "displayName": "Target Resource Group",
          "description": "Resource group to be used to create the virtual machine in the target region",
          "assignPermissions": true,
          "strongType": "Microsoft.Resources/resourceGroups",
          "serviceName": "ASR"
        }
      },
      "vaultResourceGroupId": {
        "type": "String",
        "metadata": {
          "displayName": "Vault Resource Group",
          "description": "The resource group containing the recovery services vault used for disaster recovery configurations",
          "assignPermissions": true,
          "strongType": "Microsoft.Resources/resourceGroups",
          "serviceName": "ASR"
        }
      },
      "vaultId": {
        "type": "String",
        "metadata": {
          "displayName": "Recovery Services Vault",
          "description": "ID of the recovery services vault to be used for disaster recovery configurations",
          "strongType": "Microsoft.RecoveryServices/vaults",
          "serviceName": "ASR"
        }
      },
      "recoveryNetworkId": {
        "type": "String",
        "metadata": {
          "displayName": "Recovery Virtual Network",
          "description": "Existing Recovery Virtual Network ID or name of the Virtual Network to be created in Target Region",
          "strongType": "Microsoft.Network/virtualNetworks",
          "serviceName": "ASR"
        },
        "defaultValue": ""
      },
      "targetZone": {
        "type": "String",
        "metadata": {
          "displayName": "Target Availability Zone",
          "description": "Availability zone in the designated target region to be used by virtual machines during disaster",
          "strongType": "zone",
          "serviceName": "ASR"
        },
        "defaultValue": ""
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "location",
            "equals": "[parameters('sourceRegion')]"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.vhd.uri",
            "exists": "false"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.encryptionSettings",
            "exists": "false"
          },
          {
            "anyOf": [
              {
                "allOf": [
                  {
                    "field": "location",
                    "equals": "[parameters('targetRegion')]"
                  },
                  {
                    "field": "Microsoft.Compute/virtualMachines/zones",
                    "exists": "true"
                  },
                  {
                    "field": "Microsoft.Compute/virtualMachines/zones[*]",
                    "notEquals": "[parameters('targetZone')]"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "location",
                    "notEquals": "[parameters('targetRegion')]"
                  },
                  {
                    "field": "Microsoft.Compute/virtualMachines/zones",
                    "exists": "true"
                  },
                  {
                    "value": "[length(parameters('targetZone'))]",
                    "greater": 0
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "location",
                    "notEquals": "[parameters('targetRegion')]"
                  },
                  {
                    "field": "Microsoft.Compute/virtualMachines/zones",
                    "exists": "false"
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Resources/links",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
          ],
          "existenceCondition": {
            "allOf": [
              {
                "field": "name",
                "like": "ASR-Protect-*"
              },
              {
                "field": "Microsoft.Resources/links/targetId",
                "contains": "/replicationProtectedItems/"
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "apiVersion": {
                    "type": "String"
                  },
                  "avSetId": {
                    "type": "String"
                  },
                  "dataDiskIds": {
                    "type": "object"
                  },
                  "osDiskId": {
                    "type": "String"
                  },
                  "ppgId": {
                    "type": "String"
                  },
                  "recoveryNetworkId": {
                    "type": "String"
                  },
                  "recoverySubscriptionId": {
                    "type": "String"
                  },
                  "sourceRegion": {
                    "type": "String"
                  },
                  "sourceResourceGroupName": {
                    "type": "String"
                  },
                  "targetRegion": {
                    "type": "String"
                  },
                  "targetResourceGroupName": {
                    "type": "String"
                  },
                  "targetZone": {
                    "type": "String"
                  },
                  "vaultName": {
                    "type": "String"
                  },
                  "vaultResourceGroupName": {
                    "type": "String"
                  },
                  "vmId": {
                    "type": "String"
                  },
                  "vmZones": {
                    "type": "Object"
                  }
                },
                "variables": {
                  "avSetApiVersion": "2019-03-01",
                  "deploymentApiVersion": "2017-05-10",
                  "vmApiVersion": "2019-07-01",
                  "ppgApiVersion": "2019-12-01",
                  "portalLinkPrefix": "https://portal.azure.com/#@microsoft.onmicrosoft.com/resource",
                  "schemaLink": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                  "defaultAvSet": "defaultAvSet-asr",
                  "defaultPPG": "defaultPPG-asr",
                  "eligibilityResultsDefault": "default",
                  "protectedItemSuffix": "-policy",
                  "recoveryAvSetPrefix": "RecoveryAvSet-",
                  "recoveryPPGPrefix": "RecoveryPPG-",
                  "avSetType": "Microsoft.Compute/availabilitySets",
                  "deploymentType": "Microsoft.Resources/deployments",
                  "networkType": "Microsoft.Network/virtualNetworks",
                  "ppgType": "Microsoft.Compute/proximityPlacementGroups",
                  "replicationEligibilityResultsType": "Microsoft.RecoveryServices/replicationEligibilityResults",
                  "storageType": "Microsoft.Storage/storageAccounts",
                  "vaultType": "Microsoft.RecoveryServices/vaults",
                  "avSetTemplateName": "[concat(variables('recoveryAvSetPrefix'), last(split(parameters('vmId'), '/')))]",
                  "avSetTemplateName64": "[if(greater(length(variables('avSetTemplateName')), 64), substring(variables('avSetTemplateName'), 0, 64), variables('avSetTemplateName'))]",
                  "ppgTemplateName": "[concat(variables('recoveryPPGPrefix'), last(split(parameters('vmId'), '/')))]",
                  "ppgTemplateName64": "[if(greater(length(variables('ppgTemplateName')), 64), substring(variables('ppgTemplateName'), 0, 64), variables('ppgTemplateName'))]",
                  "replicationProtectedIntentTemplateName": "[concat('ASR-', parameters('sourceResourceGroupName'), '-', last(split(parameters('vmId'), '/')))]",
                  "replicationProtectedIntentTemplateName64": "[if(greater(length(variables('replicationProtectedIntentTemplateName')), 64), substring(variables('replicationProtectedIntentTemplateName'), 0, 64), variables('replicationProtectedIntentTemplateName'))]",
                  "vmDataDiskIds": "[array(parameters('dataDiskIds').rawValue)]",
                  "vmDiskCount": "[add(length(variables('vmDataDiskIds')), int(1))]",
                  "diskIds": "[concat(array(parameters('osDiskId')), array(parameters('dataDiskIds').rawValue))]",
                  "vaultId": "[resourceId(parameters('vaultResourceGroupName'), variables('vaultType'), parameters('vaultName'))]",
                  "eligibilityResultsId": "[extensionResourceId(parameters('vmId'), variables('replicationEligibilityResultsType'), variables('eligibilityResultsDefault'))]",
                  "protectedIntentName": "[concat(parameters('vaultName'), '/', guid(resourceGroup().id, last(split(parameters('vmId'), '/'))), variables('protectedItemSuffix'))]",
                  "recoveryAvSetName": "[if(empty(parameters('avSetId')), variables('defaultAvSet'), concat(last(split(parameters('avSetId'), '/')), '-asr'))]",
                  "recoveryAvSetId": "[if(empty(parameters('avSetId')), '', resourceId(parameters('targetResourceGroupName'), variables('avSetType'), variables('recoveryAvSetName')))]",
                  "recoveryAvType": "[if(not(empty(parameters('avSetId'))), 'AvailabilitySet', if(greater(length(parameters('vmZones').rawValue), 0), 'AvailabilityZone', 'Single'))]",
                  "recoveryAvZone": "[if(greater(length(parameters('vmZones').rawValue), 0), parameters('targetZone'), '')]",
                  "recoveryPPGName": "[if(empty(parameters('ppgId')), variables('defaultPPG'), concat(last(split(parameters('ppgId'), '/')), '-asr'))]",
                  "recoveryPPGId": "[if(empty(parameters('ppgId')), '', resourceId(parameters('targetResourceGroupName'), variables('ppgType'), variables('recoveryPPGName')))]",
                  "targetResourceGroupId": "[concat('/subscriptions/', parameters('recoverySubscriptionId'), '/resourceGroups/', parameters('targetResourceGroupName'))]"
                },
                "resources": [
                  {
                    "condition": "[not(empty(parameters('ppgId')))]",
                    "apiVersion": "[variables('deploymentApiVersion')]",
                    "name": "[variables('ppgTemplateName64')]",
                    "type": "Microsoft.Resources/deployments",
                    "resourceGroup": "[parameters('targetResourceGroupName')]",
                    "properties": {
                      "mode": "Incremental",
                      "template": {
                        "$schema": "[variables('schemaLink')]",
                        "contentVersion": "1.0.0.0",
                        "parameters": {},
                        "variables": {},
                        "resources": [
                          {
                            "condition": "[not(empty(parameters('ppgId')))]",
                            "type": "[variables('ppgType')]",
                            "name": "[variables('recoveryPPGName')]",
                            "apiVersion": "[variables('ppgApiVersion')]",
                            "location": "[parameters('targetRegion')]",
                            "properties": {
                              "proximityPlacementGroupType": "[if(empty(parameters('ppgId')), 'Standard', reference(parameters('ppgId'), variables('ppgApiVersion')).proximityPlacementGroupType)]"
                            }
                          }
                        ]
                      },
                      "parameters": {}
                    }
                  },
                  {
                    "condition": "[not(empty(parameters('avSetId')))]",
                    "apiVersion": "[variables('deploymentApiVersion')]",
                    "name": "[variables('avSetTemplateName64')]",
                    "type": "Microsoft.Resources/deployments",
                    "resourceGroup": "[parameters('targetResourceGroupName')]",
                    "properties": {
                      "mode": "Incremental",
                      "template": {
                        "$schema": "[variables('schemaLink')]",
                        "contentVersion": "1.0.0.0",
                        "parameters": {},
                        "variables": {},
                        "resources": [
                          {
                            "condition": "[not(empty(parameters('avSetId')))]",
                            "type": "[variables('avSetType')]",
                            "sku": {
                              "name": "[if(empty(parameters('avSetId')), 'Aligned', reference(parameters('avSetId'), variables('avSetApiVersion'), 'Full').sku.name)]"
                            },
                            "name": "[variables('recoveryAvSetName')]",
                            "apiVersion": "[variables('avSetApiVersion')]",
                            "location": "[parameters('targetRegion')]",
                            "tags": {},
                            "properties": {
                              "platformUpdateDomainCount": "[if(empty(parameters('avSetId')), '5', reference(parameters('avSetId'), variables('avSetApiVersion')).platformUpdateDomainCount)]",
                              "platformFaultDomainCount": "[if(empty(parameters('avSetId')), '2', reference(parameters('avSetId'), variables('avSetApiVersion')).platformFaultDomainCount)]",
                              "proximityPlacementGroup": "[if(empty(parameters('ppgId')), json('null'), json(concat('{', '\"id\"', ':', '\"', variables('recoveryPPGId'), '\"', '}')))]"
                            }
                          }
                        ]
                      },
                      "parameters": {}
                    },
                    "dependsOn": [
                      "[variables('ppgTemplateName64')]"
                    ]
                  },
                  {
                    "apiVersion": "[variables('deploymentApiVersion')]",
                    "name": "[variables('replicationProtectedIntentTemplateName64')]",
                    "type": "Microsoft.Resources/deployments",
                    "resourceGroup": "[parameters('vaultResourceGroupName')]",
                    "properties": {
                      "mode": "Incremental",
                      "template": {
                        "$schema": "[variables('schemaLink')]",
                        "contentVersion": "1.0.0.0",
                        "parameters": {},
                        "variables": {},
                        "resources": [
                          {
                            "type": "Microsoft.RecoveryServices/vaults/replicationProtectionIntents",
                            "name": "[variables('protectedIntentName')]",
                            "apiVersion": "[parameters('apiVersion')]",
                            "properties": {
                              "providerSpecificDetails": {
                                "instanceType": "A2A",
                                "fabricObjectId": "[parameters('vmId')]",
                                "primaryLocation": "[parameters('sourceRegion')]",
                                "recoveryLocation": "[parameters('targetRegion')]",
                                "recoverySubscriptionId": "[parameters('recoverySubscriptionId')]",
                                "recoveryAvailabilityType": "[variables('recoveryAvType')]",
                                "recoveryAvailabilityZone": "[variables('recoveryAvZone')]",
                                "recoveryResourceGroupId": "[variables('targetResourceGroupId')]",
                                "recoveryAvailabilitySetCustomInput": "[if(empty(parameters('avSetId')), json('null'), json(concat('{', '\"resourceType\"', ':', '\"Existing\",', '\"recoveryAvailabilitySetId\"', ':', '\"', variables('recoveryAvSetId'), '\"', '}')))]",
                                "recoveryProximityPlacementGroupCustomInput": "[if(empty(parameters('ppgId')), json('null'), json(concat('{', '\"resourceType\"', ':', '\"Existing\",', '\"recoveryProximityPlacementGroupId\"', ':', '\"', variables('recoveryPPGId'), '\"', '}')))]",
                                "recoveryVirtualNetworkCustomInput": "[if(contains(parameters('recoveryNetworkId'), '/'),  json(concat('{', '\"resourceType\"', ':', '\"Existing\",', '\"recoveryVirtualNetworkId\"', ':', '\"', parameters('recoveryNetworkId'), '\"', '}')), json(concat('{', '\"resourceType\"', ':', '\"New\",', '\"recoveryVirtualNetworkName\"', ':', '\"', parameters('recoveryNetworkId'), '\"', '}')))]",
                                "vmDisks": [],
                                "copy": [
                                  {
                                    "name": "vmManagedDisks",
                                    "count": "[variables('vmDiskCount')]",
                                    "input": {
                                      "diskId": "[if(equals(copyIndex('vmManagedDisks'), int(0)), reference(parameters('vmId'), variables('vmApiVersion')).storageProfile.osDisk.managedDisk.Id, variables('vmDataDiskIds')[sub(copyIndex('vmManagedDisks'), int(1))])]",
                                      "recoveryResourceGroupCustomInput": {
                                        "resourceType": "Existing",
                                        "recoveryResourceGroupId": "[variables('targetResourceGroupId')]"
                                      }
                                    }
                                  }
                                ]
                              }
                            }
                          }
                        ],
                        "outputs": {
                          "vmName": {
                            "value": "[last(split(parameters('vmId'), '/'))]",
                            "type": "string"
                          },
                          "availabilitySetUrl": {
                            "value": "[if(empty(parameters('avSetId')), '', concat(variables('portalLinkPrefix'), variables('recoveryAvSetId')))]",
                            "type": "string"
                          },
                          "proximityPlacementGroupUrl": {
                            "value": "[if(empty(parameters('ppgId')), '', concat(variables('portalLinkPrefix'), variables('recoveryPPGId')))]",
                            "type": "string"
                          },
                          "replicationEligibilityResults": {
                            "value": "[reference(variables('eligibilityResultsId'), parameters('apiVersion'))]",
                            "type": "Object"
                          }
                        }
                      },
                      "parameters": {}
                    },
                    "dependsOn": [
                      "[variables('ppgTemplateName64')]",
                      "[variables('avSetTemplateName64')]"
                    ]
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "apiVersion": {
                  "value": "2018-07-10"
                },
                "avSetId": {
                  "value": "[field('Microsoft.Compute/virtualMachines/availabilitySet.id')]"
                },
                "dataDiskIds": {
                  "value": {
                    "rawValue": "[field('Microsoft.Compute/virtualMachines/storageProfile.dataDisks[*].managedDisk.id')]",
                    "emptyArray": []
                  }
                },
                "osDiskId": {
                  "value": "[field('Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk.id')]"
                },
                "ppgId": {
                  "value": "[field('Microsoft.Compute/virtualMachines/proximityPlacementGroup.id')]"
                },
                "recoveryNetworkId": {
                  "value": "[parameters('recoveryNetworkId')]"
                },
                "recoverySubscriptionId": {
                  "value": "[subscription().subscriptionId]"
                },
                "sourceRegion": {
                  "value": "[parameters('sourceRegion')]"
                },
                "sourceResourceGroupName": {
                  "value": "[resourcegroup().Name]"
                },
                "targetRegion": {
                  "value": "[parameters('targetRegion')]"
                },
                "targetResourceGroupName": {
                  "value": "[last(split(parameters('targetResourceGroupId'), '/'))]"
                },
                "targetZone": {
                  "value": "[parameters('targetZone')]"
                },
                "vaultName": {
                  "value": "[last(split(parameters('vaultId'), '/'))]"
                },
                "vaultResourceGroupName": {
                  "value": "[last(split(parameters('vaultResourceGroupId'), '/'))]"
                },
                "vmId": {
                  "value": "[field('id')]"
                },
                "vmZones": {
                  "value": {
                    "rawValue": "[field('Microsoft.Compute/virtualMachines/zones')]",
                    "emptyArray": []
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/ac34a73f-9fa5-4067-9247-a3ecae514468",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ac34a73f-9fa5-4067-9247-a3ecae514468"
}
BuiltIn Compute False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Owner' (8e3af657-a8ff-443c-a75c-2fe8c4bcb635)
{
  "properties": {
    "displayName": "Configure disk access resources to use private DNS zones",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to a managed disk. Learn more at: https://aka.ms/disksprivatelinksdoc.",
    "metadata": {
      "version": "1.0.0",
      "category": "Compute"
    },
    "parameters": {
      "privateDnsZoneId": {
        "type": "String",
        "metadata": {
          "displayName": "Private DNS Zone ID for managed disks",
          "description": "The private DNS zone name required for managed disks to resolve a private DNS Zone.",
          "strongType": "Microsoft.Network/privateDnsZones",
          "assignPermissions": true
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/privateEndpoints"
          },
          {
            "count": {
              "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]",
              "where": {
                "allOf": [
                  {
                    "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
                    "contains": "Microsoft.Compute/diskAccesses"
                  },
                  {
                    "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                    "equals": "disks"
                  }
                ]
              }
            },
            "greaterOrEquals": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "privateDnsZoneId": {
                    "type": "string"
                  },
                  "privateEndpointName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
                    "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
                    "apiVersion": "2020-03-01",
                    "location": "[parameters('location')]",
                    "properties": {
                      "privateDnsZoneConfigs": [
                        {
                          "name": "diskAccess-privateDnsZone",
                          "properties": {
                            "privateDnsZoneId": "[parameters('privateDnsZoneId')]"
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "parameters": {
                "privateDnsZoneId": {
                  "value": "[parameters('privateDnsZoneId')]"
                },
                "privateEndpointName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "bc05b96c-0b36-4ca9-82f0-5c53f96ce05a"
}
BuiltIn Compute False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7)
{
  "properties": {
    "displayName": "Configure disk access resources with private endpoints",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to disk access resources, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/disksprivatelinksdoc.",
    "metadata": {
      "version": "1.0.0",
      "category": "Compute"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "location": {
        "type": "String",
        "metadata": {
          "displayName": "Location",
          "strongType": "location",
          "description": "All disk access resources in this region are validated and private endpoints are created in this region."
        }
      },
      "privateEndpointSubnetId": {
        "type": "String",
        "metadata": {
          "displayName": "Private endpoint subnet ID",
          "description": "A subnet with private endpoint network policies disabled.",
          "strongType": "Microsoft.Network/virtualNetworks/subnets"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/diskAccesses"
          },
          {
            "field": "location",
            "equals": "[parameters('location')]"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Compute/diskAccesses/privateEndpointConnections",
          "existenceCondition": {
            "field": "Microsoft.Compute/diskAccesses/privateEndpointConnections/privateLinkServiceConnectionState.status",
            "equals": "Approved"
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "name": {
                  "value": "[concat('pe','-',field('name'))]"
                },
                "serviceId": {
                  "value": "[field('id')]"
                },
                "privateEndpointSubnetId": {
                  "value": "[parameters('privateEndpointSubnetId')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "name": {
                    "type": "string"
                  },
                  "serviceId": {
                    "type": "string"
                  },
                  "privateEndpointSubnetId": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[parameters('name')]",
                    "type": "Microsoft.Network/privateEndpoints",
                    "apiVersion": "2019-11-01",
                    "location": "[parameters('location')]",
                    "tags": {},
                    "properties": {
                      "subnet": {
                        "id": "[parameters('privateEndpointSubnetId')]"
                      },
                      "privateLinkServiceConnections": [
                        {
                          "name": "[parameters('name')]",
                          "properties": {
                            "privateLinkServiceId": "[parameters('serviceId')]",
                            "groupIds": [
                              "disks"
                            ]
                          }
                        }
                      ],
                      "manualPrivateLinkServiceConnections": []
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/582bd7a6-a5f6-4dc6-b9dc-9cb81fe0d4c5",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "582bd7a6-a5f6-4dc6-b9dc-9cb81fe0d4c5"
}
BuiltIn Compute False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Configure Event Hub namespaces to use private DNS zones",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Event Hub namespaces. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service.",
    "metadata": {
      "version": "1.0.0",
      "category": "Event Hub"
    },
    "parameters": {
      "privateDnsZoneId": {
        "type": "String",
        "metadata": {
          "displayName": "Private DNS Zone ID",
          "description": "Specifies the private DNS zone to use to configure private endpoint",
          "strongType": "Microsoft.Network/privateDnsZones"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/privateEndpoints"
          },
          {
            "count": {
              "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
              "where": {
                "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                "equals": "namespace"
              }
            },
            "greaterOrEquals": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "privateDnsZoneId": {
                    "type": "string"
                  },
                  "privateEndpointName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
                    "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
                    "apiVersion": "2020-03-01",
                    "location": "[parameters('location')]",
                    "properties": {
                      "privateDnsZoneConfigs": [
                        {
                          "name": "namespace-privateDnsZone",
                          "properties": {
                            "privateDnsZoneId": "[parameters('privateDnsZoneId')]"
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "parameters": {
                "privateDnsZoneId": {
                  "value": "[parameters('privateDnsZoneId')]"
                },
                "privateEndpointName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ed66d4f5-8220-45dc-ab4a-20d1749c74e6"
}
BuiltIn Event Hub False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7)
{
  "properties": {
    "displayName": "Configure Event Hub namespaces with private endpoints",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Event Hub namespaces, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service.",
    "metadata": {
      "version": "1.0.0",
      "category": "Event Hub"
    },
    "parameters": {
      "privateEndpointSubnetId": {
        "type": "String",
        "metadata": {
          "displayName": "Private endpoint subnet id",
          "description": "Specifies the subnet to use to configure private endpoint",
          "strongType": "Microsoft.Network/virtualNetworks/subnets"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.EventHub/namespaces"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.EventHub/namespaces/privateEndpointConnections",
          "existenceCondition": {
            "field": "Microsoft.EventHub/namespaces/privateEndpointConnections/privateLinkServiceConnectionState.status",
            "equals": "Approved"
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7",
            "/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "name": {
                  "value": "[field('name')]"
                },
                "serviceId": {
                  "value": "[field('id')]"
                },
                "privateEndpointSubnetId": {
                  "value": "[parameters('privateEndpointSubnetId')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "name": {
                    "type": "string"
                  },
                  "serviceId": {
                    "type": "string"
                  },
                  "privateEndpointSubnetId": {
                    "type": "string"
                  }
                },
                "variables": {
                  "privateEndpointName": "[concat('pe-',substring(parameters('name'),0,min(length(parameters('name')),50)),'-',uniquestring(deployment().name))]"
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/deployments",
                    "name": "[variables('privateEndpointName')]",
                    "apiVersion": "2020-06-01",
                    "properties": {
                      "mode": "Incremental",
                      "expressionEvaluationOptions": {
                        "scope": "inner"
                      },
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "serviceId": {
                            "type": "string"
                          },
                          "privateEndpointSubnetId": {
                            "type": "string"
                          },
                          "subnetLocation": {
                            "type": "string"
                          }
                        },
                        "variables": {
                          "privateEndpointName": "[deployment().name]"
                        },
                        "resources": [
                          {
                            "name": "[variables('privateEndpointName')]",
                            "type": "Microsoft.Network/privateEndpoints",
                            "apiVersion": "2020-07-01",
                            "location": "[parameters('subnetLocation')]",
                            "tags": {},
                            "properties": {
                              "subnet": {
                                "id": "[parameters('privateEndpointSubnetId')]"
                              },
                              "privateLinkServiceConnections": [
                                {
                                  "name": "[variables('privateEndpointName')]",
                                  "properties": {
                                    "privateLinkServiceId": "[parameters('serviceId')]",
                                    "groupIds": [
                                      "namespace"
                                    ],
                                    "requestMessage": "autoapprove"
                                  }
                                }
                              ],
                              "manualPrivateLinkServiceConnections": []
                            }
                          }
                        ]
                      },
                      "parameters": {
                        "serviceId": {
                          "value": "[parameters('serviceId')]"
                        },
                        "privateEndpointSubnetId": {
                          "value": "[parameters('privateEndpointSubnetId')]"
                        },
                        "subnetLocation": {
                          "value": "[reference(first(take(split(parameters('privateEndpointSubnetId'),'/subnets'),1)),'2020-07-01','Full').location]"
                        }
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/91678b7c-d721-4fc5-b179-3cdf74e96b1c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "91678b7c-d721-4fc5-b179-3cdf74e96b1c"
}
BuiltIn Event Hub False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7), 'Azure Event Hubs Data Owner' (f526a384-b230-433a-b45c-95f59c4a2dec)
{
  "properties": {
    "displayName": "Configure IoT Hub device provisioning instances to use private DNS zones",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to an IoT Hub device provisioning service instance. Learn more at: https://aka.ms/iotdpsvnet.",
    "metadata": {
      "version": "1.0.0",
      "category": "Internet of Things"
    },
    "parameters": {
      "privateDnsZoneId": {
        "type": "String",
        "metadata": {
          "displayName": "Private DNS Zone ID",
          "description": "Specifies the private DNS zone to use to configure private endpoint",
          "strongType": "Microsoft.Network/privateDnsZones"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/privateEndpoints"
          },
          {
            "count": {
              "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
              "where": {
                "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                "equals": "iotDps"
              }
            },
            "greaterOrEquals": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "privateDnsZoneId": {
                    "type": "string"
                  },
                  "privateEndpointName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
                    "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
                    "apiVersion": "2020-03-01",
                    "location": "[parameters('location')]",
                    "properties": {
                      "privateDnsZoneConfigs": [
                        {
                          "name": "privatelink.azure-devices-provisioning.net",
                          "properties": {
                            "privateDnsZoneId": "[parameters('privateDnsZoneId')]"
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "parameters": {
                "privateDnsZoneId": {
                  "value": "[parameters('privateDnsZoneId')]"
                },
                "privateEndpointName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "aaa64d2d-2fa3-45e5-b332-0b031b9b30e8"
}
BuiltIn Internet of Things False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Configure IoT Hub device provisioning service instances to disable public network access",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disable public network access for your IoT Hub device provisioning instance so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/iotdpsvnet.",
    "metadata": {
      "version": "1.0.0",
      "category": "Internet of Things"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Modify",
          "Disabled"
        ],
        "defaultValue": "Modify"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Devices/provisioningServices"
          },
          {
            "field": "Microsoft.Devices/provisioningServices/publicNetworkAccess",
            "notEquals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "conflictEffect": "audit",
          "operations": [
            {
              "condition": "[greaterOrEquals(requestContext().apiVersion, '2020-03-01')]",
              "operation": "addOrReplace",
              "field": "Microsoft.Devices/provisioningServices/publicNetworkAccess",
              "value": "Disabled"
            }
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/859dfc91-ea35-43a6-8256-31271c363794",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "859dfc91-ea35-43a6-8256-31271c363794"
}
BuiltIn Internet of Things False False n/a n/a Modify false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Configure IoT Hub device provisioning service instances with private endpoints",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to IoT Hub device provisioning service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/iotdpsvnet.",
    "metadata": {
      "version": "1.0.0",
      "category": "Internet of Things"
    },
    "parameters": {
      "privateEndpointSubnetId": {
        "type": "String",
        "metadata": {
          "displayName": "Private endpoint subnet id",
          "description": "A subnet with private endpoint network policies disabled.",
          "strongType": "Microsoft.Network/virtualNetworks/subnets"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Devices/provisioningServices"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Devices/provisioningServices",
          "existenceCondition": {
            "count": {
              "field": "Microsoft.Devices/provisioningServices/privateEndpointConnections[*]",
              "where": {
                "field": "Microsoft.Devices/provisioningServices/privateEndpointConnections[*].privateLinkServiceConnectionState.status",
                "equals": "Approved"
              }
            },
            "greaterOrEquals": 1
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "name": {
                  "value": "[field('name')]"
                },
                "serviceId": {
                  "value": "[field('id')]"
                },
                "privateEndpointSubnetId": {
                  "value": "[parameters('privateEndpointSubnetId')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "name": {
                    "type": "string"
                  },
                  "serviceId": {
                    "type": "string"
                  },
                  "privateEndpointSubnetId": {
                    "type": "string"
                  }
                },
                "variables": {
                  "privateEndpointName": "[concat('pe-',substring(parameters('name'),0,min(length(parameters('name')),50)),'-',uniquestring(deployment().name))]"
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/deployments",
                    "name": "[variables('privateEndpointName')]",
                    "apiVersion": "2020-06-01",
                    "properties": {
                      "mode": "Incremental",
                      "expressionEvaluationOptions": {
                        "scope": "inner"
                      },
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "serviceId": {
                            "type": "string"
                          },
                          "privateEndpointSubnetId": {
                            "type": "string"
                          },
                          "subnetLocation": {
                            "type": "string"
                          }
                        },
                        "variables": {
                          "privateEndpointName": "[deployment().name]"
                        },
                        "resources": [
                          {
                            "name": "[variables('privateEndpointName')]",
                            "type": "Microsoft.Network/privateEndpoints",
                            "apiVersion": "2020-07-01",
                            "location": "[parameters('subnetLocation')]",
                            "tags": {},
                            "properties": {
                              "subnet": {
                                "id": "[parameters('privateEndpointSubnetId')]"
                              },
                              "privateLinkServiceConnections": [
                                {
                                  "name": "[variables('privateEndpointName')]",
                                  "properties": {
                                    "privateLinkServiceId": "[parameters('serviceId')]",
                                    "groupIds": [
                                      "iotDps"
                                    ],
                                    "requestMessage": "autoapprove"
                                  }
                                }
                              ],
                              "manualPrivateLinkServiceConnections": []
                            }
                          }
                        ]
                      },
                      "parameters": {
                        "serviceId": {
                          "value": "[parameters('serviceId')]"
                        },
                        "privateEndpointSubnetId": {
                          "value": "[parameters('privateEndpointSubnetId')]"
                        },
                        "subnetLocation": {
                          "value": "[reference(first(take(split(parameters('privateEndpointSubnetId'),'/subnets'),1)),'2020-07-01','Full').location]"
                        }
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/9b75ea5b-c796-4c99-aaaf-21c204daac43",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "9b75ea5b-c796-4c99-aaaf-21c204daac43"
}
BuiltIn Internet of Things False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Configure Kubernetes clusters with specified GitOps configuration using HTTPS secrets",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires HTTPS user and key secrets stored in Key Vault. For instructions, visit https://aka.ms/K8sGitOpsPolicy.",
    "metadata": {
      "version": "1.0.0",
      "category": "Kubernetes"
    },
    "parameters": {
      "configurationResourceName": {
        "type": "String",
        "metadata": {
          "displayName": "Configuration resource name",
          "description": "The name for the sourceControlConfiguration.  Learn more about setting up GitOps configuration: https://aka.ms/AzureArcK8sUsingGitOps."
        }
      },
      "operatorInstanceName": {
        "type": "String",
        "metadata": {
          "displayName": "Operator instance name",
          "description": "Name used in the operator instances. Maximum of 23 lowercase alphanumeric characters or hyphen. Must start and end with an alphanumeric character."
        }
      },
      "operatorNamespace": {
        "type": "String",
        "metadata": {
          "displayName": "Operator namespace",
          "description": "Namespace within which the operators will be installed. Maximum of 23 lowercase alphanumeric characters or hyphen. Must start and end with an alphanumeric character."
        }
      },
      "operatorScope": {
        "type": "String",
        "metadata": {
          "displayName": "Operator scope",
          "description": "The permission scope for the operator. Possible values are 'cluster' (full access) or 'namespace' (restricted access)."
        },
        "allowedValues": [
          "cluster",
          "namespace"
        ],
        "defaultValue": "namespace"
      },
      "operatorType": {
        "type": "String",
        "metadata": {
          "displayName": "Operator type",
          "description": "The type of operator to install. Currently, 'Flux' is supported."
        },
        "allowedValues": [
          "Flux"
        ],
        "defaultValue": "Flux"
      },
      "operatorParams": {
        "type": "String",
        "metadata": {
          "displayName": "Operator parameters",
          "description": "Parameters to set on the Flux operator, separated by spaces.  For example, --git-readonly --sync-garbage-collection.  Learn more: http://aka.ms/AzureArcK8sFluxOperatorParams."
        },
        "defaultValue": ""
      },
      "repositoryUrl": {
        "type": "String",
        "metadata": {
          "displayName": "Repository Url",
          "description": "The URL for the source control repository. Learn more about URL formats: https://aka.ms/GitOpsRepoUrlParameters"
        }
      },
      "enableHelmOperator": {
        "type": "String",
        "metadata": {
          "displayName": "Enable Helm",
          "description": "Indicate whether to enable Helm for this instance of Flux. Learn more: http://aka.ms/AzureArcK8sGitOpsWithHelm."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "true"
      },
      "chartVersion": {
        "type": "String",
        "metadata": {
          "displayName": "Helm chart version for installing Flux Helm",
          "description": "The version of the Helm chart for installing Flux Helm. For example, 1.2.0"
        },
        "defaultValue": "1.2.0"
      },
      "chartValues": {
        "type": "String",
        "metadata": {
          "displayName": "Helm chart parameters for installing Flux Helm",
          "description": "Parameters for the Helm chart for installing Flux Helm, separated by spaces. For example, --set helm.versions=v3"
        },
        "defaultValue": ""
      },
      "keyVaultResourceId": {
        "type": "String",
        "metadata": {
          "displayName": "Key Vault resource id",
          "description": "The resource id for the Key Vault that holds the SSH or HTTPS secrets. For example: '/subscriptions//resourceGroups//providers/Microsoft.KeyVault/vaults/'",
          "strongType": "Microsoft.KeyVault/vaults",
          "assignPermissions": "true"
        },
        "defaultValue": ""
      },
      "httpsUserKeyVaultSecretName": {
        "type": "String",
        "metadata": {
          "displayName": "HTTPS user name Key Vault secret",
          "description": "The name of the Key Vault secret that holds the base64-encoded HTTPS user name."
        },
        "defaultValue": ""
      },
      "httpsKeyKeyVaultSecretName": {
        "type": "String",
        "metadata": {
          "displayName": "HTTPS key Key Vault secret",
          "description": "The name of the Key Vault secret that holds the base64-encoded HTTPS key."
        },
        "defaultValue": ""
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "deployIfNotExists",
          "auditIfNotExists",
          "disabled"
        ],
        "defaultValue": "deployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "Microsoft.Kubernetes/connectedClusters",
          "Microsoft.ContainerService/managedClusters"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.KubernetesConfiguration/sourceControlConfigurations",
          "name": "[parameters('configurationResourceName')]",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deploymentScope": "ResourceGroup",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.KubernetesConfiguration/sourceControlConfigurations/operatorParams",
                "in": [
                  "[parameters('operatorParams')]",
                  "[concat('--git-readonly ',parameters('operatorParams'))]"
                ]
              },
              {
                "field": "Microsoft.KubernetesConfiguration/sourceControlConfigurations/repositoryUrl",
                "equals": "[parameters('repositoryUrl')]"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.KubernetesConfiguration/sourceControlConfigurations/enableHelmOperator",
                    "equals": "false"
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.KubernetesConfiguration/sourceControlConfigurations/enableHelmOperator",
                        "equals": "true"
                      },
                      {
                        "field": "Microsoft.KubernetesConfiguration/sourceControlConfigurations/helmOperatorProperties.chartVersion",
                        "equals": "[parameters('chartVersion')]"
                      },
                      {
                        "field": "Microsoft.KubernetesConfiguration/sourceControlConfigurations/helmOperatorProperties.chartValues",
                        "equals": "[parameters('chartValues')]"
                      }
                    ]
                  }
                ]
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "configurationResourceName": {
                    "type": "string"
                  },
                  "clusterLocation": {
                    "type": "string"
                  },
                  "clusterName": {
                    "type": "string"
                  },
                  "operatorInstanceName": {
                    "type": "string"
                  },
                  "operatorNamespace": {
                    "type": "string"
                  },
                  "operatorScope": {
                    "type": "string"
                  },
                  "operatorType": {
                    "type": "string"
                  },
                  "operatorParams": {
                    "type": "string"
                  },
                  "repositoryUrl": {
                    "type": "string"
                  },
                  "enableHelmOperator": {
                    "type": "string"
                  },
                  "chartVersion": {
                    "type": "string"
                  },
                  "chartValues": {
                    "type": "string"
                  },
                  "httpsUser": {
                    "type": "securestring"
                  },
                  "httpsKey": {
                    "type": "securestring"
                  },
                  "clusterResourceType": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[contains(toLower(parameters('clusterResourceType')), toLower('connectedclusters'))]",
                    "type": "Microsoft.Kubernetes/connectedClusters/providers/sourceControlConfigurations",
                    "name": "[concat(parameters('clusterName'), '/Microsoft.KubernetesConfiguration/', parameters('configurationResourceName'))]",
                    "apiVersion": "2021-03-01",
                    "properties": {
                      "operatorInstanceName": "[parameters('operatorInstanceName')]",
                      "operatorNamespace": "[parameters('operatorNamespace')]",
                      "operatorScope": "[parameters('operatorScope')]",
                      "operatorType": "[parameters('operatorType')]",
                      "operatorParams": "[parameters('operatorParams')]",
                      "repositoryUrl": "[parameters('repositoryUrl')]",
                      "enableHelmOperator": "[parameters('enableHelmOperator')]",
                      "helmOperatorProperties": {
                        "chartVersion": "[parameters('chartVersion')]",
                        "chartValues": "[parameters('chartValues')]"
                      },
                      "configurationProtectedSettings": {
                        "httpsUser": "[parameters('httpsUser')]",
                        "httpsKey": "[parameters('httpsKey')]"
                      }
                    }
                  },
                  {
                    "condition": "[contains(toLower(parameters('clusterResourceType')), toLower('managedclusters'))]",
                    "type": "Microsoft.ContainerService/managedClusters/providers/sourceControlConfigurations",
                    "name": "[concat(parameters('clusterName'), '/Microsoft.KubernetesConfiguration/', parameters('configurationResourceName'))]",
                    "apiVersion": "2021-03-01",
                    "properties": {
                      "operatorInstanceName": "[parameters('operatorInstanceName')]",
                      "operatorNamespace": "[parameters('operatorNamespace')]",
                      "operatorScope": "[parameters('operatorScope')]",
                      "operatorType": "[parameters('operatorType')]",
                      "operatorParams": "[parameters('operatorParams')]",
                      "repositoryUrl": "[parameters('repositoryUrl')]",
                      "enableHelmOperator": "[parameters('enableHelmOperator')]",
                      "helmOperatorProperties": {
                        "chartVersion": "[parameters('chartVersion')]",
                        "chartValues": "[parameters('chartValues')]"
                      },
                      "configurationProtectedSettings": {
                        "httpsUser": "[parameters('httpsUser')]",
                        "httpsKey": "[parameters('httpsKey')]"
                      }
                    }
                  }
                ]
              },
              "parameters": {
                "clusterLocation": {
                  "value": "[field('location')]"
                },
                "clusterName": {
                  "value": "[field('name')]"
                },
                "configurationResourceName": {
                  "value": "[parameters('configurationResourceName')]"
                },
                "operatorInstanceName": {
                  "value": "[parameters('operatorInstanceName')]"
                },
                "operatorNamespace": {
                  "value": "[parameters('operatorNamespace')]"
                },
                "operatorScope": {
                  "value": "[parameters('operatorScope')]"
                },
                "operatorType": {
                  "value": "[parameters('operatorType')]"
                },
                "operatorParams": {
                  "value": "[parameters('operatorParams')]"
                },
                "repositoryUrl": {
                  "value": "[parameters('repositoryUrl')]"
                },
                "enableHelmOperator": {
                  "value": "[parameters('enableHelmOperator')]"
                },
                "chartVersion": {
                  "value": "[parameters('chartVersion')]"
                },
                "chartValues": {
                  "value": "[parameters('chartValues')]"
                },
                "httpsUser": {
                  "reference": {
                    "keyVault": {
                      "id": "[parameters('keyVaultResourceId')]"
                    },
                    "secretName": "[parameters('httpsUserKeyVaultSecretName')]"
                  }
                },
                "httpsKey": {
                  "reference": {
                    "keyVault": {
                      "id": "[parameters('keyVaultResourceId')]"
                    },
                    "secretName": "[parameters('httpsKeyKeyVaultSecretName')]"
                  }
                },
                "clusterResourceType": {
                  "value": "[field('type')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/a6f560f4-f582-4b67-b123-a37dcd1bf7ea",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "a6f560f4-f582-4b67-b123-a37dcd1bf7ea"
}
BuiltIn Kubernetes False False n/a n/a deployIfNotExists false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Configure Kubernetes clusters with specified GitOps configuration using no secrets",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires no secrets. For instructions, visit https://aka.ms/K8sGitOpsPolicy.",
    "metadata": {
      "version": "1.0.0",
      "category": "Kubernetes"
    },
    "parameters": {
      "configurationResourceName": {
        "type": "String",
        "metadata": {
          "displayName": "Configuration resource name",
          "description": "The name for the sourceControlConfiguration.  Learn more about setting up GitOps configuration: https://aka.ms/AzureArcK8sUsingGitOps."
        }
      },
      "operatorInstanceName": {
        "type": "String",
        "metadata": {
          "displayName": "Operator instance name",
          "description": "Name used in the operator instances. Maximum of 23 lowercase alphanumeric characters or hyphen. Must start and end with an alphanumeric character."
        }
      },
      "operatorNamespace": {
        "type": "String",
        "metadata": {
          "displayName": "Operator namespace",
          "description": "Namespace within which the operators will be installed. Maximum of 23 lowercase alphanumeric characters or hyphen. Must start and end with an alphanumeric character."
        }
      },
      "operatorScope": {
        "type": "String",
        "metadata": {
          "displayName": "Operator scope",
          "description": "The permission scope for the operator. Possible values are 'cluster' (full access) or 'namespace' (restricted access)."
        },
        "allowedValues": [
          "cluster",
          "namespace"
        ],
        "defaultValue": "namespace"
      },
      "operatorType": {
        "type": "String",
        "metadata": {
          "displayName": "Operator type",
          "description": "The type of operator to install. Currently, 'Flux' is supported."
        },
        "allowedValues": [
          "Flux"
        ],
        "defaultValue": "Flux"
      },
      "operatorParams": {
        "type": "String",
        "metadata": {
          "displayName": "Operator parameters",
          "description": "Parameters to set on the Flux operator, separated by spaces.  For example, --git-readonly --sync-garbage-collection.  Learn more: http://aka.ms/AzureArcK8sFluxOperatorParams."
        },
        "defaultValue": ""
      },
      "repositoryUrl": {
        "type": "String",
        "metadata": {
          "displayName": "Repository Url",
          "description": "The URL for the source control repository. Learn more about URL formats: https://aka.ms/GitOpsRepoUrlParameters"
        }
      },
      "enableHelmOperator": {
        "type": "String",
        "metadata": {
          "displayName": "Enable Helm",
          "description": "Indicate whether to enable Helm for this instance of Flux. Learn more: http://aka.ms/AzureArcK8sGitOpsWithHelm."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "true"
      },
      "chartVersion": {
        "type": "String",
        "metadata": {
          "displayName": "Helm chart version for installing Flux Helm",
          "description": "The version of the Helm chart for installing Flux Helm. For example, 1.2.0"
        },
        "defaultValue": "1.2.0"
      },
      "chartValues": {
        "type": "String",
        "metadata": {
          "displayName": "Helm chart parameters for installing Flux Helm",
          "description": "Parameters for the Helm chart for installing Flux Helm, separated by spaces. For example, --set helm.versions=v3"
        },
        "defaultValue": ""
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "deployIfNotExists",
          "auditIfNotExists",
          "disabled"
        ],
        "defaultValue": "deployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "Microsoft.Kubernetes/connectedClusters",
          "Microsoft.ContainerService/managedClusters"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.KubernetesConfiguration/sourceControlConfigurations",
          "name": "[parameters('configurationResourceName')]",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deploymentScope": "ResourceGroup",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.KubernetesConfiguration/sourceControlConfigurations/operatorParams",
                "in": [
                  "[parameters('operatorParams')]",
                  "[concat('--git-readonly ',parameters('operatorParams'))]"
                ]
              },
              {
                "field": "Microsoft.KubernetesConfiguration/sourceControlConfigurations/repositoryUrl",
                "equals": "[parameters('repositoryUrl')]"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.KubernetesConfiguration/sourceControlConfigurations/enableHelmOperator",
                    "equals": "false"
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.KubernetesConfiguration/sourceControlConfigurations/enableHelmOperator",
                        "equals": "true"
                      },
                      {
                        "field": "Microsoft.KubernetesConfiguration/sourceControlConfigurations/helmOperatorProperties.chartVersion",
                        "equals": "[parameters('chartVersion')]"
                      },
                      {
                        "field": "Microsoft.KubernetesConfiguration/sourceControlConfigurations/helmOperatorProperties.chartValues",
                        "equals": "[parameters('chartValues')]"
                      }
                    ]
                  }
                ]
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "configurationResourceName": {
                    "type": "string"
                  },
                  "clusterLocation": {
                    "type": "string"
                  },
                  "clusterName": {
                    "type": "string"
                  },
                  "operatorInstanceName": {
                    "type": "string"
                  },
                  "operatorNamespace": {
                    "type": "string"
                  },
                  "operatorScope": {
                    "type": "string"
                  },
                  "operatorType": {
                    "type": "string"
                  },
                  "operatorParams": {
                    "type": "string"
                  },
                  "repositoryUrl": {
                    "type": "string"
                  },
                  "enableHelmOperator": {
                    "type": "string"
                  },
                  "chartVersion": {
                    "type": "string"
                  },
                  "chartValues": {
                    "type": "string"
                  },
                  "clusterResourceType": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[contains(toLower(parameters('clusterResourceType')), toLower('connectedclusters'))]",
                    "type": "Microsoft.Kubernetes/connectedClusters/providers/sourceControlConfigurations",
                    "name": "[concat(parameters('clusterName'), '/Microsoft.KubernetesConfiguration/', parameters('configurationResourceName'))]",
                    "apiVersion": "2021-03-01",
                    "properties": {
                      "operatorInstanceName": "[parameters('operatorInstanceName')]",
                      "operatorNamespace": "[parameters('operatorNamespace')]",
                      "operatorScope": "[parameters('operatorScope')]",
                      "operatorType": "[parameters('operatorType')]",
                      "operatorParams": "[parameters('operatorParams')]",
                      "repositoryUrl": "[parameters('repositoryUrl')]",
                      "enableHelmOperator": "[parameters('enableHelmOperator')]",
                      "helmOperatorProperties": {
                        "chartVersion": "[parameters('chartVersion')]",
                        "chartValues": "[parameters('chartValues')]"
                      }
                    }
                  },
                  {
                    "condition": "[contains(toLower(parameters('clusterResourceType')), toLower('managedclusters'))]",
                    "type": "Microsoft.ContainerService/managedClusters/providers/sourceControlConfigurations",
                    "name": "[concat(parameters('clusterName'), '/Microsoft.KubernetesConfiguration/', parameters('configurationResourceName'))]",
                    "apiVersion": "2021-03-01",
                    "properties": {
                      "operatorInstanceName": "[parameters('operatorInstanceName')]",
                      "operatorNamespace": "[parameters('operatorNamespace')]",
                      "operatorScope": "[parameters('operatorScope')]",
                      "operatorType": "[parameters('operatorType')]",
                      "operatorParams": "[parameters('operatorParams')]",
                      "repositoryUrl": "[parameters('repositoryUrl')]",
                      "enableHelmOperator": "[parameters('enableHelmOperator')]",
                      "helmOperatorProperties": {
                        "chartVersion": "[parameters('chartVersion')]",
                        "chartValues": "[parameters('chartValues')]"
                      }
                    }
                  }
                ]
              },
              "parameters": {
                "clusterLocation": {
                  "value": "[field('location')]"
                },
                "clusterName": {
                  "value": "[field('name')]"
                },
                "configurationResourceName": {
                  "value": "[parameters('configurationResourceName')]"
                },
                "operatorInstanceName": {
                  "value": "[parameters('operatorInstanceName')]"
                },
                "operatorNamespace": {
                  "value": "[parameters('operatorNamespace')]"
                },
                "operatorScope": {
                  "value": "[parameters('operatorScope')]"
                },
                "operatorType": {
                  "value": "[parameters('operatorType')]"
                },
                "operatorParams": {
                  "value": "[parameters('operatorParams')]"
                },
                "repositoryUrl": {
                  "value": "[parameters('repositoryUrl')]"
                },
                "enableHelmOperator": {
                  "value": "[parameters('enableHelmOperator')]"
                },
                "chartVersion": {
                  "value": "[parameters('chartVersion')]"
                },
                "chartValues": {
                  "value": "[parameters('chartValues')]"
                },
                "clusterResourceType": {
                  "value": "[field('type')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/1d61c4d2-aef2-432b-87fc-7f96b019b7e1",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "1d61c4d2-aef2-432b-87fc-7f96b019b7e1"
}
BuiltIn Kubernetes False False n/a n/a deployIfNotExists false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Configure Kubernetes clusters with specified GitOps configuration using SSH secrets",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires a SSH private key secret in Key Vault. For instructions, visit https://aka.ms/K8sGitOpsPolicy.",
    "metadata": {
      "version": "1.0.0",
      "category": "Kubernetes"
    },
    "parameters": {
      "configurationResourceName": {
        "type": "String",
        "metadata": {
          "displayName": "Configuration resource name",
          "description": "The name for the sourceControlConfiguration.  Learn more about setting up GitOps configuration: https://aka.ms/AzureArcK8sUsingGitOps."
        }
      },
      "operatorInstanceName": {
        "type": "String",
        "metadata": {
          "displayName": "Operator instance name",
          "description": "Name used in the operator instances. Maximum of 23 lowercase alphanumeric characters or hyphen. Must start and end with an alphanumeric character."
        }
      },
      "operatorNamespace": {
        "type": "String",
        "metadata": {
          "displayName": "Operator namespace",
          "description": "Namespace within which the operators will be installed. Maximum of 23 lowercase alphanumeric characters or hyphen. Must start and end with an alphanumeric character."
        }
      },
      "operatorScope": {
        "type": "String",
        "metadata": {
          "displayName": "Operator scope",
          "description": "The permission scope for the operator. Possible values are 'cluster' (full access) or 'namespace' (restricted access)."
        },
        "allowedValues": [
          "cluster",
          "namespace"
        ],
        "defaultValue": "namespace"
      },
      "operatorType": {
        "type": "String",
        "metadata": {
          "displayName": "Operator type",
          "description": "The type of operator to install. Currently, 'Flux' is supported."
        },
        "allowedValues": [
          "Flux"
        ],
        "defaultValue": "Flux"
      },
      "operatorParams": {
        "type": "String",
        "metadata": {
          "displayName": "Operator parameters",
          "description": "Parameters to set on the Flux operator, separated by spaces.  For example, --git-readonly --sync-garbage-collection.  Learn more: http://aka.ms/AzureArcK8sFluxOperatorParams."
        },
        "defaultValue": ""
      },
      "repositoryUrl": {
        "type": "String",
        "metadata": {
          "displayName": "Repository Url",
          "description": "The URL for the source control repository. Learn more about URL formats: https://aka.ms/GitOpsRepoUrlParameters"
        }
      },
      "enableHelmOperator": {
        "type": "String",
        "metadata": {
          "displayName": "Enable Helm",
          "description": "Indicate whether to enable Helm for this instance of Flux. Learn more: http://aka.ms/AzureArcK8sGitOpsWithHelm."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "true"
      },
      "chartVersion": {
        "type": "String",
        "metadata": {
          "displayName": "Helm chart version for installing Flux Helm",
          "description": "The version of the Helm chart for installing Flux Helm. For example, 1.2.0"
        },
        "defaultValue": "1.2.0"
      },
      "chartValues": {
        "type": "String",
        "metadata": {
          "displayName": "Helm chart parameters for installing Flux Helm",
          "description": "Parameters for the Helm chart for installing Flux Helm, separated by spaces. For example, --set helm.versions=v3"
        },
        "defaultValue": ""
      },
      "sshKnownHostsContents": {
        "type": "String",
        "metadata": {
          "displayName": "Base64-encoded known hosts content",
          "description": "The base64-encoded known hosts content."
        },
        "defaultValue": ""
      },
      "keyVaultResourceId": {
        "type": "String",
        "metadata": {
          "displayName": "Key Vault resource id",
          "description": "The resource id for the Key Vault that holds the SSH or HTTPS secrets. For example: '/subscriptions//resourceGroups//providers/Microsoft.KeyVault/vaults/'",
          "strongType": "Microsoft.KeyVault/vaults",
          "assignPermissions": "true"
        },
        "defaultValue": ""
      },
      "sshPrivateKeyKeyVaultSecretName": {
        "type": "String",
        "metadata": {
          "displayName": "SSH private key Key Vault secret",
          "description": "The name of the Key Vault secret that holds the base64-encoded SSH private key."
        },
        "defaultValue": ""
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "deployIfNotExists",
          "auditIfNotExists",
          "disabled"
        ],
        "defaultValue": "deployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "Microsoft.Kubernetes/connectedClusters",
          "Microsoft.ContainerService/managedClusters"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.KubernetesConfiguration/sourceControlConfigurations",
          "name": "[parameters('configurationResourceName')]",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deploymentScope": "ResourceGroup",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.KubernetesConfiguration/sourceControlConfigurations/operatorParams",
                "in": [
                  "[parameters('operatorParams')]",
                  "[concat('--git-readonly ',parameters('operatorParams'))]"
                ]
              },
              {
                "field": "Microsoft.KubernetesConfiguration/sourceControlConfigurations/repositoryUrl",
                "equals": "[parameters('repositoryUrl')]"
              },
              {
                "field": "Microsoft.KubernetesConfiguration/sourceControlConfigurations/sshKnownHostsContents",
                "equals": "[parameters('sshKnownHostsContents')]"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.KubernetesConfiguration/sourceControlConfigurations/enableHelmOperator",
                    "equals": "false"
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.KubernetesConfiguration/sourceControlConfigurations/enableHelmOperator",
                        "equals": "true"
                      },
                      {
                        "field": "Microsoft.KubernetesConfiguration/sourceControlConfigurations/helmOperatorProperties.chartVersion",
                        "equals": "[parameters('chartVersion')]"
                      },
                      {
                        "field": "Microsoft.KubernetesConfiguration/sourceControlConfigurations/helmOperatorProperties.chartValues",
                        "equals": "[parameters('chartValues')]"
                      }
                    ]
                  }
                ]
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "configurationResourceName": {
                    "type": "string"
                  },
                  "clusterLocation": {
                    "type": "string"
                  },
                  "clusterName": {
                    "type": "string"
                  },
                  "operatorInstanceName": {
                    "type": "string"
                  },
                  "operatorNamespace": {
                    "type": "string"
                  },
                  "operatorScope": {
                    "type": "string"
                  },
                  "operatorType": {
                    "type": "string"
                  },
                  "operatorParams": {
                    "type": "string"
                  },
                  "repositoryUrl": {
                    "type": "string"
                  },
                  "enableHelmOperator": {
                    "type": "string"
                  },
                  "chartVersion": {
                    "type": "string"
                  },
                  "chartValues": {
                    "type": "string"
                  },
                  "sshKnownHostsContents": {
                    "type": "string"
                  },
                  "sshPrivateKey": {
                    "type": "securestring"
                  },
                  "clusterResourceType": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[contains(toLower(parameters('clusterResourceType')), toLower('connectedclusters'))]",
                    "type": "Microsoft.Kubernetes/connectedClusters/providers/sourceControlConfigurations",
                    "name": "[concat(parameters('clusterName'), '/Microsoft.KubernetesConfiguration/', parameters('configurationResourceName'))]",
                    "apiVersion": "2021-03-01",
                    "properties": {
                      "operatorInstanceName": "[parameters('operatorInstanceName')]",
                      "operatorNamespace": "[parameters('operatorNamespace')]",
                      "operatorScope": "[parameters('operatorScope')]",
                      "operatorType": "[parameters('operatorType')]",
                      "operatorParams": "[parameters('operatorParams')]",
                      "repositoryUrl": "[parameters('repositoryUrl')]",
                      "enableHelmOperator": "[parameters('enableHelmOperator')]",
                      "helmOperatorProperties": {
                        "chartVersion": "[parameters('chartVersion')]",
                        "chartValues": "[parameters('chartValues')]"
                      },
                      "sshKnownHostsContents": "[parameters('sshKnownHostsContents')]",
                      "configurationProtectedSettings": {
                        "sshPrivateKey": "[parameters('sshPrivateKey')]"
                      }
                    }
                  },
                  {
                    "condition": "[contains(toLower(parameters('clusterResourceType')), toLower('managedclusters'))]",
                    "type": "Microsoft.ContainerService/managedClusters/providers/sourceControlConfigurations",
                    "name": "[concat(parameters('clusterName'), '/Microsoft.KubernetesConfiguration/', parameters('configurationResourceName'))]",
                    "apiVersion": "2021-03-01",
                    "properties": {
                      "operatorInstanceName": "[parameters('operatorInstanceName')]",
                      "operatorNamespace": "[parameters('operatorNamespace')]",
                      "operatorScope": "[parameters('operatorScope')]",
                      "operatorType": "[parameters('operatorType')]",
                      "operatorParams": "[parameters('operatorParams')]",
                      "repositoryUrl": "[parameters('repositoryUrl')]",
                      "enableHelmOperator": "[parameters('enableHelmOperator')]",
                      "helmOperatorProperties": {
                        "chartVersion": "[parameters('chartVersion')]",
                        "chartValues": "[parameters('chartValues')]"
                      },
                      "sshKnownHostsContents": "[parameters('sshKnownHostsContents')]",
                      "configurationProtectedSettings": {
                        "sshPrivateKey": "[parameters('sshPrivateKey')]"
                      }
                    }
                  }
                ]
              },
              "parameters": {
                "clusterLocation": {
                  "value": "[field('location')]"
                },
                "clusterName": {
                  "value": "[field('name')]"
                },
                "configurationResourceName": {
                  "value": "[parameters('configurationResourceName')]"
                },
                "operatorInstanceName": {
                  "value": "[parameters('operatorInstanceName')]"
                },
                "operatorNamespace": {
                  "value": "[parameters('operatorNamespace')]"
                },
                "operatorScope": {
                  "value": "[parameters('operatorScope')]"
                },
                "operatorType": {
                  "value": "[parameters('operatorType')]"
                },
                "operatorParams": {
                  "value": "[parameters('operatorParams')]"
                },
                "repositoryUrl": {
                  "value": "[parameters('repositoryUrl')]"
                },
                "enableHelmOperator": {
                  "value": "[parameters('enableHelmOperator')]"
                },
                "chartVersion": {
                  "value": "[parameters('chartVersion')]"
                },
                "chartValues": {
                  "value": "[parameters('chartValues')]"
                },
                "sshKnownHostsContents": {
                  "value": "[parameters('sshKnownHostsContents')]"
                },
                "sshPrivateKey": {
                  "reference": {
                    "keyVault": {
                      "id": "[parameters('keyVaultResourceId')]"
                    },
                    "secretName": "[parameters('sshPrivateKeyKeyVaultSecretName')]"
                  }
                },
                "clusterResourceType": {
                  "value": "[field('type')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c050047b-b21b-4822-8a2d-c1e37c3c0c6a",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c050047b-b21b-4822-8a2d-c1e37c3c0c6a"
}
BuiltIn Kubernetes False False n/a n/a deployIfNotExists false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Configure Linux virtual machines with Azure Monitor Agent",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploy Azure Monitor Agent for Linux virtual machines if the virtual machine image (OS) and location are in the list defined and the agent is not installed. The list of OS images is updated over time as support is increased.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy."
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "listOfLinuxImageIdToInclude": {
        "type": "Array",
        "metadata": {
          "displayName": "Optional: List of virtual machine images that have supported Linux OS to add to scope",
          "description": "Example values: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'"
        },
        "defaultValue": []
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "location",
            "in": [
              "australiacentral",
              "australiaeast",
              "australiasoutheast",
              "brazilsouth",
              "canadacentral",
              "canadaeast",
              "centralindia",
              "centralus",
              "eastasia",
              "eastus2euap",
              "eastus",
              "eastus2",
              "francecentral",
              "germanywestcentral",
              "japaneast",
              "japanwest",
              "jioindiawest",
              "koreacentral",
              "koreasouth",
              "northcentralus",
              "northeurope",
              "norwayeast",
              "southafricanorth",
              "southcentralus",
              "southeastasia",
              "southindia",
              "switzerlandnorth",
              "uaenorth",
              "uksouth",
              "ukwest",
              "westcentralus",
              "westeurope",
              "westindia",
              "westus",
              "westus2"
            ]
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Compute/imageId",
                "in": "[parameters('listOfLinuxImageIdToInclude')]"
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "RedHat"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "RHEL",
                      "RHEL-SAP-HANA"
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "6.*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "7*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "8*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "SUSE"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "SLES",
                      "SLES-HPC",
                      "SLES-HPC-Priority",
                      "SLES-SAP",
                      "SLES-SAP-BYOS",
                      "SLES-Priority",
                      "SLES-BYOS",
                      "SLES-SAPCAL",
                      "SLES-Standard"
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "15*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Canonical"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "UbuntuServer"
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "14.04*LTS"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "16.04*LTS"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "18.04*LTS"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Canonical"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "0001-com-ubuntu-server-focal"
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "20_04-lts*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Oracle"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Oracle-Linux"
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "6.*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "7.*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "7*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "8*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "OpenLogic"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "CentOS",
                      "Centos-LVM",
                      "CentOS-SRIOV"
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "6.*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "7*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "8*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "cloudera"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "cloudera-centos-os"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "like": "7*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "credativ"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "debian"
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "8"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "9"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Debian"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "debian-10"
                    ]
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "like": "10"
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Compute/virtualMachines/extensions",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
          ],
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/type",
                "equals": "AzureMonitorLinuxAgent"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                "equals": "Microsoft.Azure.Monitor"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",
                "equals": "Succeeded"
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "variables": {
                  "vmExtensionName": "AzureMonitorLinuxAgent",
                  "vmExtensionPublisher": "Microsoft.Azure.Monitor",
                  "vmExtensionType": "AzureMonitorLinuxAgent",
                  "vmExtensionTypeHandlerVersion": "1.5"
                },
                "resources": [
                  {
                    "name": "[concat(parameters('vmName'), '/', variables('vmExtensionName'))]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "apiVersion": "2019-07-01",
                    "properties": {
                      "publisher": "[variables('vmExtensionPublisher')]",
                      "type": "[variables('vmExtensionType')]",
                      "typeHandlerVersion": "[variables('vmExtensionTypeHandlerVersion')]",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    }
                  }
                ]
              },
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/a4034bc6-ae50-406d-bf76-50f4ee5a7811",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "a4034bc6-ae50-406d-bf76-50f4ee5a7811"
}
BuiltIn Monitoring False False n/a n/a DeployIfNotExists false 0 n/a true 2 Configure Azure Monitor Agent to Linux virtual machines and associate to Data Collection Rule (/providers/microsoft.authorization/policysetdefinitions/118f04da-0375-44d1-84e3-0fd9e1849403), [Preview]: Configure machines to automatically install the Azure Monitor and Azure Security agents on virtual machines (/providers/microsoft.authorization/policysetdefinitions/a15f3269-2e10-458c-87a4-d5989e678a73) 'Virtual Machine Contributor' (9980e02c-c2be-4d73-94e8-173b1dc7cf3c)
{
  "properties": {
    "displayName": "Configure Log Analytics agent on Azure Arc enabled Linux servers",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics agent virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs.",
    "metadata": {
      "version": "2.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Specify the Log Analytics workspace the agent should be connected to. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace",
          "assignPermissions": true
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.HybridCompute/machines"
          },
          {
            "field": "Microsoft.HybridCompute/machines/osName",
            "equals": "linux"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.HybridCompute/machines/extensions",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.HybridCompute/machines/extensions/type",
                "equals": "OmsAgentForLinux"
              },
              {
                "field": "Microsoft.HybridCompute/machines/extensions/publisher",
                "equals": "Microsoft.EnterpriseCloud.Monitoring"
              },
              {
                "field": "Microsoft.HybridCompute/machines/extensions/provisioningState",
                "equals": "Succeeded"
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  }
                },
                "variables": {
                  "vmExtensionName": "OMSAgentForLinux",
                  "vmExtensionPublisher": "Microsoft.EnterpriseCloud.Monitoring",
                  "vmExtensionType": "OmsAgentForLinux"
                },
                "resources": [
                  {
                    "name": "[concat(parameters('vmName'), '/', variables('vmExtensionName'))]",
                    "type": "Microsoft.HybridCompute/machines/extensions",
                    "location": "[parameters('location')]",
                    "apiVersion": "2019-12-12",
                    "properties": {
                      "publisher": "[variables('vmExtensionPublisher')]",
                      "type": "[variables('vmExtensionType')]",
                      "settings": {
                        "workspaceId": "[reference(parameters('logAnalytics'), '2015-03-20').customerId]",
                        "stopOnMultipleConnections": "true"
                      },
                      "protectedSettings": {
                        "workspaceKey": "[listKeys(parameters('logAnalytics'), '2015-03-20').primarySharedKey]"
                      }
                    }
                  }
                ],
                "outputs": {
                  "policy": {
                    "type": "string",
                    "value": "[concat('Enabled extension for VM', ': ', parameters('vmName'))]"
                  }
                }
              },
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "9d2b61b4-1d14-4a63-be30-d4498e7ad2cf"
}
BuiltIn Monitoring False False n/a n/a DeployIfNotExists true 1 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-lx-arc-monitoring (Deploy-Linux-Arc-Monitoring) true 1 Enable Azure Monitor for VMs (/providers/microsoft.authorization/policysetdefinitions/55f3eceb-5573-4f18-9695-226972c6d74a) 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Configure Log Analytics agent on Azure Arc enabled Windows servers",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics agent virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs.",
    "metadata": {
      "version": "2.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Specify the Log Analytics workspace the agent should be connected to. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace",
          "assignPermissions": true
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.HybridCompute/machines"
          },
          {
            "field": "Microsoft.HybridCompute/machines/osName",
            "equals": "windows"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.HybridCompute/machines/extensions",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.HybridCompute/machines/extensions/type",
                "equals": "MicrosoftMonitoringAgent"
              },
              {
                "field": "Microsoft.HybridCompute/machines/extensions/publisher",
                "equals": "Microsoft.EnterpriseCloud.Monitoring"
              },
              {
                "field": "Microsoft.HybridCompute/machines/extensions/provisioningState",
                "equals": "Succeeded"
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  }
                },
                "variables": {
                  "vmExtensionName": "MicrosoftMonitoringAgent",
                  "vmExtensionPublisher": "Microsoft.EnterpriseCloud.Monitoring",
                  "vmExtensionType": "MicrosoftMonitoringAgent"
                },
                "resources": [
                  {
                    "name": "[concat(parameters('vmName'), '/', variables('vmExtensionName'))]",
                    "type": "Microsoft.HybridCompute/machines/extensions",
                    "location": "[parameters('location')]",
                    "apiVersion": "2019-12-12",
                    "properties": {
                      "publisher": "[variables('vmExtensionPublisher')]",
                      "type": "[variables('vmExtensionType')]",
                      "settings": {
                        "workspaceId": "[reference(parameters('logAnalytics'), '2015-03-20').customerId]",
                        "stopOnMultipleConnections": "true"
                      },
                      "protectedSettings": {
                        "workspaceKey": "[listKeys(parameters('logAnalytics'), '2015-03-20').primarySharedKey]"
                      }
                    }
                  }
                ],
                "outputs": {
                  "policy": {
                    "type": "string",
                    "value": "[concat('Enabled extension for VM', ': ', parameters('vmName'))]"
                  }
                }
              },
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/69af7d4a-7b18-4044-93a9-2651498ef203",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "69af7d4a-7b18-4044-93a9-2651498ef203"
}
BuiltIn Monitoring False False n/a n/a DeployIfNotExists true 1 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-ws-arc-monitoring (Deploy-Windows-Arc-Monitoring) true 1 Enable Azure Monitor for VMs (/providers/microsoft.authorization/policysetdefinitions/55f3eceb-5573-4f18-9695-226972c6d74a) 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Configure Log Analytics workspace and automation account to centralize logs and monitoring",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploy resource group containing Log Analytics workspace and linked automation account to centralize logs and monitoring. The automation account is a prerequisite for solutions like Updates and Change Tracking.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "rgName": {
        "type": "String",
        "metadata": {
          "displayName": "rgName",
          "description": "Provide name for resource group"
        },
        "defaultValue": "CentralRG"
      },
      "workspaceName": {
        "type": "String",
        "metadata": {
          "displayName": "workspaceName",
          "description": "Provide name for log analytics workspace"
        },
        "defaultValue": "CentralWorkspace"
      },
      "workspaceRegion": {
        "type": "String",
        "metadata": {
          "displayName": "workspaceRegion",
          "description": "Enter Azure region for Log Analytics workspace",
          "strongType": "location"
        }
      },
      "sku": {
        "type": "String",
        "metadata": {
          "displayName": "sku",
          "description": "Select pricing tier. Legacy tiers (Free, Standalone, PerNode, Standard or Premium) are not available to all customers"
        },
        "allowedValues": [
          "pergb2018",
          "Free",
          "Standalone",
          "PerNode",
          "Standard",
          "Premium"
        ],
        "defaultValue": "pergb2018"
      },
      "dataRetention": {
        "type": "String",
        "metadata": {
          "displayName": "dataRetention",
          "description": "Enter the retention period in workspace, can be between 7 to 730 days. Billing is per 30 days at the minimum even when retention is shorter"
        },
        "defaultValue": "30"
      },
      "automationAccountName": {
        "type": "String",
        "metadata": {
          "displayName": "automationAccountName",
          "description": "Provide name for automation account"
        },
        "defaultValue": "CentralAutomationAccount"
      },
      "automationRegion": {
        "type": "String",
        "metadata": {
          "displayName": "automationRegion",
          "description": "Select Azure region for automation account",
          "strongType": "location"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Select DeployIfNotExists to deploy central Log Analytics workspace, Audit or Disable to disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.OperationalInsights/workspaces",
          "name": "[parameters('workspaceName')]",
          "ResourceGroupName": "[parameters('rgName')]",
          "existenceScope": "resourcegroup",
          "deploymentScope": "Subscription",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "location": "West Central US",
            "properties": {
              "mode": "incremental",
              "parameters": {
                "rgName": {
                  "value": "[parameters('rgName')]"
                },
                "workspaceName": {
                  "value": "[parameters('workspaceName')]"
                },
                "workspaceRegion": {
                  "value": "[parameters('workspaceRegion')]"
                },
                "dataRetention": {
                  "value": "[parameters('dataRetention')]"
                },
                "sku": {
                  "value": "[parameters('sku')]"
                },
                "automationAccountName": {
                  "value": "[parameters('automationAccountName')]"
                },
                "automationRegion": {
                  "value": "[parameters('automationRegion')]"
                }
              },
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "rgName": {
                    "type": "String"
                  },
                  "workspaceName": {
                    "type": "String"
                  },
                  "workspaceRegion": {
                    "type": "String"
                  },
                  "dataRetention": {
                    "type": "String"
                  },
                  "sku": {
                    "type": "String"
                  },
                  "automationAccountName": {
                    "type": "String"
                  },
                  "automationRegion": {
                    "type": "String"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Resources/resourceGroups",
                    "apiVersion": "2020-06-01",
                    "name": "[parameters('rgName')]",
                    "location": "[parameters('workspaceRegion')]",
                    "properties": {}
                  },
                  {
                    "type": "Microsoft.Resources/deployments",
                    "apiVersion": "2021-04-01",
                    "name": "log-analytics",
                    "resourceGroup": "[parameters('rgName')]",
                    "dependsOn": [
                      "[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]"
                    ],
                    "properties": {
                      "mode": "Incremental",
                      "template": {
                        "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
                        "contentVersion": "1.0.0.0",
                        "parameters": {},
                        "variables": {},
                        "resources": [
                          {
                            "apiversion": "2015-10-31",
                            "location": "[parameters('AutomationRegion')]",
                            "name": "[parameters('AutomationAccountName')]",
                            "type": "Microsoft.Automation/automationAccounts",
                            "comments": "Automation account for Log Analytics workspace",
                            "properties": {
                              "sku": {
                                "name": "OMS"
                              }
                            }
                          },
                          {
                            "apiVersion": "2020-08-01",
                            "location": "[parameters('workspaceRegion')]",
                            "name": "[parameters('workspaceName')]",
                            "type": "Microsoft.OperationalInsights/workspaces",
                            "properties": {
                              "sku": {
                                "name": "[parameters('sku')]"
                              },
                              "retentionInDays": "[parameters('dataRetention')]",
                              "enableLogAccessUsingOnlyResourcePermissions": true
                            },
                            "resources": [
                              {
                                "name": "Automation",
                                "type": "linkedServices",
                                "apiVersion": "2020-08-01",
                                "properties": {
                                  "resourceId": "[concat(subscription().id, '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.Automation/automationAccounts/', parameters('AutomationAccountName'))]"
                                },
                                "dependsOn": [
                                  "[parameters('workspaceName')]",
                                  "[parameters('AutomationAccountName')]"
                                ]
                              }
                            ]
                          }
                        ],
                        "outputs": {}
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/8e3e61b3-0b32-22d5-4edf-55f87fdb5955",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "8e3e61b3-0b32-22d5-4edf-55f87fdb5955"
}
BuiltIn Monitoring False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Configure Machine Learning computes to disable local authentication methods",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disable location authentication methods so that your Machine Learning computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy.",
    "metadata": {
      "version": "1.0.0",
      "category": "Machine Learning"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Modify",
          "Disabled"
        ],
        "defaultValue": "Modify"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.MachineLearningServices/workspaces/computes"
          },
          {
            "field": "Microsoft.MachineLearningServices/workspaces/computes/disableLocalAuth",
            "notEquals": true
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "conflictEffect": "audit",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "operations": [
            {
              "operation": "addOrReplace",
              "field": "Microsoft.MachineLearningServices/workspaces/computes/disableLocalAuth",
              "value": true
            }
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/a6f9a2d0-cff7-4855-83ad-4cd750666512",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "a6f9a2d0-cff7-4855-83ad-4cd750666512"
}
BuiltIn Machine Learning False False n/a n/a Modify false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Configure managed disks to disable public network access",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disable public network access for your managed disk resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/disksprivatelinksdoc.",
    "metadata": {
      "version": "1.0.0",
      "category": "Compute"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Modify",
          "Disabled"
        ],
        "defaultValue": "Modify"
      },
      "location": {
        "type": "String",
        "metadata": {
          "displayName": "Location",
          "strongType": "location",
          "description": "All disks in this region are validated and disk access resource would be associated with them."
        }
      },
      "diskAccessId": {
        "type": "String",
        "metadata": {
          "displayName": "Resource Id for the DiskAccess in the given location to which the disk resource needs to be linked",
          "strongType": "Microsoft.Compute/diskAccesses",
          "description": "Disk access resources enable exporting managed disks securely via private endpoints. Learn more at: https://aka.ms/disksprivatelinksdoc"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/disks"
          },
          {
            "field": "location",
            "equals": "[parameters('location')]"
          },
          {
            "field": "Microsoft.Compute/disks/networkAccessPolicy",
            "notIn": [
              "AllowPrivate",
              "DenyAll"
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "conflictEffect": "audit",
          "operations": [
            {
              "operation": "addOrReplace",
              "field": "Microsoft.Compute/disks/diskAccessId",
              "value": "[parameters('diskAccessId')]"
            },
            {
              "operation": "addOrReplace",
              "field": "Microsoft.Compute/disks/networkAccessPolicy",
              "value": "AllowPrivate"
            }
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/8426280e-b5be-43d9-979e-653d12a08638",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "8426280e-b5be-43d9-979e-653d12a08638"
}
BuiltIn Compute False False n/a n/a Modify false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Configure network security groups to enable traffic analytics",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Traffic analytics can be enabled for all network security groups hosted in a particular region with the settings provided during policy creation. If it already has Traffic analytics enabled, then policy does not overwrite its settings. Flow Logs are also enabled for the Network security groups that do not have it. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks.",
    "metadata": {
      "version": "1.0.0",
      "category": "Network"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "nsgRegion": {
        "type": "String",
        "metadata": {
          "displayName": "Network security group Region",
          "description": "Configures for network security groups in the selected region only.",
          "strongType": "location"
        }
      },
      "storageId": {
        "type": "String",
        "metadata": {
          "displayName": "Storage Resource ID",
          "description": "Resource ID of the storage account where the flow logs are written. Make sure this storage account is located in the selected network security group Region. The format must be: '/subscriptions/{subscription id}/resourceGroups/{resourceGroup name}/providers/Microsoft.Storage/storageAccounts/{storage account name}",
          "assignPermissions": "true"
        }
      },
      "timeInterval": {
        "type": "String",
        "metadata": {
          "displayName": "Traffic analytics processing interval in minutes",
          "description": "Traffic analytics processes blobs at the selected frequency."
        },
        "allowedValues": [
          "10",
          "60"
        ],
        "defaultValue": "60"
      },
      "workspaceResourceId": {
        "type": "String",
        "metadata": {
          "displayName": "Workspace resource ID",
          "description": "Log Analytics workspace resource id",
          "assignPermissions": "true"
        }
      },
      "workspaceRegion": {
        "type": "String",
        "metadata": {
          "displayName": "Workspace region",
          "description": "Log Analytics workspace region",
          "strongType": "location"
        }
      },
      "workspaceId": {
        "type": "String",
        "metadata": {
          "displayName": "Workspace ID",
          "description": "Log Analytics workspace GUID"
        }
      },
      "networkWatcherRG": {
        "type": "String",
        "metadata": {
          "displayName": "Network Watcher resource group",
          "description": "The Network Watcher regional instance is present in this resource group. The network security group flow logs resources are also created. This will be used only if a deployment is required. By default, it is named 'NetworkWatcherRG'.",
          "strongType": "existingResourceGroups"
        }
      },
      "networkWatcherName": {
        "type": "String",
        "metadata": {
          "displayName": "Network Watcher name",
          "description": "The name of the network watcher under which the flow log resources are created. Make sure it belongs to the same region as the network security group."
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/networkSecurityGroups"
          },
          {
            "field": "location",
            "equals": "[parameters('nsgRegion')]"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/networkWatchers/flowlogs",
          "resourceGroupName": "[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs'))), parameters('networkWatcherRG'), split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[4])]",
          "name": "[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id'))), 'null/null', concat(split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[8], '/', split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[10]))]",
          "existenceCondition": {
            "anyof": [
              {
                "field": "Microsoft.Network/networkWatchers/flowLogs/enabled",
                "equals": "false"
              },
              {
                "allof": [
                  {
                    "field": "Microsoft.Network/networkWatchers/flowLogs/enabled",
                    "equals": "true"
                  },
                  {
                    "field": "Microsoft.Network/networkWatchers/flowLogs/flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled",
                    "equals": "true"
                  },
                  {
                    "field": "Microsoft.Network/networkWatchers/flowLogs/flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.trafficAnalyticsInterval",
                    "in": [
                      "10",
                      "60"
                    ]
                  }
                ]
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "storageId": {
                    "type": "String"
                  },
                  "timeInterval": {
                    "type": "String"
                  },
                  "workspaceId": {
                    "type": "String"
                  },
                  "workspaceRegion": {
                    "type": "String"
                  },
                  "workspaceResourceId": {
                    "type": "String"
                  },
                  "networkWatcherRG": {
                    "type": "String"
                  },
                  "networkWatcherName": {
                    "type": "String"
                  },
                  "flowlogName": {
                    "type": "String"
                  },
                  "location": {
                    "type": "String"
                  },
                  "targetResource": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/deployments",
                    "name": "[concat('flowlogDeployment-', uniqueString(parameters('flowlogName')))]",
                    "apiVersion": "2019-10-01",
                    "resourceGroup": "[parameters('networkWatcherRG')]",
                    "properties": {
                      "mode": "incremental",
                      "parameters": {},
                      "template": {
                        "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {},
                        "resources": [
                          {
                            "type": "Microsoft.Network/networkWatchers/flowLogs",
                            "name": "[concat(parameters('networkWatcherName'), '/', parameters('flowlogName'))]",
                            "apiVersion": "2019-11-01",
                            "location": "[parameters('location')]",
                            "properties": {
                              "targetResourceId": "[parameters('targetResource')]",
                              "storageId": "[parameters('storageId')]",
                              "enabled": "true",
                              "flowAnalyticsConfiguration": {
                                "networkWatcherFlowAnalyticsConfiguration": {
                                  "enabled": true,
                                  "workspaceId": "[parameters('workspaceId')]",
                                  "workspaceRegion": "[parameters('workspaceRegion')]",
                                  "workspaceResourceId": "[parameters('workspaceResourceId')]",
                                  "trafficAnalyticsInterval": "[parameters('timeInterval')]"
                                }
                              },
                              "retentionPolicy": {
                                "days": "0",
                                "enabled": "false"
                              },
                              "format": {
                                "type": "JSON",
                                "version": 2
                              }
                            }
                          }
                        ]
                      }
                    }
                  }
                ]
              },
              "parameters": {
                "storageId": {
                  "value": "[parameters('storageId')]"
                },
                "timeInterval": {
                  "value": "[parameters('timeInterval')]"
                },
                "workspaceId": {
                  "value": "[parameters('workspaceId')]"
                },
                "workspaceRegion": {
                  "value": "[parameters('workspaceRegion')]"
                },
                "workspaceResourceId": {
                  "value": "[parameters('workspaceResourceId')]"
                },
                "networkWatcherRG": {
                  "value": "[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs'))), parameters('networkWatcherRG'), split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[4])]"
                },
                "networkWatcherName": {
                  "value": "[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs'))), parameters('networkWatcherName'), split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[8])]"
                },
                "flowlogName": {
                  "value": "[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs'))), concat(field('name'), '-', resourceGroup().name, '-', 'flowlog'), split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[10])]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "targetResource": {
                  "value": "[concat(resourceGroup().id, '/providers/Microsoft.Network/networkSecurityGroups/', field('name'))]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e920df7f-9a64-4066-9b58-52684c02a091",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e920df7f-9a64-4066-9b58-52684c02a091"
}
BuiltIn Network False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Configure network security groups to use specific workspace for traffic analytics",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "If it already has traffic analytics enabled, then policy will overwrite its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks.",
    "metadata": {
      "version": "1.0.0",
      "category": "Network"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "nsgRegion": {
        "type": "String",
        "metadata": {
          "displayName": "Network security group Region",
          "description": "Configures for network security groups in the selected region only.",
          "strongType": "location"
        }
      },
      "storageId": {
        "type": "String",
        "metadata": {
          "displayName": "Storage Resource ID",
          "description": "Resource ID of the storage account where the flow logs are written. Make sure this storage account is located in the selected network security group region. The format must be: '/subscriptions/{subscription id}/resourceGroups/{resourceGroup name}/providers/Microsoft.Storage/storageAccounts/{storage account name}",
          "assignPermissions": "true"
        }
      },
      "timeInterval": {
        "type": "String",
        "metadata": {
          "displayName": "Traffic analytics processing interval in minutes",
          "description": "Traffic analytics processes blobs at the selected frequency."
        },
        "allowedValues": [
          "10",
          "60"
        ],
        "defaultValue": "60"
      },
      "workspaceResourceId": {
        "type": "String",
        "metadata": {
          "displayName": "Workspace resource ID",
          "description": "Log Analytics workspace resource id",
          "assignPermissions": "true"
        }
      },
      "workspaceRegion": {
        "type": "String",
        "metadata": {
          "displayName": "Workspace region",
          "description": "Log Analytics workspace region",
          "strongType": "location"
        }
      },
      "workspaceId": {
        "type": "String",
        "metadata": {
          "displayName": "Workspace ID",
          "description": "Log Analytics workspace GUID"
        }
      },
      "networkWatcherRG": {
        "type": "String",
        "metadata": {
          "displayName": "Network Watcher resource group",
          "description": "The Network Watcher regional instance is present in this resource group. The network security group flow logs resources are also created. This is used only if a deployment is required. By default, it is named 'NetworkWatcherRG'.",
          "strongType": "existingResourceGroups"
        }
      },
      "networkWatcherName": {
        "type": "String",
        "metadata": {
          "displayName": "Network Watcher name",
          "description": "The name of the network watcher under which the flow log resources are created. Make sure it belongs to the same region as the network security group."
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/networkSecurityGroups"
          },
          {
            "field": "location",
            "equals": "[parameters('nsgRegion')]"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/networkWatchers/flowlogs",
          "resourceGroupName": "[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs'))), parameters('networkWatcherRG'), split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[4])]",
          "name": "[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id'))), 'null/null', concat(split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[8], '/', split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[10]))]",
          "existenceCondition": {
            "anyof": [
              {
                "field": "Microsoft.Network/networkWatchers/flowLogs/enabled",
                "equals": "false"
              },
              {
                "allof": [
                  {
                    "field": "Microsoft.Network/networkWatchers/flowLogs/enabled",
                    "equals": "true"
                  },
                  {
                    "field": "Microsoft.Network/networkWatchers/flowLogs/storageId",
                    "equals": "[parameters('storageId')]"
                  },
                  {
                    "field": "Microsoft.Network/networkWatchers/flowLogs/flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled",
                    "equals": "true"
                  },
                  {
                    "field": "Microsoft.Network/networkWatchers/flowLogs/flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.trafficAnalyticsInterval",
                    "in": [
                      "10",
                      "60"
                    ]
                  },
                  {
                    "field": "Microsoft.Network/networkWatchers/flowLogs/flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.workspaceId",
                    "equals": "[parameters('workspaceId')]"
                  }
                ]
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "storageId": {
                    "type": "String"
                  },
                  "timeInterval": {
                    "type": "String"
                  },
                  "workspaceId": {
                    "type": "String"
                  },
                  "workspaceRegion": {
                    "type": "String"
                  },
                  "workspaceResourceId": {
                    "type": "String"
                  },
                  "networkWatcherRG": {
                    "type": "String"
                  },
                  "networkWatcherName": {
                    "type": "String"
                  },
                  "flowlogName": {
                    "type": "String"
                  },
                  "location": {
                    "type": "String"
                  },
                  "targetResource": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/deployments",
                    "name": "[concat('flowlogDeployment-', uniqueString(parameters('flowlogName')))]",
                    "apiVersion": "2019-10-01",
                    "resourceGroup": "[parameters('networkWatcherRG')]",
                    "properties": {
                      "mode": "incremental",
                      "parameters": {},
                      "template": {
                        "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {},
                        "resources": [
                          {
                            "type": "Microsoft.Network/networkWatchers/flowLogs",
                            "name": "[concat(parameters('networkWatcherName'), '/', parameters('flowlogName'))]",
                            "apiVersion": "2019-11-01",
                            "location": "[parameters('location')]",
                            "properties": {
                              "targetResourceId": "[parameters('targetResource')]",
                              "storageId": "[parameters('storageId')]",
                              "enabled": "true",
                              "flowAnalyticsConfiguration": {
                                "networkWatcherFlowAnalyticsConfiguration": {
                                  "enabled": true,
                                  "workspaceId": "[parameters('workspaceId')]",
                                  "workspaceRegion": "[parameters('workspaceRegion')]",
                                  "workspaceResourceId": "[parameters('workspaceResourceId')]",
                                  "trafficAnalyticsInterval": "[parameters('timeInterval')]"
                                }
                              },
                              "retentionPolicy": {
                                "days": "0",
                                "enabled": "false"
                              },
                              "format": {
                                "type": "JSON",
                                "version": 2
                              }
                            }
                          }
                        ]
                      }
                    }
                  }
                ]
              },
              "parameters": {
                "storageId": {
                  "value": "[parameters('storageId')]"
                },
                "timeInterval": {
                  "value": "[parameters('timeInterval')]"
                },
                "workspaceId": {
                  "value": "[parameters('workspaceId')]"
                },
                "workspaceRegion": {
                  "value": "[parameters('workspaceRegion')]"
                },
                "workspaceResourceId": {
                  "value": "[parameters('workspaceResourceId')]"
                },
                "networkWatcherRG": {
                  "value": "[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs'))), parameters('networkWatcherRG'), split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[4])]"
                },
                "networkWatcherName": {
                  "value": "[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs'))), parameters('networkWatcherName'), split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[8])]"
                },
                "flowlogName": {
                  "value": "[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs'))), concat(field('name'), '-', resourceGroup().name, '-', 'flowlog'), split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[10])]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "targetResource": {
                  "value": "[concat(resourceGroup().id, '/providers/Microsoft.Network/networkSecurityGroups/', field('name'))]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/5e1cd26a-5090-4fdb-9d6a-84a90335e22d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "5e1cd26a-5090-4fdb-9d6a-84a90335e22d"
}
BuiltIn Network False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Configure private DNS zones for private endpoints connected to App Configuration",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve app configuration instances. Learn more at: https://aka.ms/appconfig/private-endpoint.",
    "metadata": {
      "version": "1.0.0",
      "category": "App Configuration"
    },
    "parameters": {
      "privateDnsZoneId": {
        "type": "String",
        "metadata": {
          "displayName": "Private DNS zone",
          "description": "Specifies the private DNS zone to use to configure private endpoint",
          "strongType": "Microsoft.Network/privateDnsZones"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/privateEndpoints"
          },
          {
            "count": {
              "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
              "where": {
                "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                "equals": "configurationStores"
              }
            },
            "greaterOrEquals": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "privateDnsZoneId": {
                  "value": "[parameters('privateDnsZoneId')]"
                },
                "privateEndpointName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "privateDnsZoneId": {
                    "type": "string"
                  },
                  "privateEndpointName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
                    "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
                    "apiVersion": "2020-03-01",
                    "location": "[parameters('location')]",
                    "properties": {
                      "privateDnsZoneConfigs": [
                        {
                          "name": "privatelink-azconfig-io",
                          "properties": {
                            "privateDnsZoneId": "[parameters('privateDnsZoneId')]"
                          }
                        }
                      ]
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "7a860e27-9ca2-4fc6-822d-c2d248c300df"
}
BuiltIn App Configuration False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7)
{
  "properties": {
    "displayName": "Configure private DNS zones for private endpoints that connect to Azure Data Factory",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Private DNS records allow private connections to private endpoints. Private endpoint connections allow secure communication by enabling private connectivity to your Azure Data Factory without a need for public IP addresses at the source or destination. For more information on private endpoints and DNS zones in Azure Data Factory, see https://docs.microsoft.com/azure/data-factory/data-factory-private-link.",
    "metadata": {
      "version": "1.0.0",
      "category": "Data Factory"
    },
    "parameters": {
      "privateDnsZoneId": {
        "type": "String",
        "metadata": {
          "displayName": "Private DNS Zone",
          "strongType": "Microsoft.Network/privateDnsZones",
          "description": "The private DNS zone to deploy in a new private DNS zone group and link to the private endpoint"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "listOfGroupIds": {
        "type": "Array",
        "metadata": {
          "description": "The list of Group Ids that can be specified for Private Endpoints.",
          "displayName": "Allowed Group Ids"
        },
        "allowedValues": [
          "dataFactory",
          "portal"
        ],
        "defaultValue": [
          "dataFactory",
          "portal"
        ]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/privateEndpoints"
          },
          {
            "count": {
              "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
              "where": {
                "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                "in": "[parameters('listOfGroupIds')]"
              }
            },
            "greaterOrEquals": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "privateDnsZoneId": {
                    "type": "string"
                  },
                  "privateEndpointName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
                    "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
                    "apiVersion": "2020-03-01",
                    "location": "[parameters('location')]",
                    "properties": {
                      "privateDnsZoneConfigs": [
                        {
                          "name": "dataFactory-privateDnsZone",
                          "properties": {
                            "privateDnsZoneId": "[parameters('privateDnsZoneId')]"
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "parameters": {
                "privateDnsZoneId": {
                  "value": "[parameters('privateDnsZoneId')]"
                },
                "privateEndpointName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "86cd96e1-1745-420d-94d4-d3f2fe415aa4"
}
BuiltIn Data Factory False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7)
{
  "properties": {
    "displayName": "Configure private endpoint connections on Azure Automation accounts",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Private endpoint connections allow secure communication by enabling private connectivity to Azure Automation accounts without a need for public IP addresses at the source or destination. Learn more about private endpoints in Azure Automation at https://docs.microsoft.com/azure/automation/how-to/private-link-security.",
    "metadata": {
      "version": "1.0.0",
      "category": "Automation"
    },
    "parameters": {
      "privateEndpointSubnetId": {
        "type": "String",
        "metadata": {
          "displayName": "Private endpoint subnet id",
          "description": "A subnet with private endpoint network policies disabled",
          "strongType": "Microsoft.Network/virtualNetworks/subnets"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Automation/automationAccounts"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Automation/automationAccounts/privateEndpointConnections",
          "existenceCondition": {
            "field": "Microsoft.Automation/automationAccounts/privateEndpointConnections/privateLinkServiceConnectionState.status",
            "equals": "Approved"
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7",
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "name": {
                  "value": "[field('name')]"
                },
                "serviceId": {
                  "value": "[field('id')]"
                },
                "privateEndpointSubnetId": {
                  "value": "[parameters('privateEndpointSubnetId')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "name": {
                    "type": "string"
                  },
                  "serviceId": {
                    "type": "string"
                  },
                  "privateEndpointSubnetId": {
                    "type": "string"
                  }
                },
                "variables": {
                  "privateEndpointName": "[concat('pe-',substring(parameters('name'),0,min(length(parameters('name')),50)),'-',uniquestring(deployment().name))]"
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/deployments",
                    "name": "[variables('privateEndpointName')]",
                    "apiVersion": "2020-06-01",
                    "properties": {
                      "mode": "Incremental",
                      "expressionEvaluationOptions": {
                        "scope": "inner"
                      },
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "serviceId": {
                            "type": "string"
                          },
                          "privateEndpointSubnetId": {
                            "type": "string"
                          },
                          "subnetLocation": {
                            "type": "string"
                          }
                        },
                        "variables": {
                          "privateEndpointName": "[deployment().name]"
                        },
                        "resources": [
                          {
                            "name": "[concat(variables('privateEndpointName'),'Webhook')]",
                            "type": "Microsoft.Network/privateEndpoints",
                            "apiVersion": "2020-07-01",
                            "location": "[parameters('subnetLocation')]",
                            "tags": {},
                            "properties": {
                              "subnet": {
                                "id": "[parameters('privateEndpointSubnetId')]"
                              },
                              "privateLinkServiceConnections": [
                                {
                                  "name": "[concat(variables('privateEndpointName'),'Webhook')]",
                                  "properties": {
                                    "privateLinkServiceId": "[parameters('serviceId')]",
                                    "groupIds": [
                                      "Webhook"
                                    ],
                                    "requestMessage": "autoapprove"
                                  }
                                }
                              ],
                              "manualPrivateLinkServiceConnections": []
                            }
                          },
                          {
                            "name": "[concat(variables('privateEndpointName'),'DSCAndHybridWorker')]",
                            "type": "Microsoft.Network/privateEndpoints",
                            "apiVersion": "2020-07-01",
                            "location": "[parameters('subnetLocation')]",
                            "tags": {},
                            "properties": {
                              "subnet": {
                                "id": "[parameters('privateEndpointSubnetId')]"
                              },
                              "privateLinkServiceConnections": [
                                {
                                  "name": "[concat(variables('privateEndpointName'),'DSCAndHybridWorker')]",
                                  "properties": {
                                    "privateLinkServiceId": "[parameters('serviceId')]",
                                    "groupIds": [
                                      "DSCAndHybridWorker"
                                    ],
                                    "requestMessage": "autoapprove"
                                  }
                                }
                              ],
                              "manualPrivateLinkServiceConnections": []
                            }
                          }
                        ]
                      },
                      "parameters": {
                        "serviceId": {
                          "value": "[parameters('serviceId')]"
                        },
                        "privateEndpointSubnetId": {
                          "value": "[parameters('privateEndpointSubnetId')]"
                        },
                        "subnetLocation": {
                          "value": "[reference(first(take(split(parameters('privateEndpointSubnetId'),'/subnets'),1)),'2020-07-01','Full').location]"
                        }
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c0c3130e-7dda-4187-aed0-ee4a472eaa60",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c0c3130e-7dda-4187-aed0-ee4a472eaa60"
}
BuiltIn Automation False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7), 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Configure private endpoints for App Configuration",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your app configuration instances, data leakage risks are reduced. Learn more at: https://aka.ms/appconfig/private-endpoint.",
    "metadata": {
      "version": "1.0.0",
      "category": "App Configuration"
    },
    "parameters": {
      "privateEndpointSubnetId": {
        "type": "String",
        "metadata": {
          "displayName": "Private endpoint subnet id",
          "description": "A subnet with private endpoint network policies disabled.",
          "strongType": "Microsoft.Network/virtualNetworks/subnets"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.AppConfiguration/configurationStores"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.AppConfiguration/configurationStores/privateEndpointConnections",
          "existenceCondition": {
            "field": "Microsoft.AppConfiguration/configurationStores/privateEndpointConnections/privateLinkServiceConnectionState.status",
            "equals": "Approved"
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "name": {
                  "value": "[field('name')]"
                },
                "serviceId": {
                  "value": "[field('id')]"
                },
                "privateEndpointSubnetId": {
                  "value": "[parameters('privateEndpointSubnetId')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "name": {
                    "type": "string"
                  },
                  "serviceId": {
                    "type": "string"
                  },
                  "privateEndpointSubnetId": {
                    "type": "string"
                  }
                },
                "variables": {
                  "privateEndpointName": "[concat('pe-',substring(parameters('name'),0,min(length(parameters('name')),50)),'-',uniquestring(deployment().name))]"
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/deployments",
                    "name": "[variables('privateEndpointName')]",
                    "apiVersion": "2020-06-01",
                    "properties": {
                      "mode": "Incremental",
                      "expressionEvaluationOptions": {
                        "scope": "inner"
                      },
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "serviceId": {
                            "type": "string"
                          },
                          "privateEndpointSubnetId": {
                            "type": "string"
                          },
                          "subnetLocation": {
                            "type": "string"
                          }
                        },
                        "variables": {
                          "privateEndpointName": "[deployment().name]"
                        },
                        "resources": [
                          {
                            "name": "[variables('privateEndpointName')]",
                            "type": "Microsoft.Network/privateEndpoints",
                            "apiVersion": "2020-07-01",
                            "location": "[parameters('subnetLocation')]",
                            "tags": {},
                            "properties": {
                              "subnet": {
                                "id": "[parameters('privateEndpointSubnetId')]"
                              },
                              "privateLinkServiceConnections": [
                                {
                                  "name": "[variables('privateEndpointName')]",
                                  "properties": {
                                    "privateLinkServiceId": "[parameters('serviceId')]",
                                    "groupIds": [
                                      "configurationStores"
                                    ],
                                    "requestMessage": "autoapprove"
                                  }
                                }
                              ],
                              "manualPrivateLinkServiceConnections": []
                            }
                          }
                        ]
                      },
                      "parameters": {
                        "serviceId": {
                          "value": "[parameters('serviceId')]"
                        },
                        "privateEndpointSubnetId": {
                          "value": "[parameters('privateEndpointSubnetId')]"
                        },
                        "subnetLocation": {
                          "value": "[reference(first(take(split(parameters('privateEndpointSubnetId'),'/subnets'),1)),'2020-07-01','Full').location]"
                        }
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/614ffa75-862c-456e-ad8b-eaa1b0844b07",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "614ffa75-862c-456e-ad8b-eaa1b0844b07"
}
BuiltIn App Configuration False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Configure private endpoints for Data factories",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination.  By mapping private endpoints to your Azure Data Factory, you can reduce data leakage risks.  Learn more at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link.",
    "metadata": {
      "version": "1.0.0",
      "category": "Data Factory"
    },
    "parameters": {
      "privateEndpointSubnetId": {
        "type": "String",
        "metadata": {
          "displayName": "Private endpoint subnet ID",
          "description": "A subnet with private endpoint network policies disabled.",
          "strongType": "Microsoft.Network/virtualNetworks/subnets"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "groupId": {
        "type": "String",
        "metadata": {
          "description": "The group Id that can be specified for Private Endpoints.",
          "displayName": "Allowed group Id"
        },
        "allowedValues": [
          "dataFactory",
          "portal"
        ],
        "defaultValue": "dataFactory"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.DataFactory/factories"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.DataFactory/factories/privateEndpointConnections",
          "existenceCondition": {
            "field": "Microsoft.DataFactory/factories/privateEndpointConnections/privateLinkServiceConnectionState.status",
            "equals": "Approved"
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "name": {
                  "value": "[field('name')]"
                },
                "serviceId": {
                  "value": "[field('id')]"
                },
                "privateEndpointSubnetId": {
                  "value": "[parameters('privateEndpointSubnetId')]"
                },
                "groupId": {
                  "value": "[parameters('groupId')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "name": {
                    "type": "string"
                  },
                  "serviceId": {
                    "type": "string"
                  },
                  "privateEndpointSubnetId": {
                    "type": "string"
                  },
                  "groupId": {
                    "type": "string"
                  }
                },
                "variables": {
                  "privateEndpointName": "[concat('pe-',substring(parameters('name'),0,min(length(parameters('name')),50)),'-',uniquestring(deployment().name))]"
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/deployments",
                    "name": "[variables('privateEndpointName')]",
                    "apiVersion": "2020-06-01",
                    "properties": {
                      "mode": "Incremental",
                      "expressionEvaluationOptions": {
                        "scope": "inner"
                      },
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "serviceId": {
                            "type": "string"
                          },
                          "privateEndpointSubnetId": {
                            "type": "string"
                          },
                          "subnetLocation": {
                            "type": "string"
                          },
                          "groupId": {
                            "type": "string"
                          }
                        },
                        "variables": {
                          "privateEndpointName": "[deployment().name]"
                        },
                        "resources": [
                          {
                            "name": "[variables('privateEndpointName')]",
                            "type": "Microsoft.Network/privateEndpoints",
                            "apiVersion": "2020-07-01",
                            "location": "[parameters('subnetLocation')]",
                            "tags": {},
                            "properties": {
                              "subnet": {
                                "id": "[parameters('privateEndpointSubnetId')]"
                              },
                              "privateLinkServiceConnections": [
                                {
                                  "name": "[variables('privateEndpointName')]",
                                  "properties": {
                                    "privateLinkServiceId": "[parameters('serviceId')]",
                                    "groupId": [
                                      "[parameters('groupId')]"
                                    ],
                                    "requestMessage": "autoapprove"
                                  }
                                }
                              ],
                              "manualPrivateLinkServiceConnections": []
                            }
                          }
                        ]
                      },
                      "parameters": {
                        "serviceId": {
                          "value": "[parameters('serviceId')]"
                        },
                        "privateEndpointSubnetId": {
                          "value": "[parameters('privateEndpointSubnetId')]"
                        },
                        "subnetLocation": {
                          "value": "[reference(first(take(split(parameters('privateEndpointSubnetId'),'/subnets'),1)),'2020-07-01','Full').location]"
                        },
                        "groupId": {
                          "value": "[parameters('groupId')]"
                        }
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/496ca26b-f669-4322-a1ad-06b7b5e41882",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "496ca26b-f669-4322-a1ad-06b7b5e41882"
}
BuiltIn Data Factory False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Data Factory Contributor' (673868aa-7521-48a0-acc6-0f60742d39f5)
{
  "properties": {
    "displayName": "Configure private endpoints to Azure SignalR Service",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure SignalR Service resources, you can reduce data leakage risks. Learn more at https://aka.ms/asrs/privatelink.",
    "metadata": {
      "version": "1.0.0",
      "category": "SignalR"
    },
    "parameters": {
      "privateEndpointSubnetId": {
        "type": "String",
        "metadata": {
          "displayName": "Private Endpoint Subnet ID",
          "description": "A subnet with private endpoint network policies disabled.",
          "strongType": "Microsoft.Network/virtualNetworks/subnets"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.SignalRService/SignalR"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.SignalRService/SignalR/privateEndpointConnections",
          "existenceCondition": {
            "field": "Microsoft.SignalRService/SignalR/privateEndpointConnections/privateLinkServiceConnectionState.status",
            "equals": "Approved"
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7",
            "/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "name": {
                  "value": "[field('name')]"
                },
                "serviceId": {
                  "value": "[field('id')]"
                },
                "privateEndpointSubnetId": {
                  "value": "[parameters('privateEndpointSubnetId')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "name": {
                    "type": "string"
                  },
                  "serviceId": {
                    "type": "string"
                  },
                  "privateEndpointSubnetId": {
                    "type": "string"
                  }
                },
                "variables": {
                  "privateEndpointName": "[concat('pe-',substring(parameters('name'),0,min(length(parameters('name')),50)),'-',uniquestring(deployment().name))]"
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/deployments",
                    "name": "[variables('privateEndpointName')]",
                    "apiVersion": "2020-06-01",
                    "properties": {
                      "mode": "Incremental",
                      "expressionEvaluationOptions": {
                        "scope": "inner"
                      },
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "serviceId": {
                            "type": "string"
                          },
                          "privateEndpointSubnetId": {
                            "type": "string"
                          },
                          "subnetLocation": {
                            "type": "string"
                          }
                        },
                        "variables": {
                          "privateEndpointName": "[deployment().name]"
                        },
                        "resources": [
                          {
                            "name": "[variables('privateEndpointName')]",
                            "type": "Microsoft.Network/privateEndpoints",
                            "apiVersion": "2020-07-01",
                            "location": "[parameters('subnetLocation')]",
                            "tags": {},
                            "properties": {
                              "subnet": {
                                "id": "[parameters('privateEndpointSubnetId')]"
                              },
                              "privateLinkServiceConnections": [
                                {
                                  "name": "[variables('privateEndpointName')]",
                                  "properties": {
                                    "privateLinkServiceId": "[parameters('serviceId')]",
                                    "groupIds": [
                                      "signalr"
                                    ],
                                    "requestMessage": "autoapprove"
                                  }
                                }
                              ],
                              "manualPrivateLinkServiceConnections": []
                            }
                          }
                        ]
                      },
                      "parameters": {
                        "serviceId": {
                          "value": "[parameters('serviceId')]"
                        },
                        "privateEndpointSubnetId": {
                          "value": "[parameters('privateEndpointSubnetId')]"
                        },
                        "subnetLocation": {
                          "value": "[reference(first(take(split(parameters('privateEndpointSubnetId'),'/subnets'),1)),'2020-07-01','Full').location]"
                        }
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/ef45854f-b33f-49a3-8041-9057e915d88f",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ef45854f-b33f-49a3-8041-9057e915d88f"
}
BuiltIn SignalR False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7), 'SignalR Contributor' (8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761)
{
  "properties": {
    "displayName": "Configure Service Bus namespaces to use private DNS zones",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Service Bus namespaces. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service.",
    "metadata": {
      "version": "1.0.0",
      "category": "Service Bus"
    },
    "parameters": {
      "privateDnsZoneId": {
        "type": "String",
        "metadata": {
          "displayName": "Private DNS Zone ID",
          "description": "Specifies the private DNS zone to use to configure private endpoint",
          "strongType": "Microsoft.Network/privateDnsZones"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/privateEndpoints"
          },
          {
            "count": {
              "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
              "where": {
                "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                "equals": "namespace"
              }
            },
            "greaterOrEquals": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "privateDnsZoneId": {
                    "type": "string"
                  },
                  "privateEndpointName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
                    "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
                    "apiVersion": "2020-03-01",
                    "location": "[parameters('location')]",
                    "properties": {
                      "privateDnsZoneConfigs": [
                        {
                          "name": "namespace-privateDnsZone",
                          "properties": {
                            "privateDnsZoneId": "[parameters('privateDnsZoneId')]"
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "parameters": {
                "privateDnsZoneId": {
                  "value": "[parameters('privateDnsZoneId')]"
                },
                "privateEndpointName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "f0fcf93c-c063-4071-9668-c47474bd3564"
}
BuiltIn Service Bus False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7)
{
  "properties": {
    "displayName": "Configure Service Bus namespaces with private endpoints",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Service Bus namespaces, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service.",
    "metadata": {
      "version": "1.0.0",
      "category": "Service Bus"
    },
    "parameters": {
      "privateEndpointSubnetId": {
        "type": "String",
        "metadata": {
          "displayName": "Private endpoint subnet id",
          "description": "Specifies the subnet to use to configure private endpoint",
          "strongType": "Microsoft.Network/virtualNetworks/subnets"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ServiceBus/namespaces"
          },
          {
            "field": "Microsoft.ServiceBus/namespaces/sku.tier",
            "equals": "Premium"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.ServiceBus/namespaces/privateEndpointConnections",
          "existenceCondition": {
            "field": "Microsoft.ServiceBus/namespaces/privateEndpointConnections/privateLinkServiceConnectionState.status",
            "equals": "Approved"
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7",
            "/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "name": {
                  "value": "[field('name')]"
                },
                "serviceId": {
                  "value": "[field('id')]"
                },
                "privateEndpointSubnetId": {
                  "value": "[parameters('privateEndpointSubnetId')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "name": {
                    "type": "string"
                  },
                  "serviceId": {
                    "type": "string"
                  },
                  "privateEndpointSubnetId": {
                    "type": "string"
                  }
                },
                "variables": {
                  "privateEndpointName": "[concat('pe-',substring(parameters('name'),0,min(length(parameters('name')),50)),'-',uniquestring(deployment().name))]"
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/deployments",
                    "name": "[variables('privateEndpointName')]",
                    "apiVersion": "2020-06-01",
                    "properties": {
                      "mode": "Incremental",
                      "expressionEvaluationOptions": {
                        "scope": "inner"
                      },
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "serviceId": {
                            "type": "string"
                          },
                          "privateEndpointSubnetId": {
                            "type": "string"
                          },
                          "subnetLocation": {
                            "type": "string"
                          }
                        },
                        "variables": {
                          "privateEndpointName": "[deployment().name]"
                        },
                        "resources": [
                          {
                            "name": "[variables('privateEndpointName')]",
                            "type": "Microsoft.Network/privateEndpoints",
                            "apiVersion": "2020-07-01",
                            "location": "[parameters('subnetLocation')]",
                            "tags": {},
                            "properties": {
                              "subnet": {
                                "id": "[parameters('privateEndpointSubnetId')]"
                              },
                              "privateLinkServiceConnections": [
                                {
                                  "name": "[variables('privateEndpointName')]",
                                  "properties": {
                                    "privateLinkServiceId": "[parameters('serviceId')]",
                                    "groupIds": [
                                      "namespace"
                                    ],
                                    "requestMessage": "autoapprove"
                                  }
                                }
                              ],
                              "manualPrivateLinkServiceConnections": []
                            }
                          }
                        ]
                      },
                      "parameters": {
                        "serviceId": {
                          "value": "[parameters('serviceId')]"
                        },
                        "privateEndpointSubnetId": {
                          "value": "[parameters('privateEndpointSubnetId')]"
                        },
                        "subnetLocation": {
                          "value": "[reference(first(take(split(parameters('privateEndpointSubnetId'),'/subnets'),1)),'2020-07-01','Full').location]"
                        }
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/7d890f7f-100c-473d-baa1-2777e2266535",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "7d890f7f-100c-473d-baa1-2777e2266535"
}
BuiltIn Service Bus False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7), 'Azure Service Bus Data Owner' (090c5cfd-751d-490a-894a-3ce6f1109419)
{
  "properties": {
    "displayName": "Configure SQL installed Azure Arc machines to have Arc enabled SQL Server extension enabled.",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": " To ensure SQL Server - Azure Arc resources gets created by default when SQL instance found on Azure Arc enabled windows server, Arc machine should have SQL Server extension enabled. For more information- please visit- https://docs.microsoft.com/en-us/sql/sql-server/azure-arc/overview?view=sql-server-ver15",
    "metadata": {
      "version": "1.0.0",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.HybridCompute/machines"
          },
          {
            "field": "Microsoft.HybridCompute/imageOffer",
            "like": "windows*"
          },
          {
            "field": "Microsoft.HybridCompute/machines/mssqlDiscovered",
            "equals": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.HybridCompute/machines/extensions",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.HybridCompute/machines/extensions/type",
                "equals": "WindowsAgent.SqlServer"
              },
              {
                "field": "Microsoft.HybridCompute/machines/extensions/publisher",
                "equals": "Microsoft.AzureData"
              },
              {
                "field": "Microsoft.HybridCompute/machines/extensions/provisioningState",
                "equals": "Succeeded"
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "variables": {
                  "vmExtensionName": "WindowsAgent.SqlServer",
                  "vmExtensionPublisher": "Microsoft.AzureData",
                  "vmExtensionType": "WindowsAgent.SqlServer"
                },
                "resources": [
                  {
                    "name": "[concat(parameters('vmName'), '/', variables('vmExtensionName'))]",
                    "type": "Microsoft.HybridCompute/machines/extensions",
                    "location": "[parameters('location')]",
                    "apiVersion": "2019-12-12",
                    "properties": {
                      "publisher": "[variables('vmExtensionPublisher')]",
                      "type": "[variables('vmExtensionType')]",
                      "settings": {
                        "SqlManagement": {
                          "IsEnabled": true
                        },
                        "ExcludedInstances": []
                      }
                    }
                  }
                ],
                "outputs": {
                  "policy": {
                    "type": "string",
                    "value": "[concat('Enabled extension for VM', ': ', parameters('vmName'))]"
                  }
                }
              },
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/fd2d1a6e-6d95-4df2-ad00-504bf0273406",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "fd2d1a6e-6d95-4df2-ad00-504bf0273406"
}
BuiltIn SQL False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Configure SQL servers to have auditing enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "To ensure the operations performed against your SQL assets are captured, SQL servers should have auditing enabled. This is sometimes required for compliance with regulatory standards.",
    "metadata": {
      "version": "2.0.0",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "retentionDays": {
        "type": "String",
        "metadata": {
          "description": "The value in days of the retention period (0 indicates unlimited retention)",
          "displayName": "Retention days (optional, 180 days if unspecified)"
        },
        "defaultValue": "180"
      },
      "storageAccountsResourceGroup": {
        "type": "String",
        "metadata": {
          "displayName": "Resource group name for storage accounts",
          "description": "Auditing writes database events to an audit log in your Azure Storage account (a storage account will be created in each region where a SQL Server is created that will be shared by all servers in that region). Important - for proper operation of Auditing do not delete or rename the resource group or the storage accounts.",
          "strongType": "existingResourceGroups"
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Sql/servers"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Sql/servers/auditingSettings",
          "name": "Default",
          "existenceCondition": {
            "field": "Microsoft.Sql/auditingSettings.state",
            "equals": "Enabled"
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3",
            "/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "serverName": {
                    "type": "string"
                  },
                  "auditRetentionDays": {
                    "type": "string"
                  },
                  "storageAccountsResourceGroup": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "variables": {
                  "retentionDays": "[int(parameters('auditRetentionDays'))]",
                  "subscriptionId": "[subscription().subscriptionId]",
                  "uniqueStorage": "[uniqueString(variables('subscriptionId'), parameters('location'), parameters('storageAccountsResourceGroup'))]",
                  "locationCode": "[substring(parameters('location'), 0, 3)]",
                  "storageName": "[tolower(concat('sqlaudit', variables('locationCode'), variables('uniqueStorage')))]",
                  "createStorageAccountDeploymentName": "[concat('sqlServerAuditingStorageAccount-', uniqueString(variables('locationCode'), parameters('serverName')))]"
                },
                "resources": [
                  {
                    "apiVersion": "2017-05-10",
                    "name": "[variables('createStorageAccountDeploymentName')]",
                    "type": "Microsoft.Resources/deployments",
                    "resourceGroup": "[parameters('storageAccountsResourceGroup')]",
                    "properties": {
                      "mode": "Incremental",
                      "expressionEvaluationOptions": {
                        "scope": "inner"
                      },
                      "parameters": {
                        "location": {
                          "value": "[parameters('location')]"
                        },
                        "storageName": {
                          "value": "[variables('storageName')]"
                        }
                      },
                      "template": {
                        "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "location": {
                            "type": "string"
                          },
                          "storageName": {
                            "type": "string"
                          }
                        },
                        "resources": [
                          {
                            "type": "Microsoft.Storage/storageAccounts",
                            "apiVersion": "2021-04-01",
                            "name": "[parameters('storageName')]",
                            "location": "[parameters('location')]",
                            "sku": {
                              "name": "Standard_LRS"
                            },
                            "kind": "BlobStorage",
                            "tags": {
                              "createdBy": "Azure Policy - Configure SQL servers to have auditing enabled"
                            },
                            "properties": {
                              "accessTier": "Hot",
                              "supportsHttpsTrafficOnly": true,
                              "allowBlobPublicAccess": false
                            }
                          }
                        ],
                        "outputs": {
                          "storageAccountEndPoint": {
                            "type": "string",
                            "value": "[reference(parameters('storageName')).primaryEndpoints.blob]"
                          }
                        }
                      }
                    }
                  },
                  {
                    "name": "[concat(parameters('serverName'), '/Default')]",
                    "type": "Microsoft.Sql/servers/auditingSettings",
                    "apiVersion": "2017-03-01-preview",
                    "dependsOn": [
                      "[resourceId('Microsoft.Resources/deployments/', variables('createStorageAccountDeploymentName'))]"
                    ],
                    "properties": {
                      "state": "Enabled",
                      "storageEndpoint": "[reference(variables('createStorageAccountDeploymentName')).outputs.storageAccountEndPoint.value]",
                      "storageAccountAccessKey": "[listKeys(resourceId(parameters('storageAccountsResourceGroup'), 'Microsoft.Storage/storageAccounts', variables('storageName')), '2017-06-01').keys[0].value]",
                      "retentionDays": "[variables('retentionDays')]",
                      "storageAccountSubscriptionId": "[subscription().subscriptionId]",
                      "isStorageSecondaryKeyInUse": false
                    }
                  }
                ]
              },
              "parameters": {
                "serverName": {
                  "value": "[field('name')]"
                },
                "auditRetentionDays": {
                  "value": "[parameters('retentionDays')]"
                },
                "storageAccountsResourceGroup": {
                  "value": "[parameters('storageAccountsResourceGroup')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/f4c68484-132f-41f9-9b6d-3e4b1cb55036",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "f4c68484-132f-41f9-9b6d-3e4b1cb55036"
}
BuiltIn SQL False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'SQL Security Manager' (056cd41c-7e88-42e1-933e-88ba6a50c9c3), 'Storage Account Contributor' (17d1049b-9a84-46fb-8f53-869881c3d3ab)
{
  "properties": {
    "displayName": "Configure Storage account to use a private link connection",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your storage account, you can reduce data leakage risks. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",
    "metadata": {
      "version": "1.0.0",
      "category": "Storage"
    },
    "parameters": {
      "privateEndpointSubnetId": {
        "type": "String",
        "metadata": {
          "displayName": "Private endpoint subnet id",
          "description": "The subnetId that private endpoint connections should link to",
          "strongType": "Microsoft.Network/virtualNetworks/subnets"
        }
      },
      "targetSubResource": {
        "type": "String",
        "metadata": {
          "displayName": "Target sub-resource",
          "description": "Type of sub-resource for the resource selected above, that your private endpoint will be able to access"
        },
        "allowedValues": [
          "blob",
          "blob_secondary",
          "table",
          "table_secondary",
          "queue",
          "queue_secondary",
          "file",
          "web",
          "web_secondary",
          "dfs",
          "dfs_secondary"
        ],
        "defaultValue": "blob"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "field": "kind",
            "in": [
              "StorageV2",
              "BlobStorage",
              "BlockBlobStorage",
              "FileStorage"
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Storage/storageAccounts/privateEndpointConnections",
          "existenceCondition": {
            "field": "Microsoft.Storage/storageAccounts/privateEndpointConnections/privateLinkServiceConnectionState.status",
            "equals": "Approved"
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7",
            "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "name": {
                  "value": "[field('name')]"
                },
                "serviceId": {
                  "value": "[field('id')]"
                },
                "privateEndpointSubnetId": {
                  "value": "[parameters('privateEndpointSubnetId')]"
                },
                "targetSubResource": {
                  "value": "[parameters('targetSubResource')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "name": {
                    "type": "string"
                  },
                  "serviceId": {
                    "type": "string"
                  },
                  "privateEndpointSubnetId": {
                    "type": "string"
                  },
                  "targetSubResource": {
                    "type": "string"
                  }
                },
                "variables": {
                  "privateEndpointName": "[concat('pe-',substring(parameters('name'),0,min(length(parameters('name')),50)),'-',uniquestring(deployment().name))]"
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/deployments",
                    "name": "[variables('privateEndpointName')]",
                    "apiVersion": "2020-06-01",
                    "properties": {
                      "mode": "Incremental",
                      "expressionEvaluationOptions": {
                        "scope": "inner"
                      },
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "serviceId": {
                            "type": "string"
                          },
                          "privateEndpointSubnetId": {
                            "type": "string"
                          },
                          "targetSubResource": {
                            "type": "string"
                          },
                          "subnetLocation": {
                            "type": "string"
                          }
                        },
                        "variables": {
                          "privateEndpointName": "[deployment().name]"
                        },
                        "resources": [
                          {
                            "name": "[variables('privateEndpointName')]",
                            "type": "Microsoft.Network/privateEndpoints",
                            "apiVersion": "2020-07-01",
                            "location": "[parameters('subnetLocation')]",
                            "tags": {},
                            "properties": {
                              "subnet": {
                                "id": "[parameters('privateEndpointSubnetId')]"
                              },
                              "privateLinkServiceConnections": [
                                {
                                  "name": "[variables('privateEndpointName')]",
                                  "properties": {
                                    "privateLinkServiceId": "[parameters('serviceId')]",
                                    "groupIds": "[array(parameters('targetSubResource'))]",
                                    "requestMessage": "autoapprove"
                                  }
                                }
                              ],
                              "manualPrivateLinkServiceConnections": []
                            }
                          }
                        ]
                      },
                      "parameters": {
                        "serviceId": {
                          "value": "[parameters('serviceId')]"
                        },
                        "privateEndpointSubnetId": {
                          "value": "[parameters('privateEndpointSubnetId')]"
                        },
                        "targetSubResource": {
                          "value": "[parameters('targetSubResource')]"
                        },
                        "subnetLocation": {
                          "value": "[reference(first(take(split(parameters('privateEndpointSubnetId'),'/subnets'),1)),'2020-07-01','Full').location]"
                        }
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/9f766f00-8d11-464e-80e1-4091d7874074",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "9f766f00-8d11-464e-80e1-4091d7874074"
}
BuiltIn Storage False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7), 'Storage Account Contributor' (17d1049b-9a84-46fb-8f53-869881c3d3ab)
{
  "properties": {
    "displayName": "Configure Synapse workspaces to have auditing enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "To ensure the operations performed against your SQL assets are captured, Synapse workspaces should have auditing enabled. This is sometimes required for compliance with regulatory standards.",
    "metadata": {
      "version": "1.1.0",
      "category": "Synapse"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "retentionDays": {
        "type": "Integer",
        "metadata": {
          "description": "The value in days of the retention period (0 indicates unlimited retention)",
          "displayName": "Retention days (optional, 180 days if unspecified)"
        },
        "defaultValue": 180
      },
      "storageAccountsResourceGroup": {
        "type": "String",
        "metadata": {
          "displayName": "Resource group name for storage accounts",
          "description": "Auditing writes database events to an audit log in your Azure Storage account (a storage account will be created in each region where a Synapse workspace is created that will be shared by all Synapse workspaces in that region). Important - for proper operation of Auditing do not delete or rename the resource group or the storage accounts.",
          "strongType": "existingResourceGroups",
          "assignPermissions": true
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Synapse/workspaces"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Synapse/workspaces/auditingSettings",
          "name": "Default",
          "existenceCondition": {
            "field": "Microsoft.Synapse/workspaces/auditingSettings/state",
            "equals": "Enabled"
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3",
            "/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "workspaceName": {
                    "type": "string"
                  },
                  "auditRetentionDays": {
                    "type": "int"
                  },
                  "storageAccountsResourceGroup": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "variables": {
                  "retentionDays": "[parameters('auditRetentionDays')]",
                  "subscriptionId": "[subscription().subscriptionId]",
                  "uniqueStorage": "[uniqueString(variables('subscriptionId'), parameters('location'), parameters('storageAccountsResourceGroup'))]",
                  "locationCode": "[substring(parameters('location'), 0, 3)]",
                  "storageName": "[tolower(concat('workspaceaudit', variables('locationCode'), variables('uniqueStorage')))]",
                  "createStorageAccountDeploymentName": "[concat('workspaceAuditingStorageAccount-', uniqueString(variables('locationCode'), deployment().name))]"
                },
                "resources": [
                  {
                    "apiVersion": "2017-05-10",
                    "name": "[variables('createStorageAccountDeploymentName')]",
                    "type": "Microsoft.Resources/deployments",
                    "resourceGroup": "[parameters('storageAccountsResourceGroup')]",
                    "properties": {
                      "mode": "Incremental",
                      "expressionEvaluationOptions": {
                        "scope": "inner"
                      },
                      "parameters": {
                        "location": {
                          "value": "[parameters('location')]"
                        },
                        "storageName": {
                          "value": "[variables('storageName')]"
                        }
                      },
                      "template": {
                        "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "location": {
                            "type": "string"
                          },
                          "storageName": {
                            "type": "string"
                          }
                        },
                        "resources": [
                          {
                            "type": "Microsoft.Storage/storageAccounts",
                            "apiVersion": "2017-10-01",
                            "name": "[parameters('storageName')]",
                            "location": "[parameters('location')]",
                            "sku": {
                              "name": "Standard_LRS"
                            },
                            "kind": "BlobStorage",
                            "tags": {
                              "createdBy": "Azure Policy - Configure Synapse workspaces to have auditing enabled"
                            },
                            "properties": {
                              "accessTier": "Hot",
                              "supportsHttpsTrafficOnly": true
                            }
                          }
                        ],
                        "outputs": {
                          "storageAccountEndPoint": {
                            "type": "string",
                            "value": "[reference(parameters('storageName')).primaryEndpoints.blob]"
                          }
                        }
                      }
                    }
                  },
                  {
                    "name": "[concat(parameters('workspaceName'), '/Default')]",
                    "type": "Microsoft.Synapse/workspaces/auditingSettings",
                    "apiVersion": "2017-03-01-preview",
                    "dependsOn": [
                      "[resourceId('Microsoft.Resources/deployments/', variables('createStorageAccountDeploymentName'))]"
                    ],
                    "properties": {
                      "state": "Enabled",
                      "storageEndpoint": "[reference(variables('createStorageAccountDeploymentName')).outputs.storageAccountEndPoint.value]",
                      "storageAccountAccessKey": "[listKeys(resourceId(parameters('storageAccountsResourceGroup'), 'Microsoft.Storage/storageAccounts', variables('storageName')), '2017-06-01').keys[0].value]",
                      "retentionDays": "[variables('retentionDays')]",
                      "storageAccountSubscriptionId": "[subscription().subscriptionId]",
                      "isStorageSecondaryKeyInUse": false
                    }
                  }
                ]
              },
              "parameters": {
                "workspaceName": {
                  "value": "[field('name')]"
                },
                "auditRetentionDays": {
                  "value": "[parameters('retentionDays')]"
                },
                "storageAccountsResourceGroup": {
                  "value": "[parameters('storageAccountsResourceGroup')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/ac7891a4-ac7a-4ba0-9ae9-c923e5a225ee",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ac7891a4-ac7a-4ba0-9ae9-c923e5a225ee"
}
BuiltIn Synapse False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'SQL Security Manager' (056cd41c-7e88-42e1-933e-88ba6a50c9c3), 'Storage Account Contributor' (17d1049b-9a84-46fb-8f53-869881c3d3ab)
{
  "properties": {
    "displayName": "Configure time zone on Windows machines.",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a Guest Configuration assignment to set specified time zone on Windows virtual machines.",
    "metadata": {
      "version": "1.1.0",
      "category": "Guest Configuration",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ]
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "TimeZone": {
        "type": "String",
        "metadata": {
          "displayName": "Time zone",
          "description": "The expected time zone"
        },
        "allowedValues": [
          "(UTC-12:00) International Date Line West",
          "(UTC-11:00) Coordinated Universal Time-11",
          "(UTC-10:00) Aleutian Islands",
          "(UTC-10:00) Hawaii",
          "(UTC-09:30) Marquesas Islands",
          "(UTC-09:00) Alaska",
          "(UTC-09:00) Coordinated Universal Time-09",
          "(UTC-08:00) Baja California",
          "(UTC-08:00) Coordinated Universal Time-08",
          "(UTC-08:00) Pacific Time (US & Canada)",
          "(UTC-07:00) Arizona",
          "(UTC-07:00) Chihuahua, La Paz, Mazatlan",
          "(UTC-07:00) Mountain Time (US & Canada)",
          "(UTC-06:00) Central America",
          "(UTC-06:00) Central Time (US & Canada)",
          "(UTC-06:00) Easter Island",
          "(UTC-06:00) Guadalajara, Mexico City, Monterrey",
          "(UTC-06:00) Saskatchewan",
          "(UTC-05:00) Bogota, Lima, Quito, Rio Branco",
          "(UTC-05:00) Chetumal",
          "(UTC-05:00) Eastern Time (US & Canada)",
          "(UTC-05:00) Haiti",
          "(UTC-05:00) Havana",
          "(UTC-05:00) Indiana (East)",
          "(UTC-05:00) Turks and Caicos",
          "(UTC-04:00) Asuncion",
          "(UTC-04:00) Atlantic Time (Canada)",
          "(UTC-04:00) Caracas",
          "(UTC-04:00) Cuiaba",
          "(UTC-04:00) Georgetown, La Paz, Manaus, San Juan",
          "(UTC-04:00) Santiago",
          "(UTC-03:30) Newfoundland",
          "(UTC-03:00) Araguaina",
          "(UTC-03:00) Brasilia",
          "(UTC-03:00) Cayenne, Fortaleza",
          "(UTC-03:00) City of Buenos Aires",
          "(UTC-03:00) Greenland",
          "(UTC-03:00) Montevideo",
          "(UTC-03:00) Punta Arenas",
          "(UTC-03:00) Saint Pierre and Miquelon",
          "(UTC-03:00) Salvador",
          "(UTC-02:00) Coordinated Universal Time-02",
          "(UTC-02:00) Mid-Atlantic - Old",
          "(UTC-01:00) Azores",
          "(UTC-01:00) Cabo Verde Is.",
          "(UTC) Coordinated Universal Time",
          "(UTC+00:00) Dublin, Edinburgh, Lisbon, London",
          "(UTC+00:00) Monrovia, Reykjavik",
          "(UTC+00:00) Sao Tome",
          "(UTC+01:00) Casablanca",
          "(UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna",
          "(UTC+01:00) Belgrade, Bratislava, Budapest, Ljubljana, Prague",
          "(UTC+01:00) Brussels, Copenhagen, Madrid, Paris",
          "(UTC+01:00) Sarajevo, Skopje, Warsaw, Zagreb",
          "(UTC+01:00) West Central Africa",
          "(UTC+02:00) Amman",
          "(UTC+02:00) Athens, Bucharest",
          "(UTC+02:00) Beirut",
          "(UTC+02:00) Cairo",
          "(UTC+02:00) Chisinau",
          "(UTC+02:00) Damascus",
          "(UTC+02:00) Gaza, Hebron",
          "(UTC+02:00) Harare, Pretoria",
          "(UTC+02:00) Helsinki, Kyiv, Riga, Sofia, Tallinn, Vilnius",
          "(UTC+02:00) Jerusalem",
          "(UTC+02:00) Kaliningrad",
          "(UTC+02:00) Khartoum",
          "(UTC+02:00) Tripoli",
          "(UTC+02:00) Windhoek",
          "(UTC+03:00) Baghdad",
          "(UTC+03:00) Istanbul",
          "(UTC+03:00) Kuwait, Riyadh",
          "(UTC+03:00) Minsk",
          "(UTC+03:00) Moscow, St. Petersburg",
          "(UTC+03:00) Nairobi",
          "(UTC+03:30) Tehran",
          "(UTC+04:00) Abu Dhabi, Muscat",
          "(UTC+04:00) Astrakhan, Ulyanovsk",
          "(UTC+04:00) Baku",
          "(UTC+04:00) Izhevsk, Samara",
          "(UTC+04:00) Port Louis",
          "(UTC+04:00) Saratov",
          "(UTC+04:00) Tbilisi",
          "(UTC+04:00) Volgograd",
          "(UTC+04:00) Yerevan",
          "(UTC+04:30) Kabul",
          "(UTC+05:00) Ashgabat, Tashkent",
          "(UTC+05:00) Ekaterinburg",
          "(UTC+05:00) Islamabad, Karachi",
          "(UTC+05:00) Qyzylorda",
          "(UTC+05:30) Chennai, Kolkata, Mumbai, New Delhi",
          "(UTC+05:30) Sri Jayawardenepura",
          "(UTC+05:45) Kathmandu",
          "(UTC+06:00) Astana",
          "(UTC+06:00) Dhaka",
          "(UTC+06:00) Omsk",
          "(UTC+06:30) Yangon (Rangoon)",
          "(UTC+07:00) Bangkok, Hanoi, Jakarta",
          "(UTC+07:00) Barnaul, Gorno-Altaysk",
          "(UTC+07:00) Hovd",
          "(UTC+07:00) Krasnoyarsk",
          "(UTC+07:00) Novosibirsk",
          "(UTC+07:00) Tomsk",
          "(UTC+08:00) Beijing, Chongqing, Hong Kong, Urumqi",
          "(UTC+08:00) Irkutsk",
          "(UTC+08:00) Kuala Lumpur, Singapore",
          "(UTC+08:00) Perth",
          "(UTC+08:00) Taipei",
          "(UTC+08:00) Ulaanbaatar",
          "(UTC+08:45) Eucla",
          "(UTC+09:00) Chita",
          "(UTC+09:00) Osaka, Sapporo, Tokyo",
          "(UTC+09:00) Pyongyang",
          "(UTC+09:00) Seoul",
          "(UTC+09:00) Yakutsk",
          "(UTC+09:30) Adelaide",
          "(UTC+09:30) Darwin",
          "(UTC+10:00) Brisbane",
          "(UTC+10:00) Canberra, Melbourne, Sydney",
          "(UTC+10:00) Guam, Port Moresby",
          "(UTC+10:00) Hobart",
          "(UTC+10:00) Vladivostok",
          "(UTC+10:30) Lord Howe Island",
          "(UTC+11:00) Bougainville Island",
          "(UTC+11:00) Chokurdakh",
          "(UTC+11:00) Magadan",
          "(UTC+11:00) Norfolk Island",
          "(UTC+11:00) Sakhalin",
          "(UTC+11:00) Solomon Is., New Caledonia",
          "(UTC+12:00) Anadyr, Petropavlovsk-Kamchatsky",
          "(UTC+12:00) Auckland, Wellington",
          "(UTC+12:00) Coordinated Universal Time+12",
          "(UTC+12:00) Fiji",
          "(UTC+12:00) Petropavlovsk-Kamchatsky - Old",
          "(UTC+12:45) Chatham Islands",
          "(UTC+13:00) Coordinated Universal Time+13",
          "(UTC+13:00) Nuku'alofa",
          "(UTC+13:00) Samoa",
          "(UTC+14:00) Kiritimati Island"
        ]
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "SetWindowsTimeZone",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('[WindowsTimeZone]WindowsTimeZone1;TimeZone', '=', parameters('TimeZone')))]"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "type": {
                  "value": "[field('type')]"
                },
                "configurationName": {
                  "value": "SetWindowsTimeZone"
                },
                "TimeZone": {
                  "value": "[parameters('TimeZone')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "configurationName": {
                    "type": "string"
                  },
                  "TimeZone": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "assignmentType": "DeployAndAutoCorrect",
                        "configurationParameter": [
                          {
                            "name": "[WindowsTimeZone]WindowsTimeZone1;TimeZone",
                            "value": "[parameters('TimeZone')]"
                          }
                        ]
                      }
                    }
                  },
                  {
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "assignmentType": "DeployAndAutoCorrect",
                        "configurationParameter": [
                          {
                            "name": "[WindowsTimeZone]WindowsTimeZone1;TimeZone",
                            "value": "[parameters('TimeZone')]"
                          }
                        ]
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/6141c932-9384-44c6-a395-59e4c057d7c9",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "6141c932-9384-44c6-a395-59e4c057d7c9"
}
BuiltIn Guest Configuration False False n/a n/a n/a false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Configure virtual machines to be onboarded to Azure Automanage",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope.",
    "metadata": {
      "version": "4.1.0",
      "category": "Automanage"
    },
    "parameters": {
      "automanageAccount": {
        "type": "String",
        "metadata": {
          "displayName": "Automanage account",
          "description": "The Automanage account is an Azure managed identity under which virtual machine operations are performed. If this account is outside of the scope of the assignment you must manually grant 'Contributor' permissions (or similar) on the account to the policy assignment's principal ID.",
          "strongType": "Microsoft.Automanage/accounts",
          "assignPermissions": true
        }
      },
      "configurationProfileAssignment": {
        "type": "String",
        "metadata": {
          "displayName": "Configuration profile",
          "description": "The management services provided are based on whether the machine is intended to be used in a dev/test environment or production."
        },
        "allowedValues": [
          "Azure virtual machine best practices – Production",
          "Azure virtual machine best practices – Dev/test"
        ],
        "defaultValue": "Azure virtual machine best practices – Production"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "location",
            "in": [
              "eastus",
              "eastus2",
              "westus",
              "westus2",
              "centralus",
              "southcentralus",
              "westcentralus",
              "northeurope",
              "westeurope",
              "canadacentral",
              "japaneast",
              "uksouth",
              "australiaeast",
              "australiasoutheast",
              "southeastasia"
            ]
          },
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Compute/imagePublisher",
                "in": [
                  "esri",
                  "incredibuild",
                  "MicrosoftDynamicsAX",
                  "MicrosoftSharepoint",
                  "MicrosoftVisualStudio",
                  "MicrosoftWindowsDesktop",
                  "MicrosoftWindowsServerHPCPack"
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "notLike": "2008*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftSQLServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "notLike": "SQL2008*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "microsoft-dsvm"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "dsvm-windows"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "microsoft-ads"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "standard-data-science-vm",
                      "windows-data-science-vm"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "batch"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "rendering-windows2016"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "center-for-internet-security-inc"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "like": "cis-windows-server-201*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "pivotal"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "like": "bosh-windows-server*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "cloud-infrastructure-services"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "like": "ad*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                        "exists": "true"
                      },
                      {
                        "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                        "like": "Windows*"
                      }
                    ]
                  },
                  {
                    "field": "Microsoft.Compute/virtualMachines/storageProfile.imageReference.id",
                    "exists": "true"
                  },
                  {
                    "field": "Microsoft.Compute/virtualMachines/storageProfile.imageReference.sku",
                    "exists": "false"
                  }
                ]
              },
              {
                "field": "Microsoft.Compute/imagePublisher",
                "in": [
                  "microsoft-aks",
                  "qubole-inc",
                  "datastax",
                  "couchbase",
                  "scalegrid",
                  "checkpoint",
                  "paloaltonetworks",
                  "debian"
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "OpenLogic"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "like": "CentOS*"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "notLike": "6*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "OpenLogic"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "like": "CentOS*"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "notLike": "8*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "RedHat"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "RHEL",
                      "RHEL-HA",
                      "RHEL-SAP",
                      "RHEL-SAP-APPS",
                      "RHEL-SAP-HA",
                      "RHEL-SAP-HANA",
                      "rhel-raw"
                    ]
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "notLike": "6*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "RedHat"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "RHEL",
                      "RHEL-HA",
                      "RHEL-SAP",
                      "RHEL-SAP-APPS",
                      "RHEL-SAP-HA",
                      "RHEL-SAP-HANA",
                      "rhel-raw"
                    ]
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "notLike": "8*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "RedHat"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "osa",
                      "rhel-byos"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "center-for-internet-security-inc"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "cis-centos-7-l1",
                      "cis-centos-7-v2-1-1-l1",
                      "cis-nginx-centos-7-v1-1-0-l1",
                      "cis-oracle-linux-7-v2-0-0-l1",
                      "cis-postgresql-11-centos-linux-7-level-1",
                      "cis-rhel-7-l2",
                      "cis-rhel-7-v2-2-0-l1",
                      "cis-suse-linux-12-v2-0-0-l1",
                      "cis-ubuntu-linux-1604-v1-0-0-l1",
                      "cis-ubuntu-linux-1804-l1"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "credativ"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Suse"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "like": "SLES*"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "notLike": "11*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Suse"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "like": "SLES*"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "notLike": "15*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Canonical"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "UbuntuServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "notLike": "12*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "microsoft-dsvm"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "linux-data-science-vm-ubuntu",
                      "azureml"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "cloudera"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "cloudera-centos-os"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "notLike": "6*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "cloudera"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "cloudera-altus-centos-os"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "microsoft-ads"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "like": "linux*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration",
                        "exists": "true"
                      },
                      {
                        "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                        "like": "Linux*"
                      }
                    ]
                  },
                  {
                    "field": "Microsoft.Compute/virtualMachines/storageProfile.imageReference.id",
                    "exists": "true"
                  },
                  {
                    "field": "Microsoft.Compute/virtualMachines/storageProfile.imageReference.sku",
                    "exists": "false"
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.Automanage/configurationProfileAssignments",
          "name": "default",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Automanage/configurationProfileAssignments/configurationProfile",
                "equals": "[parameters('configurationProfileAssignment')]"
              },
              {
                "field": "Microsoft.Automanage/configurationProfileAssignments/accountId",
                "equals": "[parameters('automanageAccount')]"
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "machineName": {
                  "value": "[field('Name')]"
                },
                "automanageAccount": {
                  "value": "[parameters('automanageAccount')]"
                },
                "configurationProfileAssignment": {
                  "value": "[parameters('configurationProfileAssignment')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "machineName": {
                    "type": "String"
                  },
                  "automanageAccount": {
                    "type": "string"
                  },
                  "configurationProfileAssignment": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "type": "Microsoft.Compute/virtualMachines/providers/configurationProfileAssignments",
                    "apiVersion": "2020-06-30-preview",
                    "name": "[concat(parameters('machineName'), '/Microsoft.Automanage/', 'default')]",
                    "properties": {
                      "configurationProfile": "[parameters('configurationProfileAssignment')]",
                      "accountId": "[parameters('automanageAccount')]"
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/270610db-8c04-438a-a739-e8e6745b22d3",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "270610db-8c04-438a-a739-e8e6745b22d3"
}
BuiltIn Automanage False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Configure Windows virtual machines with Azure Monitor Agent",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploy Azure Monitor Agent for Windows virtual machines if the virtual machine image (OS) and location are in the list defined and the agent is not installed. The list of OS images is updated over time as support is increased.",
    "metadata": {
      "version": "2.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy."
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "listOfWindowsImageIdToInclude": {
        "type": "Array",
        "metadata": {
          "displayName": "Optional: List of virtual machine images that have supported Windows OS to add to scope",
          "description": "Example values: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'"
        },
        "defaultValue": []
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "location",
            "in": [
              "australiacentral",
              "australiaeast",
              "australiasoutheast",
              "brazilsouth",
              "canadacentral",
              "canadaeast",
              "centralindia",
              "centralus",
              "eastasia",
              "eastus2euap",
              "eastus",
              "eastus2",
              "francecentral",
              "germanywestcentral",
              "japaneast",
              "japanwest",
              "jioindiawest",
              "koreacentral",
              "koreasouth",
              "northcentralus",
              "northeurope",
              "norwayeast",
              "southafricanorth",
              "southcentralus",
              "southeastasia",
              "southindia",
              "switzerlandnorth",
              "uaenorth",
              "uksouth",
              "ukwest",
              "westcentralus",
              "westeurope",
              "westindia",
              "westus",
              "westus2"
            ]
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Compute/imageId",
                "in": "[parameters('listOfWindowsImageIdToInclude')]"
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "WindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "in": [
                      "2008-R2-SP1",
                      "2008-R2-SP1-smalldisk",
                      "2012-Datacenter",
                      "2012-Datacenter-smalldisk",
                      "2012-R2-Datacenter",
                      "2012-R2-Datacenter-smalldisk",
                      "2016-Datacenter",
                      "2016-Datacenter-Server-Core",
                      "2016-Datacenter-Server-Core-smalldisk",
                      "2016-Datacenter-smalldisk",
                      "2016-Datacenter-with-Containers",
                      "2016-Datacenter-with-RDSH",
                      "2019-Datacenter",
                      "2019-Datacenter-Core",
                      "2019-Datacenter-Core-smalldisk",
                      "2019-Datacenter-Core-with-Containers",
                      "2019-Datacenter-Core-with-Containers-smalldisk",
                      "2019-Datacenter-smalldisk",
                      "2019-Datacenter-with-Containers",
                      "2019-Datacenter-with-Containers-smalldisk",
                      "2019-Datacenter-zhcn"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "WindowsServerSemiAnnual"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "in": [
                      "Datacenter-Core-1709-smalldisk",
                      "Datacenter-Core-1709-with-Containers-smalldisk",
                      "Datacenter-Core-1803-with-Containers-smalldisk"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServerHPCPack"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "WindowsServerHPCPack"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftSQLServer"
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2019"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2019-BYOL"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2016"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2016-BYOL"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2012R2"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2012R2-BYOL"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftRServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "MLServer-WS2016"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftVisualStudio"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "VisualStudio",
                      "Windows"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftDynamicsAX"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Dynamics"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "equals": "Pre-Req-AX7-Onebox-U8"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "microsoft-ads"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "windows-data-science-vm"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsDesktop"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Windows-10"
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Compute/virtualMachines/extensions",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
          ],
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/type",
                "equals": "AzureMonitorWindowsAgent"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                "equals": "Microsoft.Azure.Monitor"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",
                "equals": "Succeeded"
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "variables": {
                  "vmExtensionName": "AzureMonitorWindowsAgent",
                  "vmExtensionPublisher": "Microsoft.Azure.Monitor",
                  "vmExtensionType": "AzureMonitorWindowsAgent",
                  "vmExtensionTypeHandlerVersion": "1.0"
                },
                "resources": [
                  {
                    "name": "[concat(parameters('vmName'), '/', variables('vmExtensionName'))]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "apiVersion": "2019-07-01",
                    "properties": {
                      "publisher": "[variables('vmExtensionPublisher')]",
                      "type": "[variables('vmExtensionType')]",
                      "typeHandlerVersion": "[variables('vmExtensionTypeHandlerVersion')]",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    }
                  }
                ]
              },
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/ca817e41-e85a-4783-bc7f-dc532d36235e",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ca817e41-e85a-4783-bc7f-dc532d36235e"
}
BuiltIn Monitoring False False n/a n/a DeployIfNotExists false 0 n/a true 2 Configure Azure Monitor Agent to Windows virtual machines and associate to Data Collection Rule (/providers/microsoft.authorization/policysetdefinitions/9575b8b7-78ab-4281-b53b-d3c1ace2260b), [Preview]: Configure machines to automatically install the Azure Monitor and Azure Security agents on virtual machines (/providers/microsoft.authorization/policysetdefinitions/a15f3269-2e10-458c-87a4-d5989e678a73) 'Virtual Machine Contributor' (9980e02c-c2be-4d73-94e8-173b1dc7cf3c)
{
  "properties": {
    "displayName": "Connection throttling should be enabled for PostgreSQL database servers",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy helps audit any PostgreSQL databases in your environment without Connection throttling enabled. This setting enables temporary connection throttling per IP for too many invalid password login failures.",
    "metadata": {
      "version": "1.0.0",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.DBforPostgreSQL/servers"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.DBforPostgreSQL/servers/configurations",
          "name": "connection_throttling",
          "existenceCondition": {
            "field": "Microsoft.DBforPostgreSQL/servers/configurations/value",
            "equals": "ON"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/5345bb39-67dc-4960-a1bf-427e16b9a0bd",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "5345bb39-67dc-4960-a1bf-427e16b9a0bd"
}
BuiltIn SQL False False n/a n/a AuditIfNotExists false 0 n/a true 2 CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c) n/a
{
  "properties": {
    "displayName": "Container registries should be encrypted with a customer-managed key",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/acr/CMK.",
    "metadata": {
      "version": "1.1.2",
      "category": "Container Registry"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ContainerRegistry/registries"
          },
          {
            "field": "Microsoft.ContainerRegistry/registries/encryption.status",
            "notEquals": "enabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580"
}
BuiltIn Container Registry False False n/a n/a Audit false 0 n/a true 8 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Container registries should have exports disabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disabling exports improves security by ensuring data in a registry is accessed solely via the dataplane ('docker pull'). Data cannot be moved out of the registry via 'acr import' or via 'acr transfer'. In order to disable exports, public network access must be disabled. Learn more at: https://aka.ms/acr/export-policy.",
    "metadata": {
      "version": "1.0.0",
      "category": "Container Registry"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ContainerRegistry/registries"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.ContainerRegistry/registries/policies.exportPolicy.status",
                "notEquals": "Disabled"
              },
              {
                "field": "Microsoft.ContainerRegistry/registries/publicNetworkAccess",
                "notEquals": "Disabled"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/524b0254-c285-4903-bee6-bb8126cde579",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "524b0254-c285-4903-bee6-bb8126cde579"
}
BuiltIn Container Registry False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Container registries should have local authentication methods disabled.",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disabling local authentication methods improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication.",
    "metadata": {
      "version": "1.0.0",
      "category": "Container Registry"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ContainerRegistry/registries"
          },
          {
            "field": "Microsoft.ContainerRegistry/registries/adminUserEnabled",
            "equals": true
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/dc921057-6b28-4fbe-9b83-f7bec05db6c2",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "dc921057-6b28-4fbe-9b83-f7bec05db6c2"
}
BuiltIn Container Registry False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Container registries should have SKUs that support Private Links",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, data leakage risks are reduced. Learn more at: https://aka.ms/acr/private-link.",
    "metadata": {
      "version": "1.0.0",
      "category": "Container Registry"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ContainerRegistry/registries"
          },
          {
            "field": "Microsoft.ContainerRegistry/registries/sku.name",
            "notEquals": "Premium"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/bd560fc0-3c69-498a-ae9f-aa8eb7de0e13",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "bd560fc0-3c69-498a-ae9f-aa8eb7de0e13"
}
BuiltIn Container Registry False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Container registries should not allow unrestricted network access",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. If your registry doesn't have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/portal/public-network and here https://aka.ms/acr/vnet.",
    "metadata": {
      "version": "1.1.0",
      "category": "Container Registry"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ContainerRegistry/registries"
          },
          {
            "anyof": [
              {
                "field": "Microsoft.ContainerRegistry/registries/networkRuleSet.defaultAction",
                "exists": "false"
              },
              {
                "field": "Microsoft.ContainerRegistry/registries/networkRuleSet.defaultAction",
                "equals": "Allow"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "d0793b48-0edc-4296-a390-4c75d1bdfd71"
}
BuiltIn Container Registry False False n/a n/a Audit false 0 n/a true 8 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Container registries should use private link",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link.",
    "metadata": {
      "version": "1.0.1",
      "category": "Container Registry"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ContainerRegistry/registries"
          },
          {
            "count": {
              "field": "Microsoft.ContainerRegistry/registries/privateEndpointConnections[*]",
              "where": {
                "field": "Microsoft.ContainerRegistry/registries/privateEndpointConnections[*].privateLinkServiceConnectionState.status",
                "equals": "Approved"
              }
            },
            "less": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e8eef0a8-67cf-4eb4-9386-14b0e78733d4"
}
BuiltIn Container Registry False False n/a n/a Audit false 0 n/a true 7 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "CORS should not allow every domain to access your API for FHIR",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API for FHIR. To protect your API for FHIR, remove access for all domains and explicitly define the domains allowed to connect.",
    "metadata": {
      "version": "1.0.0",
      "category": "API for FHIR"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "audit",
          "disabled"
        ],
        "defaultValue": "audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.HealthcareApis/services"
          },
          {
            "not": {
              "field": "Microsoft.HealthcareApis/services/corsConfiguration.origins[*]",
              "notEquals": "*"
            }
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0fea8f8a-4169-495d-8307-30ec335f387d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0fea8f8a-4169-495d-8307-30ec335f387d"
}
BuiltIn API for FHIR False False n/a n/a audit false 0 n/a true 1 [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de) n/a
{
  "properties": {
    "displayName": "CORS should not allow every resource to access your API App",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app.",
    "metadata": {
      "version": "1.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "*api"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "existenceCondition": {
            "field": "Microsoft.Web/sites/config/web.cors.allowedOrigins[*]",
            "notEquals": "*"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "358c20a6-3f9e-4f0e-97ff-c6ce485e2aac"
}
BuiltIn App Service False False n/a n/a AuditIfNotExists false 0 n/a true 10 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "CORS should not allow every resource to access your Function Apps",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app.",
    "metadata": {
      "version": "1.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "functionapp*"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "existenceCondition": {
            "field": "Microsoft.Web/sites/config/web.cors.allowedOrigins[*]",
            "notEquals": "*"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0820b7b9-23aa-4725-a1ce-ae4558f718e5"
}
BuiltIn App Service False False n/a n/a AuditIfNotExists false 0 n/a true 10 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "CORS should not allow every resource to access your Web Applications",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app.",
    "metadata": {
      "version": "1.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "app*"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "existenceCondition": {
            "field": "Microsoft.Web/sites/config/web.cors.allowedOrigins[*]",
            "notEquals": "*"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "5744710e-cc2f-4ee8-8809-3b11e89f4bc9"
}
BuiltIn App Service False False n/a n/a AuditIfNotExists false 0 n/a true 15 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Cosmos DB database accounts should have local authentication methods disabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disabling local authentication methods improves security by ensuring that Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth.",
    "metadata": {
      "version": "1.0.0",
      "category": "Cosmos DB"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DocumentDB/databaseAccounts"
          },
          {
            "field": "Microsoft.DocumentDB/databaseAccounts/disableLocalAuth",
            "notEquals": true
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "5450f5bd-9c72-4390-a9c4-a7aba4edfdd2"
}
BuiltIn Cosmos DB False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Cosmos DB should use a virtual network service endpoint",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy audits any Cosmos DB not configured to use a virtual network service endpoint.",
    "metadata": {
      "version": "1.0.0",
      "category": "Network"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DocumentDB/databaseAccounts"
          },
          {
            "field": "Microsoft.DocumentDB/databaseAccounts/virtualNetworkRules[*].id",
            "exists": "false"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9"
}
BuiltIn Network False False n/a n/a Audit false 0 n/a true 2 [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab) n/a
{
  "properties": {
    "displayName": "CosmosDB accounts should use private link",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints.",
    "metadata": {
      "version": "1.0.0",
      "category": "Cosmos DB"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DocumentDB/databaseAccounts"
          },
          {
            "count": {
              "field": "Microsoft.DocumentDB/databaseAccounts/privateEndpointConnections[*]",
              "where": {
                "field": "Microsoft.DocumentDB/databaseAccounts/privateEndpointConnections[*].privateLinkServiceConnectionState.status",
                "equals": "Approved"
              }
            },
            "less": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/58440f8a-10c5-4151-bdce-dfbaad4a20b7",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "58440f8a-10c5-4151-bdce-dfbaad4a20b7"
}
BuiltIn Cosmos DB False False n/a n/a Audit false 0 n/a true 4 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Create NSG Rule",
    "policyType": "Custom",
    "mode": "All",
    "metadata": {
      "createdBy": "acf4c68f-7b15-4d70-935b-26116fc2426a",
      "createdOn": "2021-05-18T18:01:38.7866652Z",
      "updatedBy": "acf4c68f-7b15-4d70-935b-26116fc2426a",
      "updatedOn": "2021-05-18T18:22:00.499589Z",
      "category": "CUST_NSG"
    },
    "parameters": {
      "name": {
        "type": "String",
        "metadata": {
          "displayName": "name",
          "description": null
        }
      },
      "protocol": {
        "type": "String",
        "metadata": {
          "displayName": "protocol",
          "description": null
        }
      },
      "access": {
        "type": "String",
        "metadata": {
          "displayName": "access",
          "description": null
        }
      },
      "priority": {
        "type": "String",
        "metadata": {
          "displayName": "priority",
          "description": null
        }
      },
      "direction": {
        "type": "String",
        "metadata": {
          "displayName": "direction",
          "description": null
        }
      },
      "sourcePortRanges": {
        "type": "Array",
        "metadata": {
          "displayName": "sourcePortRanges",
          "description": null
        }
      },
      "destinationPortRanges": {
        "type": "Array",
        "metadata": {
          "displayName": "destinationPortRanges",
          "description": null
        }
      },
      "sourceAddressPrefixes": {
        "type": "Array",
        "metadata": {
          "displayName": "sourceAddressPrefixes",
          "description": null
        }
      },
      "destinationAddressPrefixes": {
        "type": "Array",
        "metadata": {
          "displayName": "destinationAddressPrefixes",
          "description": null
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/networkSecurityGroups"
          }
        ]
      },
      "then": {
        "effect": "append",
        "details": [
          {
            "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
            "value": {
              "name": "[parameters('name')]",
              "properties": {
                "protocol": "[parameters('protocol')]",
                "sourcePortRange": "[if(equals(length(parameters('sourcePortRanges')), 1), first(parameters('sourcePortRanges')), '')]",
                "destinationPortRange": "[if(equals(length(parameters('destinationPortRanges')), 1), first(parameters('destinationPortRanges')), '')]",
                "sourceAddressPrefix": "[if(equals(length(parameters('sourceAddressPrefixes')), 1), first(parameters('sourceAddressPrefixes')), '')]",
                "destinationAddressPrefix": "[if(equals(length(parameters('destinationAddressPrefixes')), 1), first(parameters('destinationAddressPrefixes')), '')]",
                "access": "[parameters('access')]",
                "priority": "[parameters('priority')]",
                "direction": "[parameters('direction')]",
                "sourcePortRanges": "[if(greater(length(parameters('sourcePortRanges')), 1), parameters('sourcePortRanges'), take(parameters('sourcePortRanges'),0))]",
                "destinationPortRanges": "[if(greater(length(parameters('destinationPortRanges')), 1), parameters('destinationPortRanges'), take(parameters('destinationPortRanges'),0))]",
                "sourceAddressPrefixes": "[if(greater(length(parameters('sourceAddressPrefixes')), 1), parameters('sourceAddressPrefixes'), take(parameters('sourceAddressPrefixes'),0))]",
                "destinationAddressPrefixes": "[if(greater(length(parameters('destinationAddressPrefixes')), 1), parameters('destinationAddressPrefixes'), take(parameters('destinationAddressPrefixes'),0))]"
              }
            }
          }
        ]
      }
    }
  },
  "id": "/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/providers/Microsoft.Authorization/policyDefinitions/4e7e976d-d94c-47a3-a534-392c641cecd8",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "4e7e976d-d94c-47a3-a534-392c641cecd8"
}
Custom CUST_NSG False False Sub f28ba982-5ed0-4033-9bdf-e45e4b5df466 (management) n/a false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Custom subscription owner roles should not exist",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy ensures that no custom subscription owner roles exist.",
    "metadata": {
      "version": "2.0.0",
      "category": "General"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Authorization/roleDefinitions"
          },
          {
            "field": "Microsoft.Authorization/roleDefinitions/type",
            "equals": "CustomRole"
          },
          {
            "anyOf": [
              {
                "not": {
                  "field": "Microsoft.Authorization/roleDefinitions/permissions[*].actions[*]",
                  "notEquals": "*"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Authorization/roleDefinitions/permissions.actions[*]",
                  "notEquals": "*"
                }
              }
            ]
          },
          {
            "anyOf": [
              {
                "not": {
                  "field": "Microsoft.Authorization/roleDefinitions/assignableScopes[*]",
                  "notIn": [
                    "[concat(subscription().id,'/')]",
                    "[subscription().id]",
                    "/"
                  ]
                }
              },
              {
                "not": {
                  "field": "Microsoft.Authorization/roleDefinitions/assignableScopes[*]",
                  "notLike": "/providers/Microsoft.Management/*"
                }
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9"
}
BuiltIn General False False n/a n/a Audit false 0 n/a true 4 CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b) n/a
{
  "properties": {
    "displayName": "Deny the creation of private DNS",
    "policyType": "Custom",
    "mode": "All",
    "description": "This policy denies the creation of a private DNS in the current scope, used in combination with policies that create centralized private DNS in connectivity subscription",
    "metadata": {
      "version": "1.0.0",
      "category": "Network",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.590183Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Network/privateDnsZones"
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deny-Private-DNS-Zones",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deny-Private-DNS-Zones"
}
Custom Network False False Mg ESJH (ESJH) Deny false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Deny the creation of public IP",
    "policyType": "Custom",
    "mode": "All",
    "description": "This policy denies creation of Public IPs under the assigned scope.",
    "metadata": {
      "version": "1.0.0",
      "category": "Network",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.5671925Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Network/publicIPAddresses"
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deny-PublicIP"
}
Custom Network False False Mg ESJH (ESJH) Deny false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Deny vNet peering ",
    "policyType": "Custom",
    "mode": "All",
    "description": "This policy denies the creation of vNet Peerings under the assigned scope.",
    "metadata": {
      "version": "1.0.0",
      "category": "Network",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.6692035Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings"
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deny-ERPeering",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deny-ERPeering"
}
Custom Network False False Mg ESJH (ESJH) Deny false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Dependency agent should be enabled for listed virtual machine images",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated.",
    "metadata": {
      "version": "2.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "listOfImageIdToInclude_windows": {
        "type": "Array",
        "metadata": {
          "displayName": "Optional: List of virtual machine images that have supported Windows OS to add to scope",
          "description": "Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'"
        },
        "defaultValue": []
      },
      "listOfImageIdToInclude_linux": {
        "type": "Array",
        "metadata": {
          "displayName": "Optional: List of virtual machine images that have supported Linux OS to add to scope",
          "description": "Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'"
        },
        "defaultValue": []
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "not": {
              "anyOf": [
                {
                  "field": "Microsoft.Compute/imageId",
                  "in": "[parameters('listOfImageIdToInclude_windows')]"
                },
                {
                  "field": "Microsoft.Compute/imageId",
                  "in": "[parameters('listOfImageIdToInclude_linux')]"
                },
                {
                  "anyOf": [
                    {
                      "allOf": [
                        {
                          "field": "Microsoft.Compute/imagePublisher",
                          "equals": "MicrosoftWindowsServer"
                        },
                        {
                          "field": "Microsoft.Compute/imageOffer",
                          "equals": "WindowsServer"
                        },
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "in": [
                            "2008-R2-SP1",
                            "2008-R2-SP1-smalldisk",
                            "2012-Datacenter",
                            "2012-Datacenter-smalldisk",
                            "2012-R2-Datacenter",
                            "2012-R2-Datacenter-smalldisk",
                            "2016-Datacenter",
                            "2016-Datacenter-Server-Core",
                            "2016-Datacenter-Server-Core-smalldisk",
                            "2016-Datacenter-smalldisk",
                            "2016-Datacenter-with-Containers",
                            "2016-Datacenter-with-RDSH",
                            "2019-Datacenter",
                            "2019-Datacenter-Core",
                            "2019-Datacenter-Core-smalldisk",
                            "2019-Datacenter-Core-with-Containers",
                            "2019-Datacenter-Core-with-Containers-smalldisk",
                            "2019-Datacenter-smalldisk",
                            "2019-Datacenter-with-Containers",
                            "2019-Datacenter-with-Containers-smalldisk",
                            "2019-Datacenter-zhcn"
                          ]
                        }
                      ]
                    },
                    {
                      "allOf": [
                        {
                          "field": "Microsoft.Compute/imagePublisher",
                          "equals": "MicrosoftWindowsServer"
                        },
                        {
                          "field": "Microsoft.Compute/imageOffer",
                          "equals": "WindowsServerSemiAnnual"
                        },
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "in": [
                            "Datacenter-Core-1709-smalldisk",
                            "Datacenter-Core-1709-with-Containers-smalldisk",
                            "Datacenter-Core-1803-with-Containers-smalldisk"
                          ]
                        }
                      ]
                    },
                    {
                      "allOf": [
                        {
                          "field": "Microsoft.Compute/imagePublisher",
                          "equals": "MicrosoftWindowsServerHPCPack"
                        },
                        {
                          "field": "Microsoft.Compute/imageOffer",
                          "equals": "WindowsServerHPCPack"
                        }
                      ]
                    },
                    {
                      "allOf": [
                        {
                          "field": "Microsoft.Compute/imagePublisher",
                          "equals": "MicrosoftSQLServer"
                        },
                        {
                          "anyOf": [
                            {
                              "field": "Microsoft.Compute/imageOffer",
                              "like": "*-WS2016"
                            },
                            {
                              "field": "Microsoft.Compute/imageOffer",
                              "like": "*-WS2016-BYOL"
                            },
                            {
                              "field": "Microsoft.Compute/imageOffer",
                              "like": "*-WS2012R2"
                            },
                            {
                              "field": "Microsoft.Compute/imageOffer",
                              "like": "*-WS2012R2-BYOL"
                            }
                          ]
                        }
                      ]
                    },
                    {
                      "allOf": [
                        {
                          "field": "Microsoft.Compute/imagePublisher",
                          "equals": "MicrosoftRServer"
                        },
                        {
                          "field": "Microsoft.Compute/imageOffer",
                          "equals": "MLServer-WS2016"
                        }
                      ]
                    },
                    {
                      "allOf": [
                        {
                          "field": "Microsoft.Compute/imagePublisher",
                          "equals": "MicrosoftVisualStudio"
                        },
                        {
                          "field": "Microsoft.Compute/imageOffer",
                          "in": [
                            "VisualStudio",
                            "Windows"
                          ]
                        }
                      ]
                    },
                    {
                      "allOf": [
                        {
                          "field": "Microsoft.Compute/imagePublisher",
                          "equals": "MicrosoftDynamicsAX"
                        },
                        {
                          "field": "Microsoft.Compute/imageOffer",
                          "equals": "Dynamics"
                        },
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "equals": "Pre-Req-AX7-Onebox-U8"
                        }
                      ]
                    },
                    {
                      "allOf": [
                        {
                          "field": "Microsoft.Compute/imagePublisher",
                          "equals": "MicrosoftDynamicsAX"
                        },
                        {
                          "field": "Microsoft.Compute/imageOffer",
                          "equals": "Dynamics"
                        },
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "equals": "Pre-Req-AX7-Onebox-V4"
                        }
                      ]
                    },
                    {
                      "allOf": [
                        {
                          "field": "Microsoft.Compute/imagePublisher",
                          "equals": "microsoft-ads"
                        },
                        {
                          "field": "Microsoft.Compute/imageOffer",
                          "equals": "windows-data-science-vm"
                        }
                      ]
                    },
                    {
                      "allOf": [
                        {
                          "field": "Microsoft.Compute/imagePublisher",
                          "equals": "MicrosoftWindowsDesktop"
                        },
                        {
                          "field": "Microsoft.Compute/imageOffer",
                          "equals": "Windows-10"
                        }
                      ]
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "RedHat"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "in": [
                        "RHEL",
                        "RHEL-SAP-HANA"
                      ]
                    },
                    {
                      "anyOf": [
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "like": "6.*"
                        },
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "like": "7*"
                        }
                      ]
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "SUSE"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "in": [
                        "SLES",
                        "SLES-HPC",
                        "SLES-HPC-Priority",
                        "SLES-SAP",
                        "SLES-SAP-BYOS",
                        "SLES-Priority",
                        "SLES-BYOS",
                        "SLES-SAPCAL",
                        "SLES-Standard"
                      ]
                    },
                    {
                      "anyOf": [
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "in": [
                            "12-SP2",
                            "12-SP3",
                            "12-SP4"
                          ]
                        }
                      ]
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "Canonical"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "equals": "UbuntuServer"
                    },
                    {
                      "anyOf": [
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "in": [
                            "14.04.0-LTS",
                            "14.04.1-LTS",
                            "14.04.5-LTS"
                          ]
                        },
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "in": [
                            "16.04-LTS",
                            "16.04.0-LTS"
                          ]
                        },
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "in": [
                            "18.04-LTS"
                          ]
                        }
                      ]
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "OpenLogic"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "in": [
                        "Centos",
                        "Centos-LVM",
                        "CentOS-SRIOV"
                      ]
                    },
                    {
                      "anyOf": [
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "like": "6.*"
                        },
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "like": "7*"
                        }
                      ]
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "cloudera"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "equals": "cloudera-centos-os"
                    },
                    {
                      "field": "Microsoft.Compute/imageSKU",
                      "like": "7*"
                    }
                  ]
                }
              ]
            }
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Compute/virtualMachines/extensions",
          "existenceCondition": {
            "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
            "equals": "Microsoft.Azure.Monitoring.DependencyAgent"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/11ac78e3-31bc-4f0c-8434-37ab963cea07",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "11ac78e3-31bc-4f0c-8434-37ab963cea07"
}
BuiltIn Monitoring False False n/a n/a AuditIfNotExists false 0 n/a true 2 Enable Azure Monitor for VMs (/providers/microsoft.authorization/policysetdefinitions/55f3eceb-5573-4f18-9695-226972c6d74a), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2) n/a
{
  "properties": {
    "displayName": "Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated.",
    "metadata": {
      "version": "2.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "listOfImageIdToInclude_windows": {
        "type": "Array",
        "metadata": {
          "displayName": "Optional: List of virtual machine images that have supported Windows OS to add to scope",
          "description": "Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'"
        },
        "defaultValue": []
      },
      "listOfImageIdToInclude_linux": {
        "type": "Array",
        "metadata": {
          "displayName": "Optional: List of virtual machine images that have supported Linux OS to add to scope",
          "description": "Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'"
        },
        "defaultValue": []
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachineScaleSets"
          },
          {
            "not": {
              "anyOf": [
                {
                  "field": "Microsoft.Compute/imageId",
                  "in": "[parameters('listOfImageIdToInclude_windows')]"
                },
                {
                  "field": "Microsoft.Compute/imageId",
                  "in": "[parameters('listOfImageIdToInclude_linux')]"
                },
                {
                  "anyOf": [
                    {
                      "allOf": [
                        {
                          "field": "Microsoft.Compute/imagePublisher",
                          "equals": "MicrosoftWindowsServer"
                        },
                        {
                          "field": "Microsoft.Compute/imageOffer",
                          "equals": "WindowsServer"
                        },
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "in": [
                            "2008-R2-SP1",
                            "2008-R2-SP1-smalldisk",
                            "2012-Datacenter",
                            "2012-Datacenter-smalldisk",
                            "2012-R2-Datacenter",
                            "2012-R2-Datacenter-smalldisk",
                            "2016-Datacenter",
                            "2016-Datacenter-Server-Core",
                            "2016-Datacenter-Server-Core-smalldisk",
                            "2016-Datacenter-smalldisk",
                            "2016-Datacenter-with-Containers",
                            "2016-Datacenter-with-RDSH",
                            "2019-Datacenter",
                            "2019-Datacenter-Core",
                            "2019-Datacenter-Core-smalldisk",
                            "2019-Datacenter-Core-with-Containers",
                            "2019-Datacenter-Core-with-Containers-smalldisk",
                            "2019-Datacenter-smalldisk",
                            "2019-Datacenter-with-Containers",
                            "2019-Datacenter-with-Containers-smalldisk",
                            "2019-Datacenter-zhcn"
                          ]
                        }
                      ]
                    },
                    {
                      "allOf": [
                        {
                          "field": "Microsoft.Compute/imagePublisher",
                          "equals": "MicrosoftWindowsServer"
                        },
                        {
                          "field": "Microsoft.Compute/imageOffer",
                          "equals": "WindowsServerSemiAnnual"
                        },
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "in": [
                            "Datacenter-Core-1709-smalldisk",
                            "Datacenter-Core-1709-with-Containers-smalldisk",
                            "Datacenter-Core-1803-with-Containers-smalldisk"
                          ]
                        }
                      ]
                    },
                    {
                      "allOf": [
                        {
                          "field": "Microsoft.Compute/imagePublisher",
                          "equals": "MicrosoftWindowsServerHPCPack"
                        },
                        {
                          "field": "Microsoft.Compute/imageOffer",
                          "equals": "WindowsServerHPCPack"
                        }
                      ]
                    },
                    {
                      "allOf": [
                        {
                          "field": "Microsoft.Compute/imagePublisher",
                          "equals": "MicrosoftSQLServer"
                        },
                        {
                          "anyOf": [
                            {
                              "field": "Microsoft.Compute/imageOffer",
                              "like": "*-WS2016"
                            },
                            {
                              "field": "Microsoft.Compute/imageOffer",
                              "like": "*-WS2016-BYOL"
                            },
                            {
                              "field": "Microsoft.Compute/imageOffer",
                              "like": "*-WS2012R2"
                            },
                            {
                              "field": "Microsoft.Compute/imageOffer",
                              "like": "*-WS2012R2-BYOL"
                            }
                          ]
                        }
                      ]
                    },
                    {
                      "allOf": [
                        {
                          "field": "Microsoft.Compute/imagePublisher",
                          "equals": "MicrosoftRServer"
                        },
                        {
                          "field": "Microsoft.Compute/imageOffer",
                          "equals": "MLServer-WS2016"
                        }
                      ]
                    },
                    {
                      "allOf": [
                        {
                          "field": "Microsoft.Compute/imagePublisher",
                          "equals": "MicrosoftVisualStudio"
                        },
                        {
                          "field": "Microsoft.Compute/imageOffer",
                          "in": [
                            "VisualStudio",
                            "Windows"
                          ]
                        }
                      ]
                    },
                    {
                      "allOf": [
                        {
                          "field": "Microsoft.Compute/imagePublisher",
                          "equals": "MicrosoftDynamicsAX"
                        },
                        {
                          "field": "Microsoft.Compute/imageOffer",
                          "equals": "Dynamics"
                        },
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "equals": "Pre-Req-AX7-Onebox-U8"
                        }
                      ]
                    },
                    {
                      "allOf": [
                        {
                          "field": "Microsoft.Compute/imagePublisher",
                          "equals": "MicrosoftDynamicsAX"
                        },
                        {
                          "field": "Microsoft.Compute/imageOffer",
                          "equals": "Dynamics"
                        },
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "equals": "Pre-Req-AX7-Onebox-V4"
                        }
                      ]
                    },
                    {
                      "allOf": [
                        {
                          "field": "Microsoft.Compute/imagePublisher",
                          "equals": "microsoft-ads"
                        },
                        {
                          "field": "Microsoft.Compute/imageOffer",
                          "equals": "windows-data-science-vm"
                        }
                      ]
                    },
                    {
                      "allOf": [
                        {
                          "field": "Microsoft.Compute/imagePublisher",
                          "equals": "MicrosoftWindowsDesktop"
                        },
                        {
                          "field": "Microsoft.Compute/imageOffer",
                          "equals": "Windows-10"
                        }
                      ]
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "RedHat"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "in": [
                        "RHEL",
                        "RHEL-SAP-HANA"
                      ]
                    },
                    {
                      "anyOf": [
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "like": "6.*"
                        },
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "like": "7*"
                        }
                      ]
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "SUSE"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "in": [
                        "SLES",
                        "SLES-HPC",
                        "SLES-HPC-Priority",
                        "SLES-SAP",
                        "SLES-SAP-BYOS",
                        "SLES-Priority",
                        "SLES-BYOS",
                        "SLES-SAPCAL",
                        "SLES-Standard"
                      ]
                    },
                    {
                      "anyOf": [
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "in": [
                            "12-SP2",
                            "12-SP3",
                            "12-SP4"
                          ]
                        }
                      ]
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "Canonical"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "equals": "UbuntuServer"
                    },
                    {
                      "anyOf": [
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "in": [
                            "14.04.0-LTS",
                            "14.04.1-LTS",
                            "14.04.5-LTS"
                          ]
                        },
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "in": [
                            "16.04-LTS",
                            "16.04.0-LTS"
                          ]
                        },
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "in": [
                            "18.04-LTS"
                          ]
                        }
                      ]
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "OpenLogic"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "in": [
                        "Centos",
                        "Centos-LVM",
                        "CentOS-SRIOV"
                      ]
                    },
                    {
                      "anyOf": [
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "like": "6.*"
                        },
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "like": "7*"
                        }
                      ]
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "cloudera"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "equals": "cloudera-centos-os"
                    },
                    {
                      "field": "Microsoft.Compute/imageSKU",
                      "like": "7*"
                    }
                  ]
                }
              ]
            }
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Compute/virtualMachineScaleSets/extensions",
          "existenceCondition": {
            "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/publisher",
            "equals": "Microsoft.Azure.Monitoring.DependencyAgent"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e2dd799a-a932-4e9d-ac17-d473bc3c6c10",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e2dd799a-a932-4e9d-ac17-d473bc3c6c10"
}
BuiltIn Monitoring False False n/a n/a AuditIfNotExists false 0 n/a true 3 [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), Enable Azure Monitor for Virtual Machine Scale Sets (/providers/microsoft.authorization/policysetdefinitions/75714362-cae7-409e-9b99-a8e5075b7fad), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2) n/a
{
  "properties": {
    "displayName": "Deploy - Configure Azure Event Grid domains to use private DNS zones",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use private DNS zones to override the DNS resolution for a private endpoint. Learn more at: https://aka.ms/privatednszone.",
    "metadata": {
      "version": "1.0.0",
      "category": "Event Grid"
    },
    "parameters": {
      "privateDnsZoneId": {
        "type": "String",
        "metadata": {
          "displayName": "Private DNS Zone ID",
          "description": "Specifies the private DNS zone to use to configure private endpoint",
          "strongType": "Microsoft.Network/privateDnsZones"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "deployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "deployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/privateEndpoints"
          },
          {
            "count": {
              "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
              "where": {
                "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                "equals": "domain"
              }
            },
            "greaterOrEquals": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "privateDnsZoneId": {
                    "type": "string"
                  },
                  "privateEndpointName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
                    "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
                    "apiVersion": "2020-03-01",
                    "location": "[parameters('location')]",
                    "properties": {
                      "privateDnsZoneConfigs": [
                        {
                          "name": "domain-privateDnsZone",
                          "properties": {
                            "privateDnsZoneId": "[parameters('privateDnsZoneId')]"
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "parameters": {
                "privateDnsZoneId": {
                  "value": "[parameters('privateDnsZoneId')]"
                },
                "privateEndpointName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "d389df0a-e0d7-4607-833c-75a6fdac2c2d"
}
BuiltIn Event Grid False False n/a n/a deployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7)
{
  "properties": {
    "displayName": "Deploy - Configure Azure Event Grid domains with private endpoints",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints.",
    "metadata": {
      "version": "1.0.0",
      "category": "Event Grid"
    },
    "parameters": {
      "privateEndpointSubnetId": {
        "type": "String",
        "metadata": {
          "displayName": "Private endpoint subnet id",
          "description": "Specifies the subnet to use to configure private endpoint",
          "strongType": "Microsoft.Network/virtualNetworks/subnets"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.EventGrid/domains"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.EventGrid/domains/privateEndpointConnections",
          "existenceCondition": {
            "field": "Microsoft.EventGrid/domains/privateEndpointConnections/privateLinkServiceConnectionState.status",
            "equals": "Approved"
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7",
            "/providers/Microsoft.Authorization/roleDefinitions/1e241071-0855-49ea-94dc-649edcd759de"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "name": {
                  "value": "[field('name')]"
                },
                "serviceId": {
                  "value": "[field('id')]"
                },
                "privateEndpointSubnetId": {
                  "value": "[parameters('privateEndpointSubnetId')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "name": {
                    "type": "string"
                  },
                  "serviceId": {
                    "type": "string"
                  },
                  "privateEndpointSubnetId": {
                    "type": "string"
                  }
                },
                "variables": {
                  "privateEndpointName": "[concat('pe-',substring(parameters('name'),0,min(length(parameters('name')),50)),'-',uniquestring(deployment().name))]"
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/deployments",
                    "name": "[variables('privateEndpointName')]",
                    "apiVersion": "2020-06-01",
                    "properties": {
                      "mode": "Incremental",
                      "expressionEvaluationOptions": {
                        "scope": "inner"
                      },
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "serviceId": {
                            "type": "string"
                          },
                          "privateEndpointSubnetId": {
                            "type": "string"
                          },
                          "subnetLocation": {
                            "type": "string"
                          }
                        },
                        "variables": {
                          "privateEndpointName": "[deployment().name]"
                        },
                        "resources": [
                          {
                            "name": "[variables('privateEndpointName')]",
                            "type": "Microsoft.Network/privateEndpoints",
                            "apiVersion": "2020-07-01",
                            "location": "[parameters('subnetLocation')]",
                            "tags": {},
                            "properties": {
                              "subnet": {
                                "id": "[parameters('privateEndpointSubnetId')]"
                              },
                              "privateLinkServiceConnections": [
                                {
                                  "name": "[variables('privateEndpointName')]",
                                  "properties": {
                                    "privateLinkServiceId": "[parameters('serviceId')]",
                                    "groupIds": [
                                      "domain"
                                    ],
                                    "requestMessage": "autoapprove"
                                  }
                                }
                              ],
                              "manualPrivateLinkServiceConnections": []
                            }
                          }
                        ]
                      },
                      "parameters": {
                        "serviceId": {
                          "value": "[parameters('serviceId')]"
                        },
                        "privateEndpointSubnetId": {
                          "value": "[parameters('privateEndpointSubnetId')]"
                        },
                        "subnetLocation": {
                          "value": "[reference(first(take(split(parameters('privateEndpointSubnetId'),'/subnets'),1)),'2020-07-01','Full').location]"
                        }
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/36f4658a-848a-467b-881c-e6fa20cf75fc",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "36f4658a-848a-467b-881c-e6fa20cf75fc"
}
BuiltIn Event Grid False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7), 'EventGrid Contributor' (1e241071-0855-49ea-94dc-649edcd759de)
{
  "properties": {
    "displayName": "Deploy - Configure Azure Event Grid topics to use private DNS zones",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use private DNS zones to override the DNS resolution for a private endpoint. Learn more at: https://aka.ms/privatednszone.",
    "metadata": {
      "version": "1.0.0",
      "category": "Event Grid"
    },
    "parameters": {
      "privateDnsZoneId": {
        "type": "String",
        "metadata": {
          "displayName": "Private DNS Zone ID",
          "description": "Specifies the private DNS zone to use to configure private endpoint",
          "strongType": "Microsoft.Network/privateDnsZones"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "deployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "deployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/privateEndpoints"
          },
          {
            "count": {
              "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
              "where": {
                "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                "equals": "topic"
              }
            },
            "greaterOrEquals": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "privateDnsZoneId": {
                    "type": "string"
                  },
                  "privateEndpointName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
                    "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
                    "apiVersion": "2020-03-01",
                    "location": "[parameters('location')]",
                    "properties": {
                      "privateDnsZoneConfigs": [
                        {
                          "name": "topic-privateDnsZone",
                          "properties": {
                            "privateDnsZoneId": "[parameters('privateDnsZoneId')]"
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "parameters": {
                "privateDnsZoneId": {
                  "value": "[parameters('privateDnsZoneId')]"
                },
                "privateEndpointName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "baf19753-7502-405f-8745-370519b20483"
}
BuiltIn Event Grid False False n/a n/a deployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7)
{
  "properties": {
    "displayName": "Deploy - Configure Azure Event Grid topics with private endpoints",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints.",
    "metadata": {
      "version": "1.0.0",
      "category": "Event Grid"
    },
    "parameters": {
      "privateEndpointSubnetId": {
        "type": "String",
        "metadata": {
          "displayName": "Private endpoint subnet id",
          "description": "Specifies the subnet to use to configure private endpoint",
          "strongType": "Microsoft.Network/virtualNetworks/subnets"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.EventGrid/topics"
          },
          {
            "field": "kind",
            "notEquals": "AzureArc"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.EventGrid/topics/privateEndpointConnections",
          "existenceCondition": {
            "field": "Microsoft.EventGrid/topics/privateEndpointConnections/privateLinkServiceConnectionState.status",
            "equals": "Approved"
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7",
            "/providers/Microsoft.Authorization/roleDefinitions/1e241071-0855-49ea-94dc-649edcd759de"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "name": {
                  "value": "[field('name')]"
                },
                "serviceId": {
                  "value": "[field('id')]"
                },
                "privateEndpointSubnetId": {
                  "value": "[parameters('privateEndpointSubnetId')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "name": {
                    "type": "string"
                  },
                  "serviceId": {
                    "type": "string"
                  },
                  "privateEndpointSubnetId": {
                    "type": "string"
                  }
                },
                "variables": {
                  "privateEndpointName": "[concat('pe-',substring(parameters('name'),0,min(length(parameters('name')),50)),'-',uniquestring(deployment().name))]"
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/deployments",
                    "name": "[variables('privateEndpointName')]",
                    "apiVersion": "2020-06-01",
                    "properties": {
                      "mode": "Incremental",
                      "expressionEvaluationOptions": {
                        "scope": "inner"
                      },
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "serviceId": {
                            "type": "string"
                          },
                          "privateEndpointSubnetId": {
                            "type": "string"
                          },
                          "subnetLocation": {
                            "type": "string"
                          }
                        },
                        "variables": {
                          "privateEndpointName": "[deployment().name]"
                        },
                        "resources": [
                          {
                            "name": "[variables('privateEndpointName')]",
                            "type": "Microsoft.Network/privateEndpoints",
                            "apiVersion": "2020-07-01",
                            "location": "[parameters('subnetLocation')]",
                            "tags": {},
                            "properties": {
                              "subnet": {
                                "id": "[parameters('privateEndpointSubnetId')]"
                              },
                              "privateLinkServiceConnections": [
                                {
                                  "name": "[variables('privateEndpointName')]",
                                  "properties": {
                                    "privateLinkServiceId": "[parameters('serviceId')]",
                                    "groupIds": [
                                      "topic"
                                    ],
                                    "requestMessage": "autoapprove"
                                  }
                                }
                              ],
                              "manualPrivateLinkServiceConnections": []
                            }
                          }
                        ]
                      },
                      "parameters": {
                        "serviceId": {
                          "value": "[parameters('serviceId')]"
                        },
                        "privateEndpointSubnetId": {
                          "value": "[parameters('privateEndpointSubnetId')]"
                        },
                        "subnetLocation": {
                          "value": "[reference(first(take(split(parameters('privateEndpointSubnetId'),'/subnets'),1)),'2020-07-01','Full').location]"
                        }
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/6fcec95c-fbdf-45e8-91e1-e3175d9c9eca",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "6fcec95c-fbdf-45e8-91e1-e3175d9c9eca"
}
BuiltIn Event Grid False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7), 'EventGrid Contributor' (1e241071-0855-49ea-94dc-649edcd759de)
{
  "properties": {
    "displayName": "Deploy - Configure Azure IoT Hubs to use private DNS zones",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Private DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to add a custom DNS solution. You can use private DNS zones to override the DNS resolution by using your own custom domain names for a private endpoint. This policy deploys a private DNS Zone for IoT Hub private endpoints.",
    "metadata": {
      "version": "1.0.0",
      "category": "Internet of Things"
    },
    "parameters": {
      "privateDnsZoneId": {
        "type": "String",
        "metadata": {
          "displayName": "Private DNS Zone ID",
          "description": "Specifies the private DNS zone to use to configure private endpoint",
          "strongType": "Microsoft.Network/privateDnsZones"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "deployIfNotExists",
          "disabled"
        ],
        "defaultValue": "deployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/privateEndpoints"
          },
          {
            "count": {
              "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
              "where": {
                "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                "equals": "iotHub"
              }
            },
            "greaterOrEquals": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7",
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "privateDnsZoneId": {
                    "type": "string"
                  },
                  "privateEndpointName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
                    "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
                    "apiVersion": "2020-03-01",
                    "location": "[parameters('location')]",
                    "properties": {
                      "privateDnsZoneConfigs": [
                        {
                          "name": "privatelink.azure-devices.net",
                          "properties": {
                            "privateDnsZoneId": "[parameters('privateDnsZoneId')]"
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "parameters": {
                "privateDnsZoneId": {
                  "value": "[parameters('privateDnsZoneId')]"
                },
                "privateEndpointName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02"
}
BuiltIn Internet of Things False False n/a n/a deployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7), 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Deploy - Configure Azure IoT Hubs with private endpoints",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "A private endpoint is a private IP address allocated inside a customer-owned virtual network via which an Azure resource is reachable. This policy deploys a private endpoint for your IoT hub to allow services inside your virtual network to reach IoT Hub without requiring traffic to be sent to IoT Hub's public endpoint.",
    "metadata": {
      "version": "1.0.0",
      "category": "Internet of Things"
    },
    "parameters": {
      "privateEndpointSubnetId": {
        "type": "String",
        "metadata": {
          "displayName": "Private endpoint subnet id",
          "description": "A subnet with private endpoint network policies disabled.",
          "strongType": "Microsoft.Network/virtualNetworks/subnets"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Devices/IotHubs"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Devices/IotHubs/PrivateEndpointConnections",
          "existenceCondition": {
            "field": "Microsoft.Devices/IotHubs/PrivateEndpointConnections/privateLinkServiceConnectionState.status",
            "equals": "Approved"
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7",
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "name": {
                  "value": "[field('name')]"
                },
                "serviceId": {
                  "value": "[field('id')]"
                },
                "privateEndpointSubnetId": {
                  "value": "[parameters('privateEndpointSubnetId')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "name": {
                    "type": "string"
                  },
                  "serviceId": {
                    "type": "string"
                  },
                  "privateEndpointSubnetId": {
                    "type": "string"
                  }
                },
                "variables": {
                  "privateEndpointName": "[concat('pe-',substring(parameters('name'),0,min(length(parameters('name')),50)),'-',uniquestring(deployment().name))]"
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/deployments",
                    "name": "[variables('privateEndpointName')]",
                    "apiVersion": "2020-06-01",
                    "properties": {
                      "mode": "Incremental",
                      "expressionEvaluationOptions": {
                        "scope": "inner"
                      },
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "serviceId": {
                            "type": "string"
                          },
                          "privateEndpointSubnetId": {
                            "type": "string"
                          },
                          "subnetLocation": {
                            "type": "string"
                          }
                        },
                        "variables": {
                          "privateEndpointName": "[deployment().name]"
                        },
                        "resources": [
                          {
                            "name": "[variables('privateEndpointName')]",
                            "type": "Microsoft.Network/privateEndpoints",
                            "apiVersion": "2020-07-01",
                            "location": "[parameters('subnetLocation')]",
                            "tags": {},
                            "properties": {
                              "subnet": {
                                "id": "[parameters('privateEndpointSubnetId')]"
                              },
                              "privateLinkServiceConnections": [
                                {
                                  "name": "[variables('privateEndpointName')]",
                                  "properties": {
                                    "privateLinkServiceId": "[parameters('serviceId')]",
                                    "groupIds": [
                                      "iotHub"
                                    ],
                                    "requestMessage": "autoapprove"
                                  }
                                }
                              ],
                              "manualPrivateLinkServiceConnections": []
                            }
                          }
                        ]
                      },
                      "parameters": {
                        "serviceId": {
                          "value": "[parameters('serviceId')]"
                        },
                        "privateEndpointSubnetId": {
                          "value": "[parameters('privateEndpointSubnetId')]"
                        },
                        "subnetLocation": {
                          "value": "[reference(first(take(split(parameters('privateEndpointSubnetId'),'/subnets'),1)),'2020-07-01','Full').location]"
                        }
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/bf684997-3909-404e-929c-d4a38ed23b2e",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "bf684997-3909-404e-929c-d4a38ed23b2e"
}
BuiltIn Internet of Things False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7), 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Deploy - Configure Dependency agent to be enabled on Windows virtual machine scale sets",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploy Dependency agent for Windows virtual machine scale sets if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them.",
    "metadata": {
      "version": "2.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "listOfImageIdToInclude": {
        "type": "Array",
        "metadata": {
          "displayName": "Optional: List of virtual machine images that have supported Windows OS to add to scope",
          "description": "Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'"
        },
        "defaultValue": []
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachineScaleSets"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Compute/imageId",
                "in": "[parameters('listOfImageIdToInclude')]"
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "WindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "in": [
                      "2008-R2-SP1",
                      "2008-R2-SP1-smalldisk",
                      "2012-Datacenter",
                      "2012-Datacenter-smalldisk",
                      "2012-R2-Datacenter",
                      "2012-R2-Datacenter-smalldisk",
                      "2016-Datacenter",
                      "2016-Datacenter-Server-Core",
                      "2016-Datacenter-Server-Core-smalldisk",
                      "2016-Datacenter-smalldisk",
                      "2016-Datacenter-with-Containers",
                      "2016-Datacenter-with-RDSH",
                      "2019-Datacenter",
                      "2019-Datacenter-Core",
                      "2019-Datacenter-Core-smalldisk",
                      "2019-Datacenter-Core-with-Containers",
                      "2019-Datacenter-Core-with-Containers-smalldisk",
                      "2019-Datacenter-smalldisk",
                      "2019-Datacenter-with-Containers",
                      "2019-Datacenter-with-Containers-smalldisk",
                      "2019-Datacenter-zhcn"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "WindowsServerSemiAnnual"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "in": [
                      "Datacenter-Core-1709-smalldisk",
                      "Datacenter-Core-1709-with-Containers-smalldisk",
                      "Datacenter-Core-1803-with-Containers-smalldisk"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServerHPCPack"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "WindowsServerHPCPack"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftSQLServer"
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2016"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2016-BYOL"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2012R2"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2012R2-BYOL"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftRServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "MLServer-WS2016"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftVisualStudio"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "VisualStudio",
                      "Windows"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftDynamicsAX"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Dynamics"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "equals": "Pre-Req-AX7-Onebox-U8"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftDynamicsAX"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Dynamics"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "equals": "Pre-Req-AX7-Onebox-V4"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "microsoft-ads"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "windows-data-science-vm"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsDesktop"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Windows-10"
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Compute/virtualMachineScaleSets/extensions",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
          ],
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/type",
                "equals": "DependencyAgentWindows"
              },
              {
                "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/publisher",
                "equals": "Microsoft.Azure.Monitoring.DependencyAgent"
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "variables": {
                  "vmExtensionName": "DependencyAgentWindows",
                  "vmExtensionPublisher": "Microsoft.Azure.Monitoring.DependencyAgent",
                  "vmExtensionType": "DependencyAgentWindows",
                  "vmExtensionTypeHandlerVersion": "9.7"
                },
                "resources": [
                  {
                    "type": "Microsoft.Compute/virtualMachineScaleSets/extensions",
                    "name": "[concat(parameters('vmName'), '/', variables('vmExtensionName'))]",
                    "apiVersion": "2018-06-01",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "[variables('vmExtensionPublisher')]",
                      "type": "[variables('vmExtensionType')]",
                      "typeHandlerVersion": "[variables('vmExtensionTypeHandlerVersion')]",
                      "autoUpgradeMinorVersion": true
                    }
                  }
                ],
                "outputs": {
                  "policy": {
                    "type": "string",
                    "value": "[concat('Enabled extension for: ', parameters('vmName'))]"
                  }
                }
              },
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/3be22e3b-d919-47aa-805e-8985dbeb0ad9",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "3be22e3b-d919-47aa-805e-8985dbeb0ad9"
}
BuiltIn Monitoring False False n/a n/a DeployIfNotExists false 0 n/a true 1 Enable Azure Monitor for Virtual Machine Scale Sets (/providers/microsoft.authorization/policysetdefinitions/75714362-cae7-409e-9b99-a8e5075b7fad) 'Virtual Machine Contributor' (9980e02c-c2be-4d73-94e8-173b1dc7cf3c)
{
  "properties": {
    "displayName": "Deploy - Configure Dependency agent to be enabled on Windows virtual machines",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploy Dependency agent for Windows virtual machines if the virtual machine image is in the list defined and the agent is not installed.",
    "metadata": {
      "version": "2.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "listOfImageIdToInclude": {
        "type": "Array",
        "metadata": {
          "displayName": "Optional: List of virtual machine images that have supported Windows OS to add to scope",
          "description": "Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'"
        },
        "defaultValue": []
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Compute/imageId",
                "in": "[parameters('listOfImageIdToInclude')]"
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "WindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "in": [
                      "2008-R2-SP1",
                      "2008-R2-SP1-smalldisk",
                      "2012-Datacenter",
                      "2012-Datacenter-smalldisk",
                      "2012-R2-Datacenter",
                      "2012-R2-Datacenter-smalldisk",
                      "2016-Datacenter",
                      "2016-Datacenter-Server-Core",
                      "2016-Datacenter-Server-Core-smalldisk",
                      "2016-Datacenter-smalldisk",
                      "2016-Datacenter-with-Containers",
                      "2016-Datacenter-with-RDSH",
                      "2019-Datacenter",
                      "2019-Datacenter-Core",
                      "2019-Datacenter-Core-smalldisk",
                      "2019-Datacenter-Core-with-Containers",
                      "2019-Datacenter-Core-with-Containers-smalldisk",
                      "2019-Datacenter-smalldisk",
                      "2019-Datacenter-with-Containers",
                      "2019-Datacenter-with-Containers-smalldisk",
                      "2019-Datacenter-zhcn"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "WindowsServerSemiAnnual"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "in": [
                      "Datacenter-Core-1709-smalldisk",
                      "Datacenter-Core-1709-with-Containers-smalldisk",
                      "Datacenter-Core-1803-with-Containers-smalldisk"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServerHPCPack"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "WindowsServerHPCPack"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftSQLServer"
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2016"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2016-BYOL"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2012R2"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2012R2-BYOL"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftRServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "MLServer-WS2016"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftVisualStudio"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "VisualStudio",
                      "Windows"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftDynamicsAX"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Dynamics"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "equals": "Pre-Req-AX7-Onebox-U8"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftDynamicsAX"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Dynamics"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "equals": "Pre-Req-AX7-Onebox-V4"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "microsoft-ads"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "windows-data-science-vm"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsDesktop"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Windows-10"
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Compute/virtualMachines/extensions",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/type",
                "equals": "DependencyAgentWindows"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                "equals": "Microsoft.Azure.Monitoring.DependencyAgent"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",
                "equals": "Succeeded"
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "variables": {
                  "vmExtensionName": "DependencyAgentWindows",
                  "vmExtensionPublisher": "Microsoft.Azure.Monitoring.DependencyAgent",
                  "vmExtensionType": "DependencyAgentWindows",
                  "vmExtensionTypeHandlerVersion": "9.6"
                },
                "resources": [
                  {
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "name": "[concat(parameters('vmName'), '/', variables('vmExtensionName'))]",
                    "apiVersion": "2018-06-01",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "[variables('vmExtensionPublisher')]",
                      "type": "[variables('vmExtensionType')]",
                      "typeHandlerVersion": "[variables('vmExtensionTypeHandlerVersion')]",
                      "autoUpgradeMinorVersion": true
                    }
                  }
                ],
                "outputs": {
                  "policy": {
                    "type": "string",
                    "value": "[concat('Enabled extension for VM', ': ', parameters('vmName'))]"
                  }
                }
              },
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/1c210e94-a481-4beb-95fa-1571b434fb04",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "1c210e94-a481-4beb-95fa-1571b434fb04"
}
BuiltIn Monitoring False False n/a n/a DeployIfNotExists false 0 n/a true 1 Enable Azure Monitor for VMs (/providers/microsoft.authorization/policysetdefinitions/55f3eceb-5573-4f18-9695-226972c6d74a) 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy - Configure diagnostic settings for Azure Key Vault to Log Analytics workspace",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploys the diagnostic settings for Azure Key Vault to stream resource logs to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated.",
    "metadata": {
      "version": "1.0.1",
      "category": "Key Vault"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "diagnosticsSettingNameToUse": {
        "type": "String",
        "metadata": {
          "displayName": "Setting name",
          "description": "Name of the diagnostic settings."
        },
        "defaultValue": "AzureKeyVaultDiagnosticsLogsToWorkspace"
      },
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Specify the Log Analytics workspace the Key Vault should be connected to.",
          "strongType": "omsWorkspace",
          "assignPermissions": true
        }
      },
      "AuditEventEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "AuditEvent - Enabled",
          "description": "Whether to stream AuditEvent logs to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "AllMetricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "AllMetrics - Enabled",
          "description": "Whether to stream AllMetrics logs to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.KeyVault/vaults"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "existenceCondition": {
            "allOf": [
              {
                "anyof": [
                  {
                    "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                    "equals": "True"
                  },
                  {
                    "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                    "equals": "True"
                  }
                ]
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "diagnosticsSettingNameToUse": {
                    "type": "string"
                  },
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "AuditEventEnabled": {
                    "type": "string"
                  },
                  "AllMetricsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.KeyVault/vaults/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('diagnosticsSettingNameToUse'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('AllMetricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": [
                        {
                          "category": "AuditEvent",
                          "enabled": "[parameters('AuditEventEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "diagnosticsSettingNameToUse": {
                  "value": "[parameters('diagnosticsSettingNameToUse')]"
                },
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "AuditEventEnabled": {
                  "value": "[parameters('AuditEventEnabled')]"
                },
                "AllMetricsEnabled": {
                  "value": "[parameters('AllMetricsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/951af2fa-529b-416e-ab6e-066fd85ac459",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "951af2fa-529b-416e-ab6e-066fd85ac459"
}
BuiltIn Key Vault False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy - Configure diagnostic settings for Azure Kubernetes Service to Log Analytics workspace",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploys the diagnostic settings for Azure Kubernetes Service to stream resource logs to a Log Analytics workspace.",
    "metadata": {
      "version": "1.0.0",
      "category": "Kubernetes"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "diagnosticsSettingNameToUse": {
        "type": "String",
        "metadata": {
          "displayName": "Setting name",
          "description": "Name of the diagnostic settings."
        },
        "defaultValue": "AzureKubernetesDiagnosticsLogsToWorkspace"
      },
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Specify the Log Analytics workspace the Azure Kubernetes Service should be connected to",
          "strongType": "omsWorkspace",
          "assignPermissions": true
        }
      },
      "AllMetrics": {
        "type": "String",
        "metadata": {
          "displayName": "AllMetrics - Enabled",
          "description": "Whether to stream AllMetrics logs to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "kube-apiserver": {
        "type": "String",
        "metadata": {
          "displayName": "kube-apiserver - Enabled",
          "description": "Whether to stream kube-apiserver logs to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "kube-audit": {
        "type": "String",
        "metadata": {
          "displayName": "kube-audit - Enabled",
          "description": "Whether to stream kube-audit logs to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "kube-controller-manager": {
        "type": "String",
        "metadata": {
          "displayName": "kube-controller-manager - Enabled",
          "description": "Whether to stream kube-controller-manager logs to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "kube-scheduler": {
        "type": "String",
        "metadata": {
          "displayName": "kube-scheduler - Enabled",
          "description": "Whether to stream kube-scheduler logs to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "cluster-autoscaler": {
        "type": "String",
        "metadata": {
          "displayName": "cluster-autoscaler - Enabled",
          "description": "Whether to stream cluster-autoscaler logs to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "kube-audit-admin": {
        "type": "String",
        "metadata": {
          "displayName": "kube-audit-admin - Enabled",
          "description": "Whether to stream kube-audit-admin logs to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "guard": {
        "type": "String",
        "metadata": {
          "displayName": "guard - Enabled",
          "description": "Whether to stream guard logs to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.ContainerService/managedClusters"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "True"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "True"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "diagnosticsSettingNameToUse": {
                    "type": "string"
                  },
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "AllMetrics": {
                    "type": "string"
                  },
                  "kube-apiserver": {
                    "type": "string"
                  },
                  "kube-audit": {
                    "type": "string"
                  },
                  "kube-controller-manager": {
                    "type": "string"
                  },
                  "kube-scheduler": {
                    "type": "string"
                  },
                  "cluster-autoscaler": {
                    "type": "string"
                  },
                  "kube-audit-admin": {
                    "type": "string"
                  },
                  "guard": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.ContainerService/managedClusters/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('diagnosticsSettingNameToUse'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('AllMetrics')]"
                        }
                      ],
                      "logs": [
                        {
                          "category": "kube-apiserver",
                          "enabled": "[parameters('kube-apiserver')]"
                        },
                        {
                          "category": "kube-audit",
                          "enabled": "[parameters('kube-audit')]"
                        },
                        {
                          "category": "kube-controller-manager",
                          "enabled": "[parameters('kube-controller-manager')]"
                        },
                        {
                          "category": "kube-scheduler",
                          "enabled": "[parameters('kube-scheduler')]"
                        },
                        {
                          "category": "cluster-autoscaler",
                          "enabled": "[parameters('cluster-autoscaler')]"
                        },
                        {
                          "category": "kube-audit-admin",
                          "enabled": "[parameters('kube-audit-admin')]"
                        },
                        {
                          "category": "guard",
                          "enabled": "[parameters('guard')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "diagnosticsSettingNameToUse": {
                  "value": "[parameters('diagnosticsSettingNameToUse')]"
                },
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "guard": {
                  "value": "[parameters('guard')]"
                },
                "AllMetrics": {
                  "value": "[parameters('AllMetrics')]"
                },
                "kube-apiserver": {
                  "value": "[parameters('kube-apiserver')]"
                },
                "kube-audit": {
                  "value": "[parameters('kube-audit')]"
                },
                "kube-scheduler": {
                  "value": "[parameters('kube-scheduler')]"
                },
                "kube-controller-manager": {
                  "value": "[parameters('kube-controller-manager')]"
                },
                "cluster-autoscaler": {
                  "value": "[parameters('cluster-autoscaler')]"
                },
                "kube-audit-admin": {
                  "value": "[parameters('kube-audit-admin')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "6c66c325-74c8-42fd-a286-a74b0e2939d8"
}
BuiltIn Kubernetes False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploys the diagnostic settings for SQL Databases to stream resource logs to a Log Analytics workspace when any SQL Database which is missing this diagnostic settings is created or updated.",
    "metadata": {
      "version": "1.0.1",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "diagnosticsSettingNameToUse": {
        "type": "String",
        "metadata": {
          "displayName": "Setting name",
          "description": "Name of the diagnostic settings."
        },
        "defaultValue": "SQLDatabaseDiagnosticsLogsToWorkspace"
      },
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select the Log Analytics workspace from dropdown list",
          "strongType": "omsWorkspace",
          "assignPermissions": true
        }
      },
      "QueryStoreRuntimeStatisticsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "QueryStoreRuntimeStatistics - Enabled",
          "description": "Whether to stream QueryStoreRuntimeStatistics logs to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "QueryStoreWaitStatisticsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "QueryStoreWaitStatistics - Enabled",
          "description": "Whether to stream QueryStoreWaitStatistics logs to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "ErrorsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Errors - Enabled",
          "description": "Whether to stream Errors logs to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "DatabaseWaitStatisticsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "DatabaseWaitStatistics - Enabled",
          "description": "Whether to stream DatabaseWaitStatistics logs to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "BlocksEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Blocks - Enabled",
          "description": "Whether to stream Blocks logs to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "SQLInsightsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "SQLInsights - Enabled",
          "description": "Whether to stream SQLInsights logs to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "SQLSecurityAuditEventsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "SQLSecurityAuditEvents - Enabled",
          "description": "Whether to stream SQLSecurityAuditEvents logs to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "TimeoutsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Timeouts - Enabled",
          "description": "Whether to stream Timeouts logs to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "AutomaticTuningEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "AutomaticTuning - Enabled",
          "description": "Whether to stream AutomaticTuning logs to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "DeadlocksEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Deadlocks - Enabled",
          "description": "Whether to stream Deadlocks logs to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "Basic": {
        "type": "String",
        "metadata": {
          "displayName": "Basic (metric) - Enabled",
          "description": "Whether to stream Basic metrics to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "InstanceAndAppAdvanced": {
        "type": "String",
        "metadata": {
          "displayName": "InstanceAndAppAdvanced (metric) - Enabled",
          "description": "Whether to stream InstanceAndAppAdvanced metrics to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "WorkloadManagement": {
        "type": "String",
        "metadata": {
          "displayName": "WorkloadManagement (metric) - Enabled",
          "description": "Whether to stream WorkloadManagement metrics to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Sql/servers/databases"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "True"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "True"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "matchInsensitively": "[parameters('logAnalytics')]"
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "diagnosticsSettingNameToUse": {
                    "type": "string"
                  },
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "Basic": {
                    "type": "string"
                  },
                  "InstanceAndAppAdvanced": {
                    "type": "string"
                  },
                  "WorkloadManagement": {
                    "type": "string"
                  },
                  "QueryStoreRuntimeStatisticsEnabled": {
                    "type": "string"
                  },
                  "QueryStoreWaitStatisticsEnabled": {
                    "type": "string"
                  },
                  "ErrorsEnabled": {
                    "type": "string"
                  },
                  "DatabaseWaitStatisticsEnabled": {
                    "type": "string"
                  },
                  "BlocksEnabled": {
                    "type": "string"
                  },
                  "SQLInsightsEnabled": {
                    "type": "string"
                  },
                  "SQLSecurityAuditEventsEnabled": {
                    "type": "string"
                  },
                  "TimeoutsEnabled": {
                    "type": "string"
                  },
                  "AutomaticTuningEnabled": {
                    "type": "string"
                  },
                  "DeadlocksEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Sql/servers/databases/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('diagnosticsSettingNameToUse'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "Basic",
                          "enabled": "[parameters('Basic')]"
                        },
                        {
                          "category": "InstanceAndAppAdvanced",
                          "enabled": "[parameters('InstanceAndAppAdvanced')]"
                        },
                        {
                          "category": "WorkloadManagement",
                          "enabled": "[parameters('WorkloadManagement')]"
                        }
                      ],
                      "logs": [
                        {
                          "category": "SQLInsights",
                          "enabled": "[parameters('SQLInsightsEnabled')]"
                        },
                        {
                          "category": "AutomaticTuning",
                          "enabled": "[parameters('AutomaticTuningEnabled')]"
                        },
                        {
                          "category": "QueryStoreRuntimeStatistics",
                          "enabled": "[parameters('QueryStoreRuntimeStatisticsEnabled')]"
                        },
                        {
                          "category": "QueryStoreWaitStatistics",
                          "enabled": "[parameters('QueryStoreWaitStatisticsEnabled')]"
                        },
                        {
                          "category": "Errors",
                          "enabled": "[parameters('ErrorsEnabled')]"
                        },
                        {
                          "category": "DatabaseWaitStatistics",
                          "enabled": "[parameters('DatabaseWaitStatisticsEnabled')]"
                        },
                        {
                          "category": "Timeouts",
                          "enabled": "[parameters('TimeoutsEnabled')]"
                        },
                        {
                          "category": "Blocks",
                          "enabled": "[parameters('BlocksEnabled')]"
                        },
                        {
                          "category": "Deadlocks",
                          "enabled": "[parameters('DeadlocksEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "Basic": {
                  "value": "[parameters('Basic')]"
                },
                "InstanceAndAppAdvanced": {
                  "value": "[parameters('InstanceAndAppAdvanced')]"
                },
                "diagnosticsSettingNameToUse": {
                  "value": "[parameters('diagnosticsSettingNameToUse')]"
                },
                "WorkloadManagement": {
                  "value": "[parameters('WorkloadManagement')]"
                },
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('fullName')]"
                },
                "QueryStoreRuntimeStatisticsEnabled": {
                  "value": "[parameters('QueryStoreRuntimeStatisticsEnabled')]"
                },
                "QueryStoreWaitStatisticsEnabled": {
                  "value": "[parameters('QueryStoreWaitStatisticsEnabled')]"
                },
                "ErrorsEnabled": {
                  "value": "[parameters('ErrorsEnabled')]"
                },
                "DatabaseWaitStatisticsEnabled": {
                  "value": "[parameters('DatabaseWaitStatisticsEnabled')]"
                },
                "BlocksEnabled": {
                  "value": "[parameters('BlocksEnabled')]"
                },
                "SQLInsightsEnabled": {
                  "value": "[parameters('SQLInsightsEnabled')]"
                },
                "SQLSecurityAuditEventsEnabled": {
                  "value": "[parameters('SQLSecurityAuditEventsEnabled')]"
                },
                "TimeoutsEnabled": {
                  "value": "[parameters('TimeoutsEnabled')]"
                },
                "AutomaticTuningEnabled": {
                  "value": "[parameters('AutomaticTuningEnabled')]"
                },
                "DeadlocksEnabled": {
                  "value": "[parameters('DeadlocksEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b79fa14e-238a-4c2d-b376-442ce508fc84"
}
BuiltIn SQL False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy - Configure diagnostic settings to a Log Analytics workspace to be enabled on Azure Key Vault Managed HSM",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploys the diagnostic settings for Azure Key Vault Managed HSM to stream to a regional Log Analytics workspace when any Azure Key Vault Managed HSM which is missing this diagnostic settings is created or updated.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy_logAnalytics"
      },
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Specify the Log Analytics workspace to send log to. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace",
          "assignPermissions": true
        }
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "False"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.KeyVault/managedHsms"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "[parameters('logsEnabled')]"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "[parameters('metricsEnabled')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.KeyVault/managedHsms/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "enabled": false,
                            "days": 0
                          }
                        }
                      ],
                      "logs": [
                        {
                          "category": "AuditEvent",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/b3884c81-31aa-473d-a9bb-9466fe0ec2a0",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b3884c81-31aa-473d-a9bb-9466fe0ec2a0"
}
BuiltIn Monitoring False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy - Configure diagnostic settings to an Event Hub to be enabled on Azure Key Vault Managed HSM",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploys the diagnostic settings for Azure Key Vault Managed HSM to stream to a regional Event Hub when any Azure Key Vault Managed HSM which is missing this diagnostic settings is created or updated.",
    "metadata": {
      "version": "1.0.0",
      "category": "Key Vault"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "eventHubRuleId": {
        "type": "String",
        "metadata": {
          "displayName": "Event Hub Authorization Rule Id",
          "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
          "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
          "assignPermissions": true
        }
      },
      "eventHubLocation": {
        "type": "String",
        "metadata": {
          "displayName": "Event Hub Location",
          "description": "The location the Event Hub resides in. Only Azure Key Vault Managed HSMs in this location will be linked to this Event Hub.",
          "strongType": "location"
        },
        "defaultValue": ""
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Event Hub - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "False"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Event Hub  - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault/managedHsms"
          },
          {
            "anyOf": [
              {
                "value": "[parameters('eventHubLocation')]",
                "equals": ""
              },
              {
                "field": "location",
                "equals": "[parameters('eventHubLocation')]"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "[parameters('logsEnabled')]"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "[parameters('metricsEnabled')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "hsmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "eventHubRuleId": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "type": "Microsoft.KeyVault/managedHsms/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('hsmName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "enabled": false,
                            "days": 0
                          }
                        }
                      ],
                      "logs": [
                        {
                          "category": "AuditEvent",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {
                  "policy": {
                    "type": "string",
                    "value": "[concat('Enabled diagnostic settings for ', parameters('hsmName'))]"
                  }
                }
              },
              "parameters": {
                "location": {
                  "value": "[field('location')]"
                },
                "hsmName": {
                  "value": "[field('name')]"
                },
                "eventHubRuleId": {
                  "value": "[parameters('eventHubRuleId')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/a6d2c800-5230-4a40-bff3-8268b4987d42",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "a6d2c800-5230-4a40-bff3-8268b4987d42"
}
BuiltIn Key Vault False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Deploy - Configure Log Analytics agent to be enabled on Windows virtual machine scale sets",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploy Log Analytics agent for Windows virtual machine scale sets if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machine in the set by updating them.",
    "metadata": {
      "version": "2.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Log Analytics workspace is used to receive performance data. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace",
          "assignPermissions": true
        }
      },
      "listOfImageIdToInclude": {
        "type": "Array",
        "metadata": {
          "displayName": "Optional: List of virtual machine images that have supported Windows OS to add to scope",
          "description": "Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'"
        },
        "defaultValue": []
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachineScaleSets"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Compute/imageId",
                "in": "[parameters('listOfImageIdToInclude')]"
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "WindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "in": [
                      "2008-R2-SP1",
                      "2008-R2-SP1-smalldisk",
                      "2012-Datacenter",
                      "2012-Datacenter-smalldisk",
                      "2012-R2-Datacenter",
                      "2012-R2-Datacenter-smalldisk",
                      "2016-Datacenter",
                      "2016-Datacenter-Server-Core",
                      "2016-Datacenter-Server-Core-smalldisk",
                      "2016-Datacenter-smalldisk",
                      "2016-Datacenter-with-Containers",
                      "2016-Datacenter-with-RDSH",
                      "2019-Datacenter",
                      "2019-Datacenter-Core",
                      "2019-Datacenter-Core-smalldisk",
                      "2019-Datacenter-Core-with-Containers",
                      "2019-Datacenter-Core-with-Containers-smalldisk",
                      "2019-Datacenter-smalldisk",
                      "2019-Datacenter-with-Containers",
                      "2019-Datacenter-with-Containers-smalldisk",
                      "2019-Datacenter-zhcn"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "WindowsServerSemiAnnual"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "in": [
                      "Datacenter-Core-1709-smalldisk",
                      "Datacenter-Core-1709-with-Containers-smalldisk",
                      "Datacenter-Core-1803-with-Containers-smalldisk"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServerHPCPack"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "WindowsServerHPCPack"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftSQLServer"
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2016"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2016-BYOL"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2012R2"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2012R2-BYOL"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftRServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "MLServer-WS2016"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftVisualStudio"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "VisualStudio",
                      "Windows"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftDynamicsAX"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Dynamics"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "equals": "Pre-Req-AX7-Onebox-U8"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftDynamicsAX"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Dynamics"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "equals": "Pre-Req-AX7-Onebox-V4"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "microsoft-ads"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "windows-data-science-vm"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsDesktop"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Windows-10"
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Compute/virtualMachineScaleSets/extensions",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
            "/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
          ],
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/type",
                "equals": "MicrosoftMonitoringAgent"
              },
              {
                "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/publisher",
                "equals": "Microsoft.EnterpriseCloud.Monitoring"
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  }
                },
                "variables": {
                  "vmExtensionName": "MicrosoftMonitoringAgent",
                  "vmExtensionPublisher": "Microsoft.EnterpriseCloud.Monitoring",
                  "vmExtensionType": "MicrosoftMonitoringAgent",
                  "vmExtensionTypeHandlerVersion": "1.0"
                },
                "resources": [
                  {
                    "name": "[concat(parameters('vmName'), '/', variables('vmExtensionName'))]",
                    "type": "Microsoft.Compute/virtualMachineScaleSets/extensions",
                    "location": "[parameters('location')]",
                    "apiVersion": "2018-06-01",
                    "properties": {
                      "publisher": "[variables('vmExtensionPublisher')]",
                      "type": "[variables('vmExtensionType')]",
                      "typeHandlerVersion": "[variables('vmExtensionTypeHandlerVersion')]",
                      "autoUpgradeMinorVersion": true,
                      "settings": {
                        "workspaceId": "[reference(parameters('logAnalytics'), '2015-03-20').customerId]",
                        "stopOnMultipleConnections": "true"
                      },
                      "protectedSettings": {
                        "workspaceKey": "[listKeys(parameters('logAnalytics'), '2015-03-20').primarySharedKey]"
                      }
                    }
                  }
                ],
                "outputs": {
                  "policy": {
                    "type": "string",
                    "value": "[concat('Enabled extension for: ', parameters('vmName'))]"
                  }
                }
              },
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/3c1b3629-c8f8-4bf6-862c-037cb9094038",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "3c1b3629-c8f8-4bf6-862c-037cb9094038"
}
BuiltIn Monitoring False False n/a n/a DeployIfNotExists false 0 n/a true 1 Enable Azure Monitor for Virtual Machine Scale Sets (/providers/microsoft.authorization/policysetdefinitions/75714362-cae7-409e-9b99-a8e5075b7fad) 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293), 'Virtual Machine Contributor' (9980e02c-c2be-4d73-94e8-173b1dc7cf3c)
{
  "properties": {
    "displayName": "Deploy - Configure Log Analytics agent to be enabled on Windows virtual machines",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploy Log Analytics agent for Windows virtual machines if the virtual machine image is in the list defined and the agent is not installed.",
    "metadata": {
      "version": "2.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Log Analytics workspace is used to receive performance data. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace",
          "assignPermissions": true
        }
      },
      "listOfImageIdToInclude": {
        "type": "Array",
        "metadata": {
          "displayName": "Optional: List of virtual machine images that have supported Windows OS to add to scope",
          "description": "Example values: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'"
        },
        "defaultValue": []
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Compute/imageId",
                "in": "[parameters('listOfImageIdToInclude')]"
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "WindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "in": [
                      "2008-R2-SP1",
                      "2008-R2-SP1-smalldisk",
                      "2012-Datacenter",
                      "2012-Datacenter-smalldisk",
                      "2012-R2-Datacenter",
                      "2012-R2-Datacenter-smalldisk",
                      "2016-Datacenter",
                      "2016-Datacenter-Server-Core",
                      "2016-Datacenter-Server-Core-smalldisk",
                      "2016-Datacenter-smalldisk",
                      "2016-Datacenter-with-Containers",
                      "2016-Datacenter-with-RDSH",
                      "2019-Datacenter",
                      "2019-Datacenter-Core",
                      "2019-Datacenter-Core-smalldisk",
                      "2019-Datacenter-Core-with-Containers",
                      "2019-Datacenter-Core-with-Containers-smalldisk",
                      "2019-Datacenter-smalldisk",
                      "2019-Datacenter-with-Containers",
                      "2019-Datacenter-with-Containers-smalldisk",
                      "2019-Datacenter-zhcn"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "WindowsServerSemiAnnual"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "in": [
                      "Datacenter-Core-1709-smalldisk",
                      "Datacenter-Core-1709-with-Containers-smalldisk",
                      "Datacenter-Core-1803-with-Containers-smalldisk"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServerHPCPack"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "WindowsServerHPCPack"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftSQLServer"
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2016"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2016-BYOL"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2012R2"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2012R2-BYOL"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftRServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "MLServer-WS2016"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftVisualStudio"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "VisualStudio",
                      "Windows"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftDynamicsAX"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Dynamics"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "equals": "Pre-Req-AX7-Onebox-U8"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftDynamicsAX"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Dynamics"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "equals": "Pre-Req-AX7-Onebox-V4"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "microsoft-ads"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "windows-data-science-vm"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsDesktop"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Windows-10"
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Compute/virtualMachines/extensions",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/type",
                "equals": "MicrosoftMonitoringAgent"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                "equals": "Microsoft.EnterpriseCloud.Monitoring"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",
                "equals": "Succeeded"
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  }
                },
                "variables": {
                  "vmExtensionName": "MicrosoftMonitoringAgent",
                  "vmExtensionPublisher": "Microsoft.EnterpriseCloud.Monitoring",
                  "vmExtensionType": "MicrosoftMonitoringAgent",
                  "vmExtensionTypeHandlerVersion": "1.0"
                },
                "resources": [
                  {
                    "name": "[concat(parameters('vmName'), '/', variables('vmExtensionName'))]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "apiVersion": "2018-06-01",
                    "properties": {
                      "publisher": "[variables('vmExtensionPublisher')]",
                      "type": "[variables('vmExtensionType')]",
                      "typeHandlerVersion": "[variables('vmExtensionTypeHandlerVersion')]",
                      "autoUpgradeMinorVersion": true,
                      "settings": {
                        "workspaceId": "[reference(parameters('logAnalytics'), '2015-03-20').customerId]",
                        "stopOnMultipleConnections": "true"
                      },
                      "protectedSettings": {
                        "workspaceKey": "[listKeys(parameters('logAnalytics'), '2015-03-20').primarySharedKey]"
                      }
                    }
                  }
                ],
                "outputs": {
                  "policy": {
                    "type": "string",
                    "value": "[concat('Enabled extension for VM', ': ', parameters('vmName'))]"
                  }
                }
              },
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0868462e-646c-4fe3-9ced-a733534b6a2c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0868462e-646c-4fe3-9ced-a733534b6a2c"
}
BuiltIn Monitoring False False n/a n/a DeployIfNotExists false 0 n/a true 1 Enable Azure Monitor for VMs (/providers/microsoft.authorization/policysetdefinitions/55f3eceb-5573-4f18-9695-226972c6d74a) 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy - Configure private DNS zones for private endpoints connect to Azure SignalR Service",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure SignalR Service resource. Learn more at: https://aka.ms/asrs/privatelink.",
    "metadata": {
      "version": "1.0.0",
      "category": "SignalR"
    },
    "parameters": {
      "privateDnsZoneId": {
        "type": "String",
        "metadata": {
          "displayName": "Private DNS Zone Id",
          "description": "Private DNS zone to integrate with private endpoint.",
          "strongType": "Microsoft.Network/privateDnsZones"
        },
        "defaultValue": "privatelink.service.signalr.net"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/privateEndpoints"
          },
          {
            "count": {
              "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
              "where": {
                "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                "equals": "signalr"
              }
            },
            "greaterOrEquals": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "privateDnsZoneId": {
                    "type": "string"
                  },
                  "privateEndpointName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
                    "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
                    "apiVersion": "2020-03-01",
                    "location": "[parameters('location')]",
                    "properties": {
                      "privateDnsZoneConfigs": [
                        {
                          "name": "privatelink-service-signalr-net",
                          "properties": {
                            "privateDnsZoneId": "[parameters('privateDnsZoneId')]"
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "parameters": {
                "privateDnsZoneId": {
                  "value": "[parameters('privateDnsZoneId')]"
                },
                "privateEndpointName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b0e86710-7fb7-4a6c-a064-32e9b829509e"
}
BuiltIn SignalR False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7)
{
  "properties": {
    "displayName": "Deploy - Configure private DNS zones for private endpoints that connect to Batch accounts",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Private DNS records allow private connections to private endpoints. Private endpoint connections allow secure communication by enabling private connectivity to Batch accounts without a need for public IP addresses at the source or destination. For more information on private endpoints and DNS zones in Batch, see https://docs.microsoft.com/azure/batch/private-connectivity.",
    "metadata": {
      "version": "1.0.0",
      "category": "Batch"
    },
    "parameters": {
      "privateDnsZoneId": {
        "type": "String",
        "metadata": {
          "displayName": "Private DNS Zone",
          "strongType": "Microsoft.Network/privateDnsZones",
          "description": "The private DNS zone to deploy in a new private DNS zone group and link to the private endpoint"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/privateEndpoints"
          },
          {
            "count": {
              "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
              "where": {
                "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                "equals": "batchAccount"
              }
            },
            "greaterOrEquals": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "privateDnsZoneId": {
                    "type": "string"
                  },
                  "privateEndpointName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
                    "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
                    "apiVersion": "2020-03-01",
                    "location": "[parameters('location')]",
                    "properties": {
                      "privateDnsZoneConfigs": [
                        {
                          "name": "batchAccount-privateDnsZone",
                          "properties": {
                            "privateDnsZoneId": "[parameters('privateDnsZoneId')]"
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "parameters": {
                "privateDnsZoneId": {
                  "value": "[parameters('privateDnsZoneId')]"
                },
                "privateEndpointName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "4ec38ebc-381f-45ee-81a4-acbc4be878f8"
}
BuiltIn Batch False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7)
{
  "properties": {
    "displayName": "Deploy - Configure suppression rules for Azure Security Center alerts",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Suppress Azure Security Center alerts to reduce alerts fatigue by deploying suppression rules on your management group or subscription.",
    "metadata": {
      "category": "Security Center",
      "version": "1.0.0"
    },
    "parameters": {
      "alertType": {
        "type": "String",
        "metadata": {
          "displayName": "Alert Type",
          "description": "Enter the alert type field of the alert you would like to suppress. Alert type could be queried via alerts api or PowerShell, learn more at https://aka.ms/asc-alertsPwoershell"
        }
      },
      "suppressionRuleName": {
        "type": "String",
        "metadata": {
          "displayName": "Rule name",
          "description": "Rule names must begin with a letter or a number, be between 2 and 50 characters, and contain no symbols other than dashes ( - ) or underscores ( _ )"
        }
      },
      "state": {
        "type": "String",
        "metadata": {
          "displayName": "State"
        },
        "allowedValues": [
          "Enabled",
          "Disabled"
        ],
        "defaultValue": "Enabled"
      },
      "reason": {
        "type": "String",
        "metadata": {
          "displayName": "Reason"
        },
        "allowedValues": [
          "The severity of the alert should be lower",
          "The alert detecting too many normal activities",
          "The alert is too noisy - hitting on the same resources too many times",
          "The resource isn't relevant for me to monitor",
          "The alert detecting normal activity on specific entity",
          "The alert isn't actionable - not clear how to investigate the threat",
          "Other"
        ]
      },
      "comment": {
        "type": "String",
        "metadata": {
          "displayName": "Comment"
        },
        "defaultValue": ""
      },
      "expirationDate": {
        "type": "DateTime",
        "metadata": {
          "displayName": "Expiration date"
        }
      },
      "entityOneType": {
        "type": "String",
        "metadata": {
          "displayName": "First entity type",
          "description": "To refine the suppression rules to suppress alerts only for specific entities, enter the type of the entity you would like to suppress. Only alerts containing all of the entities defined in the rule will be suppressed (alerts without entities will be suppressed entirely)."
        },
        "allowedValues": [
          "User account - name",
          "User account - AAD user ID",
          "User account - UPN suffix",
          "Azure resource ID",
          "File - name",
          "File - directory",
          "File hash",
          "Host - name",
          "Host - Azure ID",
          "Host - DNS Domain",
          "Host - OMS agent ID",
          "IP address",
          "Malware - name",
          "Malware - category",
          "Process - command line",
          ""
        ],
        "defaultValue": ""
      },
      "entityOneOp": {
        "type": "String",
        "metadata": {
          "displayName": "First entity operation"
        },
        "allowedValues": [
          "Equals",
          "Contains",
          ""
        ],
        "defaultValue": ""
      },
      "entityOneValue": {
        "type": "String",
        "metadata": {
          "displayName": "First entity value",
          "description": "The value of the entity. Only alerts containing all of the entities defined in the rule will be suppressed (alerts without entities will be suppressed entirely)."
        },
        "defaultValue": ""
      },
      "entitySecondType": {
        "type": "String",
        "metadata": {
          "displayName": "Second entity type",
          "description": "To refine the suppression rules to suppress alerts only for specific entities, enter the type of the entity you would like to suppress. Only alerts containing all of the entities defined in the rule will be suppressed (alerts without entities will be suppressed entirely)."
        },
        "allowedValues": [
          "User account - name",
          "User account - AAD user ID",
          "User account - UPN suffix",
          "Azure resource ID",
          "File - name",
          "File - directory",
          "File hash",
          "Host - name",
          "Host - Azure ID",
          "Host - DNS Domain",
          "Host - OMS agent ID",
          "IP address",
          "Malware - name",
          "Malware - category",
          "Process - command line",
          ""
        ],
        "defaultValue": ""
      },
      "entitySecondOp": {
        "type": "String",
        "metadata": {
          "displayName": "Second entity operation"
        },
        "allowedValues": [
          "Equals",
          "Contains",
          ""
        ],
        "defaultValue": ""
      },
      "entitySecondValue": {
        "type": "String",
        "metadata": {
          "displayName": "Second entity value",
          "description": "The value of the entity. Only alerts containing all of the entities defined in the rule will be suppressed (alerts without entities will be suppressed entirely)."
        },
        "defaultValue": ""
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.Security/alertsSuppressionRules",
          "name": "[parameters('suppressionRuleName')]",
          "existenceScope": "subscription",
          "deploymentScope": "subscription",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"
          ],
          "deployment": {
            "location": "centralus",
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "alertType": {
                    "type": "String"
                  },
                  "suppressionRuleName": {
                    "type": "String"
                  },
                  "state": {
                    "type": "String"
                  },
                  "reason": {
                    "type": "String"
                  },
                  "comment": {
                    "type": "String"
                  },
                  "expirationDate": {
                    "type": "String"
                  },
                  "entityOneType": {
                    "type": "String"
                  },
                  "entityOneOp": {
                    "type": "String"
                  },
                  "entityOneValue": {
                    "type": "String"
                  },
                  "entitySecondType": {
                    "type": "String"
                  },
                  "entitySecondOp": {
                    "type": "String"
                  },
                  "entitySecondValue": {
                    "type": "String"
                  }
                },
                "variables": {
                  "reasonToEnum": {
                    "The severity of the alert should be lower": "AlertSeverityTooHigh",
                    "The alert detecting too many normal activities": "FalsePositive",
                    "The alert is too noisy - hitting on the same resources too many times": "Noise",
                    "The resource isn't relevant for me to monitor": "NotRelevant",
                    "The alert detecting normal activity on specific entity": "SpecificEntityFalsePositive",
                    "The alert isn't actionable - not clear how to investigate the threat": "Unclear",
                    "Other": "Other"
                  },
                  "entityNameToType": {
                    "User account - name": "entities.account.name",
                    "User account - AAD user ID": "entities.account.aaduserid",
                    "User account - UPN suffix": "entities.account.upnsuffix",
                    "Azure resource ID": "entities.azureresource.resourceid",
                    "File - name": "entities.file.name",
                    "File - directory": "entities.file.directory",
                    "File hash": "entities.filehash.value",
                    "Host - name": "entities.host.hostname",
                    "Host - Azure ID": "entities.host.azureid",
                    "Host - DNS Domain": "entities.host.dnsdomain",
                    "Host - OMS agent ID": "entities.host.omsagentid",
                    "IP address": "entities.ip.address",
                    "Malware - name": "entities.malware.name",
                    "Malware - category": "entities.malware.category",
                    "Process - command line: ": "entities.process.commandline"
                  },
                  "entityOperationNameToOperation": {
                    "Equals": "in",
                    "Contains": "contains"
                  }
                },
                "resources": [
                  {
                    "type": "Microsoft.Security/alertsSuppressionRules",
                    "apiVersion": "2019-01-01-preview",
                    "name": "[parameters('suppressionRuleName')]",
                    "location": "centralus",
                    "properties": {
                      "alertType": "[parameters('alertType')]",
                      "state": "[parameters('state')]",
                      "reason": "[variables('reasonToEnum')[parameters('reason')]]",
                      "comment": "[parameters('comment')]",
                      "expirationDateUtc": "[parameters('expirationDate')]",
                      "suppressionAlertsScope": "[if(and(or(empty(parameters('entityOneType')), empty(parameters('entityOneOp')), empty(parameters('entityOneValue'))), or(empty(parameters('entitySecondType')), empty(parameters('entitySecondOp')), empty(parameters('entitySecondValue')))), null(), json(concat('{ \"allOf\": [', if(or(empty(parameters('entityOneType')), empty(parameters('entityOneOp')), empty(parameters('entityOneValue'))), '', concat(' { \"field\": \"', variables('entityNameToType')[parameters('entityOneType')], '\", \"', variables('entityOperationNameToOperation')[parameters('entityOneOp')], '\":', if(equals(parameters('entityOneOp'), 'Equals'), '[', ''), ' \"', parameters('entityOneValue'), '\"', if(equals(parameters('entityOneOp'), 'Equals'), ']', ''), ' }', if(or(empty(parameters('entitySecondType')), empty(parameters('entitySecondOp')), empty(parameters('entitySecondValue'))), '', ', '))), if(or(empty(parameters('entitySecondType')), empty(parameters('entitySecondOp')), empty(parameters('entitySecondValue'))), '', concat(' { \"field\": \"', variables('entityNameToType')[parameters('entitySecondType')], '\", \"', variables('entityOperationNameToOperation')[parameters('entitySecondOp')], '\":', if(equals(parameters('entitySecondOp'), 'Equals'), '[', ''), ' \"', parameters('entitySecondValue'), '\"', if(equals(parameters('entitySecondOp'), 'Equals'), ']', ''), ' } ')), '] }')))]"
                    }
                  }
                ]
              },
              "parameters": {
                "alertType": {
                  "value": "[parameters('alertType')]"
                },
                "suppressionRuleName": {
                  "value": "[parameters('suppressionRuleName')]"
                },
                "state": {
                  "value": "[parameters('state')]"
                },
                "reason": {
                  "value": "[parameters('reason')]"
                },
                "comment": {
                  "value": "[parameters('comment')]"
                },
                "expirationDate": {
                  "value": "[parameters('expirationDate')]"
                },
                "entityOneType": {
                  "value": "[parameters('entityOneType')]"
                },
                "entityOneOp": {
                  "value": "[parameters('entityOneOp')]"
                },
                "entityOneValue": {
                  "value": "[parameters('entityOneValue')]"
                },
                "entitySecondType": {
                  "value": "[parameters('entitySecondType')]"
                },
                "entitySecondOp": {
                  "value": "[parameters('entitySecondOp')]"
                },
                "entitySecondValue": {
                  "value": "[parameters('entitySecondValue')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/80e94a21-c6cd-4c95-a2c7-beb5704e61c0",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "80e94a21-c6cd-4c95-a2c7-beb5704e61c0"
}
BuiltIn Security Center False False n/a n/a n/a false 0 n/a false 0 n/a 'Security Admin' (fb1c8493-542b-48eb-b624-b4c8fea62acd)
{
  "properties": {
    "displayName": "Deploy a default budget on subscriptions",
    "policyType": "Custom",
    "mode": "All",
    "description": "Depoloys a default budget on subscriptions.",
    "metadata": {
      "version": "1.0.0",
      "category": "Budget",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.4777959Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "amount": {
        "type": "String",
        "metadata": {
          "description": "The total amount of cost or usage to track with the budget"
        },
        "defaultValue": "1000"
      },
      "timeGrain": {
        "type": "String",
        "metadata": {
          "description": "The time covered by a budget. Tracking of the amount will be reset based on the time grain."
        },
        "allowedValues": [
          "Monthly",
          "Quarterly",
          "Annually",
          "BillingMonth",
          "BillingQuarter",
          "BillingAnnual"
        ],
        "defaultValue": "Monthly"
      },
      "firstThreshold": {
        "type": "String",
        "metadata": {
          "description": "Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000."
        },
        "defaultValue": "90"
      },
      "secondThreshold": {
        "type": "String",
        "metadata": {
          "description": "Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000."
        },
        "defaultValue": "100"
      },
      "contactRoles": {
        "type": "Array",
        "metadata": {
          "description": "The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded."
        },
        "defaultValue": [
          "Owner",
          "Contributor"
        ]
      },
      "contactEmails": {
        "type": "Array",
        "metadata": {
          "description": "The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded."
        },
        "defaultValue": []
      },
      "contactGroups": {
        "type": "Array",
        "metadata": {
          "description": "The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. It accepts array of strings."
        },
        "defaultValue": []
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
          }
        ]
      },
      "then": {
        "effect": "DeployIfNotExists",
        "details": {
          "type": "Microsoft.Consumption/budgets",
          "deploymentScope": "Subscription",
          "existenceScope": "Subscription",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Consumption/budgets/amount",
                "equals": "[parameters('amount')]"
              },
              {
                "field": "Microsoft.Consumption/budgets/timeGrain",
                "equals": "[parameters('timeGrain')]"
              },
              {
                "field": "Microsoft.Consumption/budgets/category",
                "equals": "Cost"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "location": "northeurope",
            "properties": {
              "mode": "incremental",
              "parameters": {
                "amount": {
                  "value": "[parameters('amount')]"
                },
                "timeGrain": {
                  "value": "[parameters('timeGrain')]"
                },
                "firstThreshold": {
                  "value": "[parameters('firstThreshold')]"
                },
                "secondThreshold": {
                  "value": "[parameters('secondThreshold')]"
                },
                "contactEmails": {
                  "value": "[parameters('contactEmails')]"
                },
                "contactRoles": {
                  "value": "[parameters('contactRoles')]"
                },
                "contactGroups": {
                  "value": "[parameters('contactGroups')]"
                }
              },
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "amount": {
                    "type": "string"
                  },
                  "timeGrain": {
                    "type": "string"
                  },
                  "firstThreshold": {
                    "type": "string"
                  },
                  "secondThreshold": {
                    "type": "string"
                  },
                  "contactEmails": {
                    "type": "array"
                  },
                  "contactRoles": {
                    "type": "array"
                  },
                  "contactGroups": {
                    "type": "array"
                  },
                  "startDate": {
                    "type": "string",
                    "defaultValue": "[concat(utcNow('MM'), '/01/', utcNow('yyyy'))]"
                  }
                },
                "resources": [
                  {
                    "type": "Microsoft.Consumption/budgets",
                    "apiVersion": "2019-10-01",
                    "name": "default-sandbox-budget",
                    "properties": {
                      "timePeriod": {
                        "startDate": "[parameters('startDate')]"
                      },
                      "timeGrain": "[parameters('timeGrain')]",
                      "amount": "[parameters('amount')]",
                      "category": "Cost",
                      "notifications": {
                        "NotificationForExceededBudget1": {
                          "enabled": true,
                          "operator": "GreaterThan",
                          "threshold": "[parameters('firstThreshold')]",
                          "contactEmails": "[parameters('contactEmails')]",
                          "contactRoles": "[parameters('contactRoles')]",
                          "contactGroups": "[parameters('contactGroups')]"
                        },
                        "NotificationForExceededBudget2": {
                          "enabled": true,
                          "operator": "GreaterThan",
                          "threshold": "[parameters('secondThreshold')]",
                          "contactEmails": "[parameters('contactEmails')]",
                          "contactRoles": "[parameters('contactRoles')]",
                          "contactGroups": "[parameters('contactGroups')]"
                        }
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Budget",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Budget"
}
Custom Budget False False Mg ESJH (ESJH) n/a false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Deploy a flow log resource with target network security group",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Configures flow log for specific network security group. It will allow to log information about IP traffic flowing through an network security group. Flow log helps to identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, analyze network flows from compromised IPs and network interfaces.",
    "metadata": {
      "version": "1.0.0",
      "category": "Network"
    },
    "parameters": {
      "nsgRegion": {
        "type": "String",
        "metadata": {
          "displayName": "NSG Region",
          "description": "This Policy will review NSGs only in the selected region. You can create other assignments to include other regions.",
          "strongType": "location"
        }
      },
      "storageId": {
        "type": "String",
        "metadata": {
          "displayName": "Storage id",
          "description": "A string with the storage id for the flowlogs to be sent to. It will be used for deployment purposes only. Make sure this storage account is located in the same region as the NSG. The format must be: '/subscriptions/{subscription id}/resourceGroups/{resourceGroup name}/providers/Microsoft.Storage/storageAccounts/{storage account name}",
          "assignPermissions": "true"
        }
      },
      "networkWatcherRG": {
        "type": "String",
        "metadata": {
          "displayName": "Network Watchers RG",
          "description": "The name of the resource group where the flowLog resources will be created. This will be used only if a deployment is required. This is the resource group where the Network Watchers are located.",
          "strongType": "existingResourceGroups"
        }
      },
      "networkWatcherName": {
        "type": "String",
        "metadata": {
          "displayName": "Network Watcher name",
          "description": "The name of the network watcher under which the flowLog resources will be created. Make sure it belongs to the same region as the NSG."
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/networkSecurityGroups"
          },
          {
            "field": "location",
            "equals": "[parameters('nsgRegion')]"
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.Network/networkWatchers/flowlogs",
          "resourceGroupName": "[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs'))), parameters('networkWatcherRG'), split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[4])]",
          "name": "[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id'))), 'null/null', concat(split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[8], '/', split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[10]))]",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Network/networkWatchers/flowLogs/enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Network/networkWatchers/flowLogs/storageId",
                "equals": "[parameters('storageId')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "storageId": {
                    "type": "String"
                  },
                  "networkWatcherRG": {
                    "type": "String"
                  },
                  "networkWatcherName": {
                    "type": "String"
                  },
                  "flowlogName": {
                    "type": "String"
                  },
                  "location": {
                    "type": "String"
                  },
                  "targetResource": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/deployments",
                    "name": "[concat('flowlogDeployment-', uniqueString(parameters('flowlogName')))]",
                    "apiVersion": "2019-10-01",
                    "resourceGroup": "[parameters('networkWatcherRG')]",
                    "properties": {
                      "mode": "incremental",
                      "parameters": {},
                      "template": {
                        "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {},
                        "resources": [
                          {
                            "type": "Microsoft.Network/networkWatchers/flowLogs",
                            "name": "[concat(parameters('networkWatcherName'), '/', parameters('flowlogName'))]",
                            "apiVersion": "2019-11-01",
                            "location": "[parameters('location')]",
                            "properties": {
                              "targetResourceId": "[parameters('targetResource')]",
                              "storageId": "[parameters('storageId')]",
                              "enabled": "true",
                              "retentionPolicy": {
                                "days": "0",
                                "enabled": "false"
                              }
                            }
                          }
                        ]
                      }
                    }
                  }
                ]
              },
              "parameters": {
                "storageId": {
                  "value": "[parameters('storageId')]"
                },
                "networkWatcherRG": {
                  "value": "[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs'))), parameters('networkWatcherRG'), split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[4])]"
                },
                "networkWatcherName": {
                  "value": "[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs'))), parameters('networkWatcherName'), split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[8])]"
                },
                "flowlogName": {
                  "value": "[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs'))), concat(field('name'), '-', resourceGroup().name, '-', 'flowlog'), split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[10])]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "targetResource": {
                  "value": "[concat(resourceGroup().id, '/providers/Microsoft.Network/networkSecurityGroups/', field('name'))]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0db34a60-64f4-4bf6-bd44-f95c16cf34b9",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0db34a60-64f4-4bf6-bd44-f95c16cf34b9"
}
BuiltIn Network False False n/a n/a n/a false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Deploy Advanced Data Security on SQL servers",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy enables Advanced Data Security on SQL Servers. This includes turning on Threat Detection and Vulnerability Assessment. It will automatically create a storage account in the same region and resource group as the SQL server to store scan results, with a 'sqlva' prefix.",
    "metadata": {
      "version": "1.2.0",
      "category": "SQL"
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Sql/servers"
      },
      "then": {
        "effect": "DeployIfNotExists",
        "details": {
          "type": "Microsoft.Sql/servers/securityAlertPolicies",
          "name": "Default",
          "existenceCondition": {
            "field": "Microsoft.Sql/securityAlertPolicies.state",
            "equals": "Enabled"
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3",
            "/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "serverName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "variables": {
                  "serverResourceGroupName": "[resourceGroup().name]",
                  "subscriptionId": "[subscription().subscriptionId]",
                  "uniqueStorage": "[uniqueString(variables('subscriptionId'), variables('serverResourceGroupName'), parameters('location'))]",
                  "storageName": "[tolower(concat('sqlva', variables('uniqueStorage')))]"
                },
                "resources": [
                  {
                    "type": "Microsoft.Storage/storageAccounts",
                    "name": "[variables('storageName')]",
                    "apiVersion": "2019-04-01",
                    "location": "[parameters('location')]",
                    "sku": {
                      "name": "Standard_LRS"
                    },
                    "kind": "StorageV2",
                    "properties": {
                      "minimumTlsVersion": "TLS1_2",
                      "supportsHttpsTrafficOnly": "true",
                      "allowBlobPublicAccess": "false"
                    }
                  },
                  {
                    "name": "[concat(parameters('serverName'), '/Default')]",
                    "type": "Microsoft.Sql/servers/securityAlertPolicies",
                    "apiVersion": "2017-03-01-preview",
                    "properties": {
                      "state": "Enabled",
                      "emailAccountAdmins": true
                    }
                  },
                  {
                    "name": "[concat(parameters('serverName'), '/Default')]",
                    "type": "Microsoft.Sql/servers/vulnerabilityAssessments",
                    "apiVersion": "2018-06-01-preview",
                    "properties": {
                      "storageContainerPath": "[concat(reference(resourceId('Microsoft.Storage/storageAccounts', variables('storageName'))).primaryEndpoints.blob, 'vulnerability-assessment')]",
                      "storageAccountAccessKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageName')), '2018-02-01').keys[0].value]",
                      "recurringScans": {
                        "isEnabled": true,
                        "emailSubscriptionAdmins": true,
                        "emails": []
                      }
                    },
                    "dependsOn": [
                      "[concat('Microsoft.Storage/storageAccounts/', variables('storageName'))]",
                      "[concat('Microsoft.Sql/servers/', parameters('serverName'), '/securityAlertPolicies/Default')]"
                    ]
                  }
                ]
              },
              "parameters": {
                "serverName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "6134c3db-786f-471e-87bc-8f479dc890f6"
}
BuiltIn SQL False False n/a n/a n/a false 0 n/a false 0 n/a 'SQL Security Manager' (056cd41c-7e88-42e1-933e-88ba6a50c9c3), 'Storage Account Contributor' (17d1049b-9a84-46fb-8f53-869881c3d3ab)
{
  "properties": {
    "displayName": "Deploy Advanced Threat Protection for Cosmos DB Accounts",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy enables Advanced Threat Protection across Cosmos DB accounts.",
    "metadata": {
      "version": "1.0.0",
      "category": "Cosmos DB"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.DocumentDB/databaseAccounts"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/advancedThreatProtectionSettings",
          "name": "current",
          "existenceCondition": {
            "field": "Microsoft.Security/advancedThreatProtectionSettings/isEnabled",
            "equals": "true"
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "cosmosDbAccountName": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "apiVersion": "2019-01-01",
                    "type": "Microsoft.DocumentDB/databaseAccounts/providers/advancedThreatProtectionSettings",
                    "name": "[concat(parameters('cosmosDbAccountName'), '/Microsoft.Security/current')]",
                    "properties": {
                      "isEnabled": true
                    }
                  }
                ]
              },
              "parameters": {
                "cosmosDbAccountName": {
                  "value": "[field('name')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b5f04e03-92a3-4b09-9410-2cc5e5047656"
}
BuiltIn Cosmos DB False False n/a n/a DeployIfNotExists false 0 n/a true 1 [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de) 'Security Admin' (fb1c8493-542b-48eb-b624-b4c8fea62acd)
{
  "properties": {
    "displayName": "Deploy Advanced Threat Protection on storage accounts",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy enables Advanced Threat Protection on storage accounts.",
    "metadata": {
      "version": "1.0.0",
      "category": "Storage"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Storage/storageAccounts"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/advancedThreatProtectionSettings",
          "name": "current",
          "existenceCondition": {
            "field": "Microsoft.Security/advancedThreatProtectionSettings/isEnabled",
            "equals": "true"
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "storageAccountName": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "apiVersion": "2019-01-01",
                    "type": "Microsoft.Storage/storageAccounts/providers/advancedThreatProtectionSettings",
                    "name": "[concat(parameters('storageAccountName'), '/Microsoft.Security/current')]",
                    "properties": {
                      "isEnabled": true
                    }
                  }
                ]
              },
              "parameters": {
                "storageAccountName": {
                  "value": "[field('name')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "361c2074-3595-4e5d-8cab-4f21dffc835c"
}
BuiltIn Storage False False n/a n/a DeployIfNotExists false 0 n/a true 1 [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de) 'Security Admin' (fb1c8493-542b-48eb-b624-b4c8fea62acd)
{
  "properties": {
    "displayName": "Deploy an Azure DDoS Protection Standard plan",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys an Azure DDoS Protection Standard plan",
    "metadata": {
      "version": "1.0.0",
      "category": "Network",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.6588825Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "ddosName": {
        "type": "String",
        "metadata": {
          "displayName": "ddosName",
          "description": "Name of the Virtual WAN"
        }
      },
      "ddosRegion": {
        "type": "String",
        "metadata": {
          "displayName": "ddosRegion",
          "description": "Select Azure region for Virtual WAN",
          "strongType": "location"
        }
      },
      "rgName": {
        "type": "String",
        "metadata": {
          "displayName": "rgName",
          "description": "Provide name for resource group."
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/ddosProtectionPlans",
          "deploymentScope": "Subscription",
          "existenceScope": "ResourceGroup",
          "resourceGroupName": "[parameters('rgName')]",
          "name": "[parameters('ddosName')]",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
          ],
          "deployment": {
            "location": "northeurope",
            "properties": {
              "mode": "incremental",
              "parameters": {
                "rgName": {
                  "value": "[parameters('rgName')]"
                },
                "ddosname": {
                  "value": "[parameters('ddosname')]"
                },
                "ddosregion": {
                  "value": "[parameters('ddosRegion')]"
                }
              },
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "rgName": {
                    "type": "string"
                  },
                  "ddosname": {
                    "type": "string"
                  },
                  "ddosRegion": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/resourceGroups",
                    "apiVersion": "2018-05-01",
                    "name": "[parameters('rgName')]",
                    "location": "[deployment().location]",
                    "properties": {}
                  },
                  {
                    "type": "Microsoft.Resources/deployments",
                    "apiVersion": "2018-05-01",
                    "name": "ddosprotection",
                    "resourceGroup": "[parameters('rgName')]",
                    "dependsOn": [
                      "[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]"
                    ],
                    "properties": {
                      "mode": "Incremental",
                      "template": {
                        "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
                        "contentVersion": "1.0.0.0",
                        "parameters": {},
                        "resources": [
                          {
                            "type": "Microsoft.Network/ddosProtectionPlans",
                            "apiVersion": "2019-12-01",
                            "name": "[parameters('ddosName')]",
                            "location": "[parameters('ddosRegion')]",
                            "properties": {}
                          }
                        ],
                        "outputs": {}
                      }
                    }
                  }
                ],
                "outputs": {}
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-DDoSProtection",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-DDoSProtection"
}
Custom Network False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7)
{
  "properties": {
    "displayName": "Deploy associations for a custom provider",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploys an association resource that associates selected resource types to the specified custom provider. This policy deployment does not support nested resource types.",
    "metadata": {
      "version": "1.0.0",
      "category": "Custom Provider"
    },
    "parameters": {
      "targetCustomProviderId": {
        "type": "String",
        "metadata": {
          "displayName": "Custom provider ID",
          "description": "Resource ID of the Custom provider to which resources need to be associated."
        }
      },
      "resourceTypesToAssociate": {
        "type": "Array",
        "metadata": {
          "displayName": "Resource types to associate",
          "description": "The list of resource types to be associated to the custom provider.",
          "strongType": "resourceTypes"
        }
      },
      "associationNamePrefix": {
        "type": "String",
        "metadata": {
          "displayName": "Association name prefix",
          "description": "Prefix to be added to the name of the association resource being created."
        },
        "defaultValue": "DeployedByPolicy"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": "[parameters('resourceTypesToAssociate')]"
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.CustomProviders/Associations",
          "name": "[concat(parameters('associationNamePrefix'), '-', uniqueString(parameters('targetCustomProviderId')))]",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "associatedResourceName": {
                    "type": "string"
                  },
                  "resourceTypesToAssociate": {
                    "type": "string"
                  },
                  "targetCustomProviderId": {
                    "type": "string"
                  },
                  "associationNamePrefix": {
                    "type": "string"
                  }
                },
                "variables": {
                  "resourceType": "[concat(parameters('resourceTypesToAssociate'), '/providers/associations')]",
                  "resourceName": "[concat(parameters('associatedResourceName'), '/microsoft.customproviders/', parameters('associationNamePrefix'), '-', uniqueString(parameters('targetCustomProviderId')))]"
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/deployments",
                    "apiVersion": "2017-05-10",
                    "name": "[concat(deployment().Name, '-2')]",
                    "properties": {
                      "mode": "Incremental",
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "resources": [
                          {
                            "type": "[variables('resourceType')]",
                            "name": "[variables('resourceName')]",
                            "apiVersion": "2018-09-01-preview",
                            "properties": {
                              "targetResourceId": "[parameters('targetCustomProviderId')]"
                            }
                          }
                        ]
                      }
                    }
                  }
                ]
              },
              "parameters": {
                "resourceTypesToAssociate": {
                  "value": "[field('type')]"
                },
                "associatedResourceName": {
                  "value": "[field('name')]"
                },
                "targetCustomProviderId": {
                  "value": "[parameters('targetCustomProviderId')]"
                },
                "associationNamePrefix": {
                  "value": "[parameters('associationNamePrefix')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c15c281f-ea5c-44cd-90b8-fc3c14d13f0c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c15c281f-ea5c-44cd-90b8-fc3c14d13f0c"
}
BuiltIn Custom Provider False False n/a n/a n/a false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Deploy associations for a managed application",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploys an association resource that associates selected resource types to the specified managed application.  This policy deployment does not support nested resource types.",
    "metadata": {
      "version": "1.0.0",
      "category": "Managed Application"
    },
    "parameters": {
      "targetManagedApplicationId": {
        "type": "String",
        "metadata": {
          "displayName": "Managed application ID",
          "description": "Resource ID of the managed application to which resources need to be associated."
        }
      },
      "resourceTypesToAssociate": {
        "type": "Array",
        "metadata": {
          "displayName": "Resource types to associate",
          "description": "The list of resource types to be associated to the managed application.",
          "strongType": "resourceTypes"
        }
      },
      "associationNamePrefix": {
        "type": "String",
        "metadata": {
          "displayName": "Association name prefix",
          "description": "Prefix to be added to the name of the association resource being created."
        },
        "defaultValue": "DeployedByPolicy"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": "[parameters('resourceTypesToAssociate')]"
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.CustomProviders/Associations",
          "name": "[concat(parameters('associationNamePrefix'), '-', uniqueString(parameters('targetManagedApplicationId')))]",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "associatedResourceName": {
                    "type": "string"
                  },
                  "resourceTypesToAssociate": {
                    "type": "string"
                  },
                  "targetManagedApplicationId": {
                    "type": "string"
                  },
                  "associationNamePrefix": {
                    "type": "string"
                  }
                },
                "variables": {
                  "resourceType": "[concat(parameters('resourceTypesToAssociate'), '/providers/associations')]",
                  "resourceName": "[concat(parameters('associatedResourceName'), '/microsoft.customproviders/', parameters('associationNamePrefix'), '-', uniqueString(parameters('targetManagedApplicationId')))]"
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/deployments",
                    "apiVersion": "2017-05-10",
                    "name": "[concat(deployment().Name, '-2')]",
                    "properties": {
                      "mode": "Incremental",
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "resources": [
                          {
                            "type": "[variables('resourceType')]",
                            "name": "[variables('resourceName')]",
                            "apiVersion": "2018-09-01-preview",
                            "properties": {
                              "targetResourceId": "[parameters('targetManagedApplicationId')]"
                            }
                          }
                        ]
                      }
                    }
                  }
                ]
              },
              "parameters": {
                "resourceTypesToAssociate": {
                  "value": "[field('type')]"
                },
                "associatedResourceName": {
                  "value": "[field('name')]"
                },
                "targetManagedApplicationId": {
                  "value": "[parameters('targetManagedApplicationId')]"
                },
                "associationNamePrefix": {
                  "value": "[parameters('associationNamePrefix')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/17763ad9-70c0-4794-9397-53d765932634",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "17763ad9-70c0-4794-9397-53d765932634"
}
BuiltIn Managed Application False False n/a n/a n/a false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Deploy Azure Defender settings in Azure Security Center.",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys  the Azure Defender settings in Azure Security Center for  the specific services.",
    "metadata": {
      "version": "1.0.0",
      "category": "Security Center",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.5472725Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "pricingTierVMs": {
        "type": "String",
        "metadata": {
          "displayName": "pricingTierVMs",
          "description": null
        },
        "allowedValues": [
          "Standard",
          "Free"
        ],
        "defaultValue": "Standard"
      },
      "pricingTierSqlServers": {
        "type": "String",
        "metadata": {
          "displayName": "pricingTierSqlServers",
          "description": null
        },
        "allowedValues": [
          "Standard",
          "Free"
        ],
        "defaultValue": "Standard"
      },
      "pricingTierAppServices": {
        "type": "String",
        "metadata": {
          "displayName": "pricingTierAppServices",
          "description": null
        },
        "allowedValues": [
          "Standard",
          "Free"
        ],
        "defaultValue": "Standard"
      },
      "pricingTierStorageAccounts": {
        "type": "String",
        "metadata": {
          "displayName": "pricingTierStorageAccounts",
          "description": null
        },
        "allowedValues": [
          "Standard",
          "Free"
        ],
        "defaultValue": "Standard"
      },
      "pricingTierContainerRegistry": {
        "type": "String",
        "metadata": {
          "displayName": "pricingTierContainerRegistry",
          "description": null
        },
        "allowedValues": [
          "Standard",
          "Free"
        ],
        "defaultValue": "Standard"
      },
      "pricingTierKeyVaults": {
        "type": "String",
        "metadata": {
          "displayName": "pricingTierKeyVaults",
          "description": null
        },
        "allowedValues": [
          "Standard",
          "Free"
        ],
        "defaultValue": "Standard"
      },
      "pricingTierKubernetesService": {
        "type": "String",
        "metadata": {
          "displayName": "pricingTierKubernetesService",
          "description": null
        },
        "allowedValues": [
          "Standard",
          "Free"
        ],
        "defaultValue": "Standard"
      },
      "pricingTierDns": {
        "type": "String",
        "metadata": {
          "displayName": "pricingTierDns",
          "description": null
        },
        "allowedValues": [
          "Standard",
          "Free"
        ],
        "defaultValue": "Standard"
      },
      "pricingTierArm": {
        "type": "String",
        "metadata": {
          "displayName": "pricingTierArm",
          "description": null
        },
        "allowedValues": [
          "Standard",
          "Free"
        ],
        "defaultValue": "Standard"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/pricings",
          "deploymentScope": "subscription",
          "existenceScope": "subscription",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"
          ],
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Security/pricings/pricingTier",
                "equals": "Standard"
              },
              {
                "field": "type",
                "equals": "Microsoft.Security/pricings"
              }
            ]
          },
          "deployment": {
            "location": "northeurope",
            "properties": {
              "mode": "incremental",
              "parameters": {
                "pricingTierVMs": {
                  "value": "[parameters('pricingTierVMs')]"
                },
                "pricingTierSqlServers": {
                  "value": "[parameters('pricingTierSqlServers')]"
                },
                "pricingTierAppServices": {
                  "value": "[parameters('pricingTierAppServices')]"
                },
                "pricingTierStorageAccounts": {
                  "value": "[parameters('pricingTierStorageAccounts')]"
                },
                "pricingTierContainerRegistry": {
                  "value": "[parameters('pricingTierContainerRegistry')]"
                },
                "pricingTierKeyVaults": {
                  "value": "[parameters('pricingTierKeyVaults')]"
                },
                "pricingTierKubernetesService": {
                  "value": "[parameters('pricingTierKubernetesService')]"
                },
                "pricingTierDns": {
                  "value": "[parameters('pricingTierDns')]"
                },
                "pricingTierArm": {
                  "value": "[parameters('pricingTierArm')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "pricingTierVMs": {
                    "type": "string",
                    "metadata": {
                      "description": "pricingTierVMs"
                    }
                  },
                  "pricingTierSqlServers": {
                    "type": "string",
                    "metadata": {
                      "description": "pricingTierSqlServers"
                    }
                  },
                  "pricingTierAppServices": {
                    "type": "string",
                    "metadata": {
                      "description": "pricingTierAppServices"
                    }
                  },
                  "pricingTierStorageAccounts": {
                    "type": "string",
                    "metadata": {
                      "description": "pricingTierStorageAccounts"
                    }
                  },
                  "pricingTierContainerRegistry": {
                    "type": "string",
                    "metadata": {
                      "description": "ContainerRegistry"
                    }
                  },
                  "pricingTierKeyVaults": {
                    "type": "string",
                    "metadata": {
                      "description": "KeyVaults"
                    }
                  },
                  "pricingTierKubernetesService": {
                    "type": "string",
                    "metadata": {
                      "description": "KubernetesService"
                    }
                  },
                  "pricingTierDns": {
                    "type": "string",
                    "metadata": {
                      "description": "KubernetesService"
                    }
                  },
                  "pricingTierArm": {
                    "type": "string",
                    "metadata": {
                      "description": "KubernetesService"
                    }
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Security/pricings",
                    "apiVersion": "2018-06-01",
                    "name": "VirtualMachines",
                    "properties": {
                      "pricingTier": "[parameters('pricingTierVMs')]"
                    }
                  },
                  {
                    "type": "Microsoft.Security/pricings",
                    "apiVersion": "2018-06-01",
                    "name": "StorageAccounts",
                    "dependsOn": [
                      "[concat('Microsoft.Security/pricings/VirtualMachines')]"
                    ],
                    "properties": {
                      "pricingTier": "[parameters('pricingTierStorageAccounts')]"
                    }
                  },
                  {
                    "type": "Microsoft.Security/pricings",
                    "apiVersion": "2018-06-01",
                    "name": "AppServices",
                    "dependsOn": [
                      "[concat('Microsoft.Security/pricings/StorageAccounts')]"
                    ],
                    "properties": {
                      "pricingTier": "[parameters('pricingTierAppServices')]"
                    }
                  },
                  {
                    "type": "Microsoft.Security/pricings",
                    "apiVersion": "2018-06-01",
                    "name": "SqlServers",
                    "dependsOn": [
                      "[concat('Microsoft.Security/pricings/AppServices')]"
                    ],
                    "properties": {
                      "pricingTier": "[parameters('pricingTierSqlServers')]"
                    }
                  },
                  {
                    "type": "Microsoft.Security/pricings",
                    "apiVersion": "2018-06-01",
                    "name": "KeyVaults",
                    "dependsOn": [
                      "[concat('Microsoft.Security/pricings/SqlServers')]"
                    ],
                    "properties": {
                      "pricingTier": "[parameters('pricingTierKeyVaults')]"
                    }
                  },
                  {
                    "type": "Microsoft.Security/pricings",
                    "apiVersion": "2018-06-01",
                    "name": "KubernetesService",
                    "dependsOn": [
                      "[concat('Microsoft.Security/pricings/KeyVaults')]"
                    ],
                    "properties": {
                      "pricingTier": "[parameters('pricingTierKubernetesService')]"
                    }
                  },
                  {
                    "type": "Microsoft.Security/pricings",
                    "apiVersion": "2018-06-01",
                    "name": "ContainerRegistry",
                    "dependsOn": [
                      "[concat('Microsoft.Security/pricings/KubernetesService')]"
                    ],
                    "properties": {
                      "pricingTier": "[parameters('pricingTierContainerRegistry')]"
                    }
                  },
                  {
                    "type": "Microsoft.Security/pricings",
                    "apiVersion": "2018-06-01",
                    "name": "Dns",
                    "dependsOn": [
                      "[concat('Microsoft.Security/pricings/ContainerRegistry')]"
                    ],
                    "properties": {
                      "pricingTier": "[parameters('pricingTierDns')]"
                    }
                  },
                  {
                    "type": "Microsoft.Security/pricings",
                    "apiVersion": "2018-06-01",
                    "name": "Arm",
                    "dependsOn": [
                      "[concat('Microsoft.Security/pricings/Dns')]"
                    ],
                    "properties": {
                      "pricingTier": "[parameters('pricingTierArm')]"
                    }
                  }
                ],
                "outputs": {}
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-Standard",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-ASC-Standard"
}
Custom Security Center False False Mg ESJH (ESJH) DeployIfNotExists true 1 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-security (Deploy-ASC-Defender) false 0 n/a 'Security Admin' (fb1c8493-542b-48eb-b624-b4c8fea62acd)
{
  "properties": {
    "displayName": "Deploy Azure Firewall Manager policy in the subscription",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys Azure Firewall Manager policy in subscription where the policy is assigned.",
    "metadata": {
      "version": "1.0.0",
      "category": "Network",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.3971533Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "fwpolicy": {
        "type": "Object",
        "metadata": {
          "displayName": "fwpolicy",
          "description": "Object describing Azure Firewall Policy"
        },
        "defaultValue": {}
      },
      "fwPolicyRegion": {
        "type": "String",
        "metadata": {
          "displayName": "fwPolicyRegion",
          "description": "Select Azure region for Azure Firewall Policy",
          "strongType": "location"
        }
      },
      "rgName": {
        "type": "String",
        "metadata": {
          "displayName": "rgName",
          "description": "Provide name for resource group."
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/firewallPolicies",
          "deploymentScope": "Subscription",
          "existenceScope": "ResourceGroup",
          "resourceGroupName": "[parameters('rgName')]",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
          ],
          "deployment": {
            "location": "northeurope",
            "properties": {
              "mode": "incremental",
              "parameters": {
                "rgName": {
                  "value": "[parameters('rgName')]"
                },
                "fwPolicy": {
                  "value": "[parameters('fwPolicy')]"
                },
                "fwPolicyRegion": {
                  "value": "[parameters('fwPolicyRegion')]"
                }
              },
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "rgName": {
                    "type": "string"
                  },
                  "fwPolicy": {
                    "type": "object"
                  },
                  "fwPolicyRegion": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/resourceGroups",
                    "apiVersion": "2018-05-01",
                    "name": "[parameters('rgName')]",
                    "location": "[deployment().location]",
                    "properties": {}
                  },
                  {
                    "type": "Microsoft.Resources/deployments",
                    "apiVersion": "2018-05-01",
                    "name": "fwpolicies",
                    "resourceGroup": "[parameters('rgName')]",
                    "dependsOn": [
                      "[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]"
                    ],
                    "properties": {
                      "mode": "Incremental",
                      "template": {
                        "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
                        "contentVersion": "1.0.0.0",
                        "parameters": {},
                        "variables": {},
                        "resources": [
                          {
                            "type": "Microsoft.Network/firewallPolicies",
                            "apiVersion": "2019-09-01",
                            "name": "[parameters('fwpolicy').firewallPolicyName]",
                            "location": "[parameters('fwpolicy').location]",
                            "dependsOn": [],
                            "tags": {},
                            "properties": {},
                            "resources": [
                              {
                                "type": "ruleGroups",
                                "apiVersion": "2019-09-01",
                                "name": "[parameters('fwpolicy').ruleGroups.name]",
                                "dependsOn": [
                                  "[resourceId('Microsoft.Network/firewallPolicies',parameters('fwpolicy').firewallPolicyName)]"
                                ],
                                "properties": {
                                  "priority": "[parameters('fwpolicy').ruleGroups.properties.priority]",
                                  "rules": "[parameters('fwpolicy').ruleGroups.properties.rules]"
                                }
                              }
                            ]
                          }
                        ],
                        "outputs": {}
                      }
                    }
                  }
                ],
                "outputs": {}
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-FirewallPolicy",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-FirewallPolicy"
}
Custom Network False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7)
{
  "properties": {
    "displayName": "Deploy Azure Policy Add-on to Azure Kubernetes Service clusters",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc.",
    "metadata": {
      "version": "1.0.0",
      "category": "Kubernetes"
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.ContainerService/managedClusters"
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.ContainerService/managedClusters",
          "name": "[field('name')]",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8"
          ],
          "existenceCondition": {
            "field": "Microsoft.ContainerService/managedClusters/addonProfiles.azurePolicy.enabled",
            "equals": "true"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "clusterName": {
                    "type": "string"
                  },
                  "clusterResourceGroupName": {
                    "type": "string"
                  }
                },
                "variables": {
                  "clusterGetDeploymentName": "[concat('PolicyDeployment-Get-', parameters('clusterName'))]",
                  "clusterUpdateDeploymentName": "[concat('PolicyDeployment-Update-', parameters('clusterName'))]"
                },
                "resources": [
                  {
                    "apiVersion": "2020-06-01",
                    "type": "Microsoft.Resources/deployments",
                    "name": "[variables('clusterGetDeploymentName')]",
                    "properties": {
                      "mode": "Incremental",
                      "template": {
                        "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "resources": [],
                        "outputs": {
                          "aksCluster": {
                            "type": "object",
                            "value": "[reference(resourceId(parameters('clusterResourceGroupName'), 'Microsoft.ContainerService/managedClusters', parameters('clusterName')), '2020-04-01', 'Full')]"
                          }
                        }
                      }
                    }
                  },
                  {
                    "apiVersion": "2020-06-01",
                    "type": "Microsoft.Resources/deployments",
                    "name": "[variables('clusterUpdateDeploymentName')]",
                    "properties": {
                      "mode": "Incremental",
                      "expressionEvaluationOptions": {
                        "scope": "inner"
                      },
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "aksClusterName": {
                            "type": "string"
                          },
                          "aksClusterContent": {
                            "type": "object"
                          }
                        },
                        "resources": [
                          {
                            "apiVersion": "2020-04-01",
                            "type": "Microsoft.ContainerService/managedClusters",
                            "name": "[parameters('aksClusterName')]",
                            "location": "[parameters('aksClusterContent').location]",
                            "sku": "[parameters('aksClusterContent').sku]",
                            "tags": "[if(contains(parameters('aksClusterContent'), 'tags'), parameters('aksClusterContent').tags, json('null'))]",
                            "identity": "[if(contains(parameters('aksClusterContent'), 'identity'), parameters('aksClusterContent').identity, json('null'))]",
                            "properties": {
                              "kubernetesVersion": "[parameters('aksClusterContent').properties.kubernetesVersion]",
                              "dnsPrefix": "[parameters('aksClusterContent').properties.dnsPrefix]",
                              "agentPoolProfiles": "[if(contains(parameters('aksClusterContent').properties, 'agentPoolProfiles'), parameters('aksClusterContent').properties.agentPoolProfiles, json('null'))]",
                              "linuxProfile": "[if(contains(parameters('aksClusterContent').properties, 'linuxProfile'), parameters('aksClusterContent').properties.linuxProfile, json('null'))]",
                              "windowsProfile": "[if(contains(parameters('aksClusterContent').properties, 'windowsProfile'), parameters('aksClusterContent').properties.windowsProfile, json('null'))]",
                              "servicePrincipalProfile": "[if(contains(parameters('aksClusterContent').properties, 'servicePrincipalProfile'), parameters('aksClusterContent').properties.servicePrincipalProfile, json('null'))]",
                              "addonProfiles": {
                                "azurepolicy": {
                                  "enabled": true
                                }
                              },
                              "nodeResourceGroup": "[parameters('aksClusterContent').properties.nodeResourceGroup]",
                              "enableRBAC": "[if(contains(parameters('aksClusterContent').properties, 'enableRBAC'), parameters('aksClusterContent').properties.enableRBAC, json('null'))]",
                              "enablePodSecurityPolicy": "[if(contains(parameters('aksClusterContent').properties, 'enablePodSecurityPolicy'), parameters('aksClusterContent').properties.enablePodSecurityPolicy, json('null'))]",
                              "networkProfile": "[if(contains(parameters('aksClusterContent').properties, 'networkProfile'), parameters('aksClusterContent').properties.networkProfile, json('null'))]",
                              "aadProfile": "[if(contains(parameters('aksClusterContent').properties, 'aadProfile'), parameters('aksClusterContent').properties.aadProfile, json('null'))]",
                              "autoScalerProfile": "[if(contains(parameters('aksClusterContent').properties, 'autoScalerProfile'), parameters('aksClusterContent').properties.autoScalerProfile, json('null'))]",
                              "apiServerAccessProfile": "[if(contains(parameters('aksClusterContent').properties, 'apiServerAccessProfile'), parameters('aksClusterContent').properties.apiServerAccessProfile, json('null'))]",
                              "diskEncryptionSetID": "[if(contains(parameters('aksClusterContent').properties, 'diskEncryptionSetID'), parameters('aksClusterContent').properties.diskEncryptionSetID, json('null'))]",
                              "identityProfile": "[if(contains(parameters('aksClusterContent').properties, 'identityProfile'), parameters('aksClusterContent').properties.identityProfile, json('null'))]"
                            }
                          }
                        ],
                        "outputs": {}
                      },
                      "parameters": {
                        "aksClusterName": {
                          "value": "[parameters('clusterName')]"
                        },
                        "aksClusterContent": {
                          "value": "[reference(variables('clusterGetDeploymentName')).outputs.aksCluster.value]"
                        }
                      }
                    }
                  }
                ]
              },
              "parameters": {
                "clusterName": {
                  "value": "[field('name')]"
                },
                "clusterResourceGroupName": {
                  "value": "[resourceGroup().name]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "a8eff44f-8c92-45c3-a3fb-9880802d67a7"
}
BuiltIn Kubernetes False False n/a n/a n/a true 1 /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deploy-aks-policy (Deploy-AKS-Policy) false 0 n/a 'Azure Kubernetes Service Contributor Role' (ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8)
{
  "properties": {
    "displayName": "Deploy default Microsoft IaaSAntimalware extension for Windows Server",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy deploys a Microsoft IaaSAntimalware extension with a default configuration when a VM is not configured with the antimalware extension.",
    "metadata": {
      "version": "1.0.0",
      "category": "Compute"
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "Microsoft.Compute/imagePublisher",
            "equals": "MicrosoftWindowsServer"
          },
          {
            "field": "Microsoft.Compute/imageOffer",
            "equals": "WindowsServer"
          },
          {
            "field": "Microsoft.Compute/imageSKU",
            "in": [
              "2008-R2-SP1",
              "2008-R2-SP1-smalldisk",
              "2012-Datacenter",
              "2012-Datacenter-smalldisk",
              "2012-R2-Datacenter",
              "2012-R2-Datacenter-smalldisk",
              "2016-Datacenter",
              "2016-Datacenter-Server-Core",
              "2016-Datacenter-Server-Core-smalldisk",
              "2016-Datacenter-smalldisk",
              "2016-Datacenter-with-Containers",
              "2016-Datacenter-with-RDSH",
              "2019-Datacenter",
              "2019-Datacenter-Core",
              "2019-Datacenter-Core-smalldisk",
              "2019-Datacenter-Core-with-Containers",
              "2019-Datacenter-Core-with-Containers-smalldisk",
              "2019-Datacenter-smalldisk",
              "2019-Datacenter-with-Containers",
              "2019-Datacenter-with-Containers-smalldisk"
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.Compute/virtualMachines/extensions",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/type",
                "equals": "IaaSAntimalware"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                "equals": "Microsoft.Azure.Security"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "ExclusionsPaths": {
                    "type": "string",
                    "defaultValue": "",
                    "metadata": {
                      "description": "Semicolon delimited list of file paths or locations to exclude from scanning"
                    }
                  },
                  "ExclusionsExtensions": {
                    "type": "string",
                    "defaultValue": "",
                    "metadata": {
                      "description": "Semicolon delimited list of file extensions to exclude from scanning"
                    }
                  },
                  "ExclusionsProcesses": {
                    "type": "string",
                    "defaultValue": "",
                    "metadata": {
                      "description": "Semicolon delimited list of process names to exclude from scanning"
                    }
                  },
                  "RealtimeProtectionEnabled": {
                    "type": "string",
                    "defaultValue": "true",
                    "metadata": {
                      "description": "Indicates whether or not real time protection is enabled (default is true)"
                    }
                  },
                  "ScheduledScanSettingsIsEnabled": {
                    "type": "string",
                    "defaultValue": "false",
                    "metadata": {
                      "description": "Indicates whether or not custom scheduled scan settings are enabled (default is false)"
                    }
                  },
                  "ScheduledScanSettingsScanType": {
                    "type": "string",
                    "defaultValue": "Quick",
                    "metadata": {
                      "description": "Indicates whether scheduled scan setting type is set to Quick or Full (default is Quick)"
                    }
                  },
                  "ScheduledScanSettingsDay": {
                    "type": "string",
                    "defaultValue": "7",
                    "metadata": {
                      "description": "Day of the week for scheduled scan (1-Sunday, 2-Monday, ..., 7-Saturday)"
                    }
                  },
                  "ScheduledScanSettingsTime": {
                    "type": "string",
                    "defaultValue": "120",
                    "metadata": {
                      "description": "When to perform the scheduled scan, measured in minutes from midnight (0-1440). For example: 0 = 12AM, 60 = 1AM, 120 = 2AM."
                    }
                  }
                },
                "resources": [
                  {
                    "name": "[concat(parameters('vmName'),'/IaaSAntimalware')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "apiVersion": "2017-12-01",
                    "properties": {
                      "publisher": "Microsoft.Azure.Security",
                      "type": "IaaSAntimalware",
                      "typeHandlerVersion": "1.3",
                      "autoUpgradeMinorVersion": true,
                      "settings": {
                        "AntimalwareEnabled": true,
                        "RealtimeProtectionEnabled": "[parameters('RealtimeProtectionEnabled')]",
                        "ScheduledScanSettings": {
                          "isEnabled": "[parameters('ScheduledScanSettingsIsEnabled')]",
                          "day": "[parameters('ScheduledScanSettingsDay')]",
                          "time": "[parameters('ScheduledScanSettingsTime')]",
                          "scanType": "[parameters('ScheduledScanSettingsScanType')]"
                        },
                        "Exclusions": {
                          "Extensions": "[parameters('ExclusionsExtensions')]",
                          "Paths": "[parameters('ExclusionsPaths')]",
                          "Processes": "[parameters('ExclusionsProcesses')]"
                        }
                      }
                    }
                  }
                ]
              },
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "RealtimeProtectionEnabled": {
                  "value": "true"
                },
                "ScheduledScanSettingsIsEnabled": {
                  "value": "true"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/2835b622-407b-4114-9198-6f7064cbe0dc",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "2835b622-407b-4114-9198-6f7064cbe0dc"
}
BuiltIn Compute False False n/a n/a n/a false 0 n/a true 2 [Preview]: Motion Picture Association of America (MPAA) (/providers/microsoft.authorization/policysetdefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab) 'Virtual Machine Contributor' (9980e02c-c2be-4d73-94e8-173b1dc7cf3c)
{
  "properties": {
    "displayName": "Deploy Dependency agent for Linux virtual machine scale sets",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances.",
    "metadata": {
      "version": "1.3.0",
      "category": "Monitoring"
    },
    "parameters": {
      "listOfImageIdToInclude": {
        "type": "Array",
        "metadata": {
          "displayName": "Optional: List of VM images that have supported Linux OS to add to scope",
          "description": "Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'"
        },
        "defaultValue": []
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachineScaleSets"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Compute/imageId",
                "in": "[parameters('listOfImageIdToInclude')]"
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Canonical"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "UbuntuServer"
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "in": [
                          "14.04.0-LTS",
                          "14.04.1-LTS",
                          "14.04.5-LTS"
                        ]
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "in": [
                          "16.04-LTS",
                          "16.04.0-LTS"
                        ]
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "in": [
                          "18.04-LTS"
                        ]
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "RedHat"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "RHEL",
                      "RHEL-SAP-HANA"
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "6.*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "7*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "SUSE"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "SLES",
                      "SLES-HPC",
                      "SLES-HPC-Priority",
                      "SLES-SAP",
                      "SLES-SAP-BYOS",
                      "SLES-Priority",
                      "SLES-BYOS",
                      "SLES-SAPCAL",
                      "SLES-Standard"
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "in": [
                          "12-SP2",
                          "12-SP3",
                          "12-SP4"
                        ]
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "OpenLogic"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "CentOS",
                      "Centos-LVM",
                      "CentOS-SRIOV"
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "6.*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "7*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "cloudera"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "cloudera-centos-os"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "like": "7*"
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.Compute/virtualMachineScaleSets/extensions",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
          ],
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/type",
                "equals": "DependencyAgentLinux"
              },
              {
                "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/publisher",
                "equals": "Microsoft.Azure.Monitoring.DependencyAgent"
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "variables": {
                  "vmExtensionName": "DependencyAgentLinux",
                  "vmExtensionPublisher": "Microsoft.Azure.Monitoring.DependencyAgent",
                  "vmExtensionType": "DependencyAgentLinux",
                  "vmExtensionTypeHandlerVersion": "9.7"
                },
                "resources": [
                  {
                    "type": "Microsoft.Compute/virtualMachineScaleSets/extensions",
                    "name": "[concat(parameters('vmName'), '/', variables('vmExtensionName'))]",
                    "apiVersion": "2018-06-01",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "[variables('vmExtensionPublisher')]",
                      "type": "[variables('vmExtensionType')]",
                      "typeHandlerVersion": "[variables('vmExtensionTypeHandlerVersion')]",
                      "autoUpgradeMinorVersion": true
                    }
                  }
                ],
                "outputs": {
                  "policy": {
                    "type": "string",
                    "value": "[concat('Enabled extension for: ', parameters('vmName'))]"
                  }
                }
              },
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/765266ab-e40e-4c61-bcb2-5a5275d0b7c0",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "765266ab-e40e-4c61-bcb2-5a5275d0b7c0"
}
BuiltIn Monitoring False False n/a n/a n/a false 0 n/a true 1 Enable Azure Monitor for Virtual Machine Scale Sets (/providers/microsoft.authorization/policysetdefinitions/75714362-cae7-409e-9b99-a8e5075b7fad) 'Virtual Machine Contributor' (9980e02c-c2be-4d73-94e8-173b1dc7cf3c)
{
  "properties": {
    "displayName": "Deploy Dependency agent for Linux virtual machines",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed.",
    "metadata": {
      "version": "1.3.0",
      "category": "Monitoring"
    },
    "parameters": {
      "listOfImageIdToInclude": {
        "type": "Array",
        "metadata": {
          "displayName": "Optional: List of VM images that have supported Linux OS to add to scope",
          "description": "Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'"
        },
        "defaultValue": []
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Compute/imageId",
                "in": "[parameters('listOfImageIdToInclude')]"
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Canonical"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "UbuntuServer"
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "in": [
                          "14.04.0-LTS",
                          "14.04.1-LTS",
                          "14.04.5-LTS"
                        ]
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "in": [
                          "16.04-LTS",
                          "16.04.0-LTS"
                        ]
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "in": [
                          "18.04-LTS"
                        ]
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "RedHat"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "RHEL",
                      "RHEL-SAP-HANA"
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "6.*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "7*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "SUSE"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "SLES",
                      "SLES-HPC",
                      "SLES-HPC-Priority",
                      "SLES-SAP",
                      "SLES-SAP-BYOS",
                      "SLES-Priority",
                      "SLES-BYOS",
                      "SLES-SAPCAL",
                      "SLES-Standard"
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "in": [
                          "12-SP2",
                          "12-SP3",
                          "12-SP4"
                        ]
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "OpenLogic"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "CentOS",
                      "Centos-LVM",
                      "CentOS-SRIOV"
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "6.*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "7*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "cloudera"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "cloudera-centos-os"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "like": "7*"
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.Compute/virtualMachines/extensions",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/type",
                "equals": "DependencyAgentLinux"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                "equals": "Microsoft.Azure.Monitoring.DependencyAgent"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",
                "equals": "Succeeded"
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "variables": {
                  "vmExtensionName": "DependencyAgentLinux",
                  "vmExtensionPublisher": "Microsoft.Azure.Monitoring.DependencyAgent",
                  "vmExtensionType": "DependencyAgentLinux",
                  "vmExtensionTypeHandlerVersion": "9.6"
                },
                "resources": [
                  {
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "name": "[concat(parameters('vmName'), '/', variables('vmExtensionName'))]",
                    "apiVersion": "2018-06-01",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "[variables('vmExtensionPublisher')]",
                      "type": "[variables('vmExtensionType')]",
                      "typeHandlerVersion": "[variables('vmExtensionTypeHandlerVersion')]",
                      "autoUpgradeMinorVersion": true
                    }
                  }
                ],
                "outputs": {
                  "policy": {
                    "type": "string",
                    "value": "[concat('Enabled extension for VM', ': ', parameters('vmName'))]"
                  }
                }
              },
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/4da21710-ce6f-4e06-8cdb-5cc4c93ffbee",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "4da21710-ce6f-4e06-8cdb-5cc4c93ffbee"
}
BuiltIn Monitoring False False n/a n/a n/a false 0 n/a true 1 Enable Azure Monitor for VMs (/providers/microsoft.authorization/policysetdefinitions/55f3eceb-5573-4f18-9695-226972c6d74a) 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Activity Log to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for Activity Log to stream to a Log Analytics workspace when any Activity Log which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with category enabled.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.6402081Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Primary Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "deploymentScope": "Subscription",
          "existenceScope": "Subscription",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "deployment": {
            "location": "northeurope",
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "logAnalytics": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "name": "subscriptionToLa",
                    "type": "Microsoft.Insights/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "location": "Global",
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "logs": [
                        {
                          "category": "Administrative",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "Security",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "ServiceHealth",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "Alert",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "Recommendation",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "Policy",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "Autoscale",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "ResourceHealth",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ActivityLog",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-ActivityLog"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists true 1 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-azactivity-log (Deploy-AzActivity-Log) false 0 n/a 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:37.7843307Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.AnalysisServices/servers"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.AnalysisServices/servers/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": [
                        {
                          "category": "Engine",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "Service",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-AnalysisService"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for API Management to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.474291Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.ApiManagement/service"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.ApiManagement/service/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "Gateway Requests",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        },
                        {
                          "category": "Capacity",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        },
                        {
                          "category": "EventHub Events",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        },
                        {
                          "category": "Network Status",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": [
                        {
                          "category": "GatewayLogs",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-APIMgmt"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.4694696Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Web/serverfarms"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Web/serverfarms/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": []
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-WebServerFarm"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for App Service to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.4710459Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "value": "[field('kind')]",
            "notContains": "functionapp"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Web/sites/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": [
                        {
                          "category": "AppServiceAntivirusScanAuditLogs",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "AppServiceHTTPLogs",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "AppServiceConsoleLogs",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "AppServiceHTTPLogs",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "AppServiceAppLogs",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "AppServiceFileAuditLogs",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "AppServiceAuditLogs",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "AppServiceIPSecAuditLogs",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "AppServicePlatformLogs",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-Website"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.7398799Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Network/applicationGateways"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Network/applicationGateways/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": [
                        {
                          "category": "ApplicationGatewayAccessLog",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "ApplicationGatewayPerformanceLog",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "ApplicationGatewayFirewallLog",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-ApplicationGateway"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Automation to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.1308417Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Automation/automationAccounts"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Automation/automationAccounts/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "timeGrain": null,
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "enabled": false,
                            "days": 0
                          }
                        }
                      ],
                      "logs": [
                        {
                          "category": "JobLogs",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "JobStreams",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "DscNodeStatus",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-AA"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.4941318Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.DataLakeStore/accounts"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.DataLakeStore/accounts/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": [
                        {
                          "category": "Audit",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "Requests",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataLakeStore",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-DataLakeStore"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.5054179Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "value": "[field('kind')]",
            "notEquals": "app"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Web/sites/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": [
                        {
                          "category": "FunctionAppLogs",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-Function"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Azure SQL Database to Event Hub",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploys the diagnostic settings for Azure SQL Database to stream to a regional Event Hub on any Azure SQL Database which is missing this diagnostic settings is created or updated.",
    "metadata": {
      "version": "1.2.0",
      "category": "SQL"
    },
    "parameters": {
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "eventHubRuleId": {
        "type": "String",
        "metadata": {
          "displayName": "Event Hub Authorization Rule Id",
          "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
          "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
          "assignPermissions": true
        }
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Event Hub - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "False"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Event Hub  - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Sql/servers/databases"
      },
      "then": {
        "effect": "DeployIfNotExists",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "[parameters('profileName')]",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
                "equals": "[parameters('logsEnabled')]"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics[*].enabled",
                "equals": "[parameters('metricsEnabled')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "fullName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "eventHubRuleId": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "type": "Microsoft.Sql/servers/databases/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('fullName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "enabled": false,
                            "days": 0
                          }
                        }
                      ],
                      "logs": [
                        {
                          "category": "QueryStoreRuntimeStatistics",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "QueryStoreWaitStatistics",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "Errors",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "DatabaseWaitStatistics",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "Blocks",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "SQLInsights",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "SQLSecurityAuditEvents",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "Timeouts",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "AutomaticTuning",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "Deadlocks",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "DevOpsOperationsAudit",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {
                  "policy": {
                    "type": "string",
                    "value": "[concat('Enabled diagnostic settings for ', parameters('fullName'))]"
                  }
                }
              },
              "parameters": {
                "location": {
                  "value": "[field('location')]"
                },
                "fullName": {
                  "value": "[field('fullName')]"
                },
                "eventHubRuleId": {
                  "value": "[parameters('eventHubRuleId')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/9a7c7a7d-49e5-4213-bea8-6a502b6272e0",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "9a7c7a7d-49e5-4213-bea8-6a502b6272e0"
}
BuiltIn SQL False False n/a n/a n/a false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Batch Account to Event Hub",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploys the diagnostic settings for Batch Account to stream to a regional Event Hub when any Batch Account which is missing this diagnostic settings is created or updated.",
    "metadata": {
      "version": "2.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy_eventHub"
      },
      "eventHubRuleId": {
        "type": "String",
        "metadata": {
          "displayName": "Event Hub Authorization Rule Id",
          "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
          "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
          "assignPermissions": true
        }
      },
      "eventHubLocation": {
        "type": "String",
        "metadata": {
          "displayName": "Event Hub Location",
          "description": "The location the Event Hub resides in. Only Batch Accounts in this location will be linked to this Event Hub.",
          "strongType": "location"
        },
        "defaultValue": ""
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Event Hub - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "False"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Event Hub  - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Batch/batchAccounts"
          },
          {
            "anyOf": [
              {
                "value": "[parameters('eventHubLocation')]",
                "equals": ""
              },
              {
                "field": "location",
                "equals": "[parameters('eventHubLocation')]"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "[parameters('profileName')]",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "[parameters('logsEnabled')]"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "[parameters('metricsEnabled')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "eventHubRuleId": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Batch/batchAccounts/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "enabled": false,
                            "days": 0
                          }
                        }
                      ],
                      "logs": [
                        {
                          "category": "ServiceLog",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "eventHubRuleId": {
                  "value": "[parameters('eventHubRuleId')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/db51110f-0865-4a6e-b274-e2e07a5b2cd7",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "db51110f-0865-4a6e-b274-e2e07a5b2cd7"
}
BuiltIn Monitoring False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Batch Account to Log Analytics workspace",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploys the diagnostic settings for Batch Account to stream to a regional Log Analytics workspace when any Batch Account which is missing this diagnostic settings is created or updated.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy_logAnalytics"
      },
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace",
          "assignPermissions": true
        }
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "False"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Batch/batchAccounts"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "[parameters('profileName')]",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "[parameters('logsEnabled')]"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "[parameters('metricsEnabled')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Batch/batchAccounts/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "enabled": false,
                            "days": 0
                          }
                        }
                      ],
                      "logs": [
                        {
                          "category": "ServiceLog",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c84e5349-db6d-4769-805e-e14037dab9b5"
}
BuiltIn Monitoring False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Batch to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.5031507Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Batch/batchAccounts"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Batch/batchAccounts/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": [
                        {
                          "category": "ServiceLog",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Batch",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-Batch"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.4860295Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Cdn/profiles/endpoints"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Cdn/profiles/endpoints/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [],
                      "logs": [
                        {
                          "category": "CoreAnalytics",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('fullName')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-CDNEndpoints"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.5078731Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.CognitiveServices/accounts"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.CognitiveServices/accounts/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": [
                        {
                          "category": "Audit",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "RequestResponse",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "Trace",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-CognitiveServices"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Container Instances to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics enabled.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.5001774Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.ContainerInstance/containerGroups"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.ContainerInstance/containerGroups/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": []
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-ACI"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Container Registry to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics  enabled.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.4946313Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.ContainerRegistry/registries"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.ContainerRegistry/registries/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": [
                        {
                          "category": "ContainerRegistryLoginEvents",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "ContainerRegistryRepositoryEvents",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-ACR"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.5196791Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.DocumentDB/databaseAccounts"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.DocumentDB/databaseAccounts/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "Requests",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": [
                        {
                          "category": "DataPlaneRequests",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "MongoRequests",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "QueryRuntimeStatistics",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "PartitionKeyStatistics",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "PartitionKeyRUConsumption",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "ControlPlaneRequests",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "CassandraRequests",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "GremlinRequests",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-CosmosDB"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Data Factory to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.506043Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.DataFactory/factories"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.DataFactory/factories/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": [
                        {
                          "category": "ActivityRuns",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "PipelineRuns",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "TriggerRuns",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "SSISPackageEventMessages",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "SSISPackageExecutableStatistics",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "SSISPackageEventMessageContext",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "SSISPackageExecutionComponentPhases",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "SSISPackageExecutionDataStatistics",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "SSISIntegrationRuntimeLogs",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-DataFactory"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Data Lake Analytics to Event Hub",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Event Hub when any Data Lake Analytics which is missing this diagnostic settings is created or updated.",
    "metadata": {
      "version": "2.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy_eventHub"
      },
      "eventHubRuleId": {
        "type": "String",
        "metadata": {
          "displayName": "Event Hub Authorization Rule Id",
          "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
          "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
          "assignPermissions": true
        }
      },
      "eventHubLocation": {
        "type": "String",
        "metadata": {
          "displayName": "Event Hub Location",
          "description": "The location the Event Hub resides in. Only Data Lake Analytics in this location will be linked to this Event Hub.",
          "strongType": "location"
        },
        "defaultValue": ""
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Event Hub - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "False"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Event Hub  - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DataLakeAnalytics/accounts"
          },
          {
            "anyOf": [
              {
                "value": "[parameters('eventHubLocation')]",
                "equals": ""
              },
              {
                "field": "location",
                "equals": "[parameters('eventHubLocation')]"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "[parameters('profileName')]",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "[parameters('logsEnabled')]"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "[parameters('metricsEnabled')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "eventHubRuleId": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.DataLakeAnalytics/accounts/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "enabled": false,
                            "days": 0
                          }
                        }
                      ],
                      "logs": [
                        {
                          "category": "Audit",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "Requests",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "eventHubRuleId": {
                  "value": "[parameters('eventHubRuleId')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/4daddf25-4823-43d4-88eb-2419eb6dcc08",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "4daddf25-4823-43d4-88eb-2419eb6dcc08"
}
BuiltIn Monitoring False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy_logAnalytics"
      },
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace",
          "assignPermissions": true
        }
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "False"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.DataLakeAnalytics/accounts"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "[parameters('profileName')]",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "[parameters('logsEnabled')]"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "[parameters('metricsEnabled')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.DataLakeAnalytics/accounts/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "enabled": false,
                            "days": 0
                          }
                        }
                      ],
                      "logs": [
                        {
                          "category": "Audit",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "Requests",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03"
}
BuiltIn Monitoring False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.5323155Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.DataLakeAnalytics/accounts"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.DataLakeAnalytics/accounts/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": [
                        {
                          "category": "Audit",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "Requests",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-DLAnalytics"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Data Lake Storage Gen1 to Event Hub",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Event Hub when any Data Lake Storage Gen1 which is missing this diagnostic settings is created or updated.",
    "metadata": {
      "version": "2.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy_eventHub"
      },
      "eventHubRuleId": {
        "type": "String",
        "metadata": {
          "displayName": "Event Hub Authorization Rule Id",
          "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
          "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
          "assignPermissions": true
        }
      },
      "eventHubLocation": {
        "type": "String",
        "metadata": {
          "displayName": "Event Hub Location",
          "description": "The location the Event Hub resides in. Only Data Lake Storage in this location will be linked to this Event Hub.",
          "strongType": "location"
        },
        "defaultValue": ""
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Event Hub - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "False"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Event Hub  - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DataLakeStore/accounts"
          },
          {
            "anyOf": [
              {
                "value": "[parameters('eventHubLocation')]",
                "equals": ""
              },
              {
                "field": "location",
                "equals": "[parameters('eventHubLocation')]"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "[parameters('profileName')]",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "[parameters('logsEnabled')]"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "[parameters('metricsEnabled')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "eventHubRuleId": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.DataLakeStore/accounts/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "enabled": false,
                            "days": 0
                          }
                        }
                      ],
                      "logs": [
                        {
                          "category": "Audit",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "Requests",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "eventHubRuleId": {
                  "value": "[parameters('eventHubRuleId')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e8d096bc-85de-4c5f-8cfb-857bd1b9d62d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e8d096bc-85de-4c5f-8cfb-857bd1b9d62d"
}
BuiltIn Monitoring False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Log Analytics workspace when any Data Lake Storage Gen1 which is missing this diagnostic settings is created or updated.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy_logAnalytics"
      },
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace",
          "assignPermissions": true
        }
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "False"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.DataLakeStore/accounts"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "[parameters('profileName')]",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "[parameters('logsEnabled')]"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "[parameters('metricsEnabled')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.DataLakeStore/accounts/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "enabled": false,
                            "days": 0
                          }
                        }
                      ],
                      "logs": [
                        {
                          "category": "Audit",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "Requests",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/25763a0a-5783-4f14-969e-79d4933eb74b",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "25763a0a-5783-4f14-969e-79d4933eb74b"
}
BuiltIn Monitoring False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.5329365Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.DBforMySQL/servers"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.DBforMySQL/servers/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": [
                        {
                          "category": "MySqlSlowLogs",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "MySqlAuditLogs",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-MySQL"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.425534Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.DBforPostgreSQL/servers"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.DBforPostgreSQL/servers/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": [
                        {
                          "category": "PostgreSQLLogs",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "QueryStoreRuntimeStatistics",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "QueryStoreWaitStatistics",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-PostgreSQL"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Databricks to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.539725Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Databricks/workspaces"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Databricks/workspaces/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "logs": [
                        {
                          "category": "dbfs",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "clusters",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "accounts",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "jobs",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "notebook",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "ssh",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "workspace",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "secrets",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "sqlPermissions",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "instancePools",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-Databricks"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.5589935Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.EventGrid/eventSubscriptions"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.EventGrid/eventSubscriptions/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": []
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-EventGridSub"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.5598921Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.EventGrid/systemTopics"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.EventGrid/systemTopics/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": [
                        {
                          "category": "DeliveryFailures",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-EventGridSystemTopic"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.4975041Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.EventGrid/topics"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.EventGrid/topics/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": [
                        {
                          "category": "DeliveryFailures",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "PublishFailures",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-EventGridTopic"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Event Hub to Event Hub",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploys the diagnostic settings for Event Hub to stream to a regional Event Hub when any Event Hub which is missing this diagnostic settings is created or updated.",
    "metadata": {
      "version": "2.1.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy_eventHub"
      },
      "eventHubRuleId": {
        "type": "String",
        "metadata": {
          "displayName": "Event Hub Authorization Rule Id",
          "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
          "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
          "assignPermissions": true
        }
      },
      "eventHubLocation": {
        "type": "String",
        "metadata": {
          "displayName": "Event Hub Destination Location",
          "description": "The location the Event Hub that will get diagnostic data resides in. Only source Event Hubs in this location will be linked to this destination Event Hub.",
          "strongType": "location"
        },
        "defaultValue": ""
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Event Hub - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "False"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Event Hub  - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.EventHub/namespaces"
          },
          {
            "anyOf": [
              {
                "value": "[parameters('eventHubLocation')]",
                "equals": ""
              },
              {
                "field": "location",
                "equals": "[parameters('eventHubLocation')]"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "[parameters('profileName')]",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "[parameters('logsEnabled')]"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "[parameters('metricsEnabled')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "eventHubRuleId": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.EventHub/namespaces/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "enabled": false,
                            "days": 0
                          }
                        }
                      ],
                      "logs": [
                        {
                          "category": "ArchiveLogs",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "OperationalLogs",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "AutoScaleLogs",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "KafkaCoordinatorLogs",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "KafkaUserErrorLogs",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "EventHubVNetConnectionEvent",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "CustomerManagedKeyUserLogs",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "eventHubRuleId": {
                  "value": "[parameters('eventHubRuleId')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/ef7b61ef-b8e4-4c91-8e78-6946c6b0023f",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ef7b61ef-b8e4-4c91-8e78-6946c6b0023f"
}
BuiltIn Monitoring False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Event Hub to Log Analytics workspace",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploys the diagnostic settings for Event Hub to stream to a regional Log Analytics workspace when any Event Hub which is missing this diagnostic settings is created or updated.",
    "metadata": {
      "version": "1.1.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy_logAnalytics"
      },
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace",
          "assignPermissions": true
        }
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "False"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.EventHub/namespaces"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "[parameters('profileName')]",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "[parameters('logsEnabled')]"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "[parameters('metricsEnabled')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.EventHub/namespaces/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "enabled": false,
                            "days": 0
                          }
                        }
                      ],
                      "logs": [
                        {
                          "category": "ArchiveLogs",
                          "enabled": true,
                          "retentionPolicy": {
                            "enabled": false,
                            "days": 0
                          }
                        },
                        {
                          "category": "OperationalLogs",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "AutoScaleLogs",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "KafkaCoordinatorLogs",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "KafkaUserErrorLogs",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "EventHubVNetConnectionEvent",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "CustomerManagedKeyUserLogs",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "1f6e93e8-6b31-41b1-83f6-36e449a42579"
}
BuiltIn Monitoring False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:37.839052Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.EventHub/namespaces"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.EventHub/namespaces/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": [
                        {
                          "category": "ArchiveLogs",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "OperationalLogs",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "AutoScaleLogs",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "KafkaCoordinatorLogs",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "KafkaUserErrorLogs",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "EventHubVNetConnectionEvent",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "CustomerManagedKeyUserLogs",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventHub",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-EventHub"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.590183Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Network/expressRouteCircuits"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Network/expressRouteCircuits/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": [
                        {
                          "category": "PeeringRouteLog",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-ExpressRoute"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Firewall to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.4702368Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Network/azureFirewalls"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Network/azureFirewalls/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": [
                        {
                          "category": "AzureFirewallApplicationRule",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "AzureFirewallNetworkRule",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "AzureFirewallDnsProxy",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-Firewall"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Front Door to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.4707789Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Network/frontDoors"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Network/frontDoors/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": [
                        {
                          "category": "FrontdoorAccessLog",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "FrontdoorWebApplicationFirewallLog",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-FrontDoor"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for HDInsight to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.4748877Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.HDInsight/clusters"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.HDInsight/clusters/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": []
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-HDInsight"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.5030074Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Devices/IotHubs"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Devices/IotHubs/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": [
                        {
                          "category": "Connections",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "DeviceTelemetry",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "C2DCommands",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "DeviceIdentityOperations",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "FileUploadOperations",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "Routes",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "D2CTwinOperations",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "C2DTwinOperations",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "TwinQueries",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "JobsOperations",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "DirectMethods",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "DistributedTracing",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "Configurations",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "DeviceStreams",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-iotHub"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Key Vault to Event Hub",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploys the diagnostic settings for Key Vault to stream to a regional Event Hub when any Key Vault which is missing this diagnostic settings is created or updated.",
    "metadata": {
      "version": "2.0.0",
      "category": "Key Vault"
    },
    "parameters": {
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "eventHubRuleId": {
        "type": "String",
        "metadata": {
          "displayName": "Event Hub Authorization Rule Id",
          "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
          "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
          "assignPermissions": true
        }
      },
      "eventHubLocation": {
        "type": "String",
        "metadata": {
          "displayName": "Event Hub Location",
          "description": "The location the Event Hub resides in. Only Key Vaults in this location will be linked to this Event Hub.",
          "strongType": "location"
        },
        "defaultValue": ""
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Event Hub - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "False"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Event Hub  - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault/vaults"
          },
          {
            "anyOf": [
              {
                "value": "[parameters('eventHubLocation')]",
                "equals": ""
              },
              {
                "field": "location",
                "equals": "[parameters('eventHubLocation')]"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "[parameters('profileName')]",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "[parameters('logsEnabled')]"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "[parameters('metricsEnabled')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vaultName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "eventHubRuleId": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "type": "Microsoft.KeyVault/vaults/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('vaultName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "enabled": false,
                            "days": 0
                          }
                        }
                      ],
                      "logs": [
                        {
                          "category": "AuditEvent",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {
                  "policy": {
                    "type": "string",
                    "value": "[concat('Enabled diagnostic settings for ', parameters('vaultName'))]"
                  }
                }
              },
              "parameters": {
                "location": {
                  "value": "[field('location')]"
                },
                "vaultName": {
                  "value": "[field('name')]"
                },
                "eventHubRuleId": {
                  "value": "[parameters('eventHubRuleId')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/ed7c8c13-51e7-49d1-8a43-8490431a0da2",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ed7c8c13-51e7-49d1-8a43-8490431a0da2"
}
BuiltIn Key Vault False False n/a n/a n/a false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Key Vault to Log Analytics workspace",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploys the diagnostic settings for Key Vault to stream to a regional Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy_logAnalytics"
      },
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace",
          "assignPermissions": true
        }
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "False"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.KeyVault/vaults"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "[parameters('profileName')]",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "[parameters('logsEnabled')]"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "[parameters('metricsEnabled')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.KeyVault/vaults/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "enabled": false,
                            "days": 0
                          }
                        }
                      ],
                      "logs": [
                        {
                          "category": "AuditEvent",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "bef3f64c-5290-43b7-85b0-9b254eef4c47"
}
BuiltIn Monitoring False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Key Vault to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.4863409Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.KeyVault/vaults"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "name": "setByPolicy",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.KeyVault/vaults/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": [
                        {
                          "category": "AuditEvent",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-KeyVault",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-KeyVault"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:37.7897371Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.ContainerService/managedClusters"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.ContainerService/managedClusters/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": [
                        {
                          "category": "kube-audit",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "kube-apiserver",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "kube-controller-manager",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "kube-scheduler",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "cluster-autoscaler",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "guard",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "kube-audit-admin",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AKS",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-AKS"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.501068Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Network/loadBalancers"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Network/loadBalancers/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "timeGrain": null,
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "enabled": false,
                            "days": 0
                          }
                        }
                      ],
                      "logs": [
                        {
                          "category": "LoadBalancerAlertEvent",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "LoadBalancerProbeHealthStatus",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-LoadBalancer"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.6996608Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Logic/integrationAccounts"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Logic/integrationAccounts/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [],
                      "logs": [
                        {
                          "category": "IntegrationAccountTrackingEvents",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-LogicAppsISE"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Logic Apps to Event Hub",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploys the diagnostic settings for Logic Apps to stream to a regional Event Hub when any Logic Apps which is missing this diagnostic settings is created or updated.",
    "metadata": {
      "version": "2.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy_eventHub"
      },
      "eventHubRuleId": {
        "type": "String",
        "metadata": {
          "displayName": "Event Hub Authorization Rule Id",
          "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
          "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
          "assignPermissions": true
        }
      },
      "eventHubLocation": {
        "type": "String",
        "metadata": {
          "displayName": "Event Hub Location",
          "description": "The location the Event Hub resides in. Only Logic Apps in this location will be linked to this Event Hub.",
          "strongType": "location"
        },
        "defaultValue": ""
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Event Hub - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "False"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Event Hub  - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Logic/workflows"
          },
          {
            "anyOf": [
              {
                "value": "[parameters('eventHubLocation')]",
                "equals": ""
              },
              {
                "field": "location",
                "equals": "[parameters('eventHubLocation')]"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "[parameters('profileName')]",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "[parameters('logsEnabled')]"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "[parameters('metricsEnabled')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "eventHubRuleId": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Logic/workflows/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "enabled": false,
                            "days": 0
                          }
                        }
                      ],
                      "logs": [
                        {
                          "category": "WorkflowRuntime",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "eventHubRuleId": {
                  "value": "[parameters('eventHubRuleId')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/a1dae6c7-13f3-48ea-a149-ff8442661f60",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "a1dae6c7-13f3-48ea-a149-ff8442661f60"
}
BuiltIn Monitoring False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploys the diagnostic settings for Logic Apps to stream to a regional Log Analytics workspace when any Logic Apps which is missing this diagnostic settings is created or updated.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy_logAnalytics"
      },
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace",
          "assignPermissions": true
        }
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "False"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Logic/workflows"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "[parameters('profileName')]",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "[parameters('logsEnabled')]"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "[parameters('metricsEnabled')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Logic/workflows/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "enabled": false,
                            "days": 0
                          }
                        }
                      ],
                      "logs": [
                        {
                          "category": "WorkflowRuntime",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b889a06c-ec72-4b03-910a-cb169ee18721"
}
BuiltIn Monitoring False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Logic Apps Workflow runtime to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for Logic Apps Workflow runtimeto stream to a Log Analytics workspace when any Logic Apps Workflow runtime which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.5078255Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Logic/workflows"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Logic/workflows/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": [
                        {
                          "category": "WorkflowRuntime",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsWF",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-LogicAppsWF"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.3442864Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.MachineLearningServices/workspaces"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.MachineLearningServices/workspaces/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "Run",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        },
                        {
                          "category": "Model",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": true
                          }
                        },
                        {
                          "category": "Quota",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        },
                        {
                          "category": "Resource",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": [
                        {
                          "category": "AmlComputeClusterEvent",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "AmlComputeClusterNodeEvent",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "AmlComputeJobEvent",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "AmlComputeCpuGpuUtilization",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "AmlRunStatusChangedEvent",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-MlWorkspace"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for MariaDB to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB  which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.6588825Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.DBforMariaDB/servers"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.DBforMariaDB/servers/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": [
                        {
                          "category": "MySqlSlowLogs",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "MySqlAuditLogs",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-MariaDB"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.5350219Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Network/networkInterfaces"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Network/networkInterfaces/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "timeGrain": null,
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "enabled": false,
                            "days": 0
                          }
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-NIC"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Network Security Groups",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy automatically deploys diagnostic settings to network security groups. A storage account with name '{storagePrefixParameter}{NSGLocation}' will be automatically created.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "storagePrefix": {
        "type": "String",
        "metadata": {
          "displayName": "Storage Account Prefix for Regional Storage Account",
          "description": "This prefix will be combined with the network security group location to form the created storage account name."
        }
      },
      "rgName": {
        "type": "String",
        "metadata": {
          "displayName": "Resource Group Name for Storage Account (must exist)",
          "description": "The resource group that the storage account will be created in. This resource group must already exist.",
          "strongType": "ExistingResourceGroups"
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Network/networkSecurityGroups"
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setbypolicy",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "location": {
                    "type": "string"
                  },
                  "storagePrefix": {
                    "type": "string"
                  },
                  "nsgName": {
                    "type": "string"
                  },
                  "rgName": {
                    "type": "string"
                  }
                },
                "variables": {
                  "storageDeployName": "[concat('policyStorage_', uniqueString(parameters('location'), parameters('nsgName')))]"
                },
                "resources": [
                  {
                    "type": "Microsoft.Network/networkSecurityGroups/providers/diagnosticSettings",
                    "name": "[concat(parameters('nsgName'),'/Microsoft.Insights/setbypolicy')]",
                    "apiVersion": "2017-05-01-preview",
                    "location": "[parameters('location')]",
                    "dependsOn": [
                      "[variables('storageDeployName')]"
                    ],
                    "properties": {
                      "storageAccountId": "[reference(variables('storageDeployName')).outputs.storageAccountId.value]",
                      "logs": [
                        {
                          "category": "NetworkSecurityGroupEvent",
                          "enabled": true,
                          "retentionPolicy": {
                            "enabled": false,
                            "days": 0
                          }
                        },
                        {
                          "category": "NetworkSecurityGroupRuleCounter",
                          "enabled": true,
                          "retentionPolicy": {
                            "enabled": false,
                            "days": 0
                          }
                        }
                      ]
                    }
                  },
                  {
                    "apiVersion": "2017-05-10",
                    "name": "[variables('storageDeployName')]",
                    "type": "Microsoft.Resources/deployments",
                    "resourceGroup": "[parameters('rgName')]",
                    "properties": {
                      "mode": "incremental",
                      "parameters": {
                        "location": {
                          "value": "[parameters('location')]"
                        },
                        "storagePrefix": {
                          "value": "[parameters('storagePrefix')]"
                        }
                      },
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "location": {
                            "type": "string"
                          },
                          "storagePrefix": {
                            "type": "string"
                          }
                        },
                        "resources": [
                          {
                            "apiVersion": "2017-06-01",
                            "type": "Microsoft.Storage/storageAccounts",
                            "name": "[concat(parameters('storageprefix'), parameters('location'))]",
                            "sku": {
                              "name": "Standard_LRS",
                              "tier": "Standard"
                            },
                            "kind": "Storage",
                            "location": "[parameters('location')]",
                            "tags": {
                              "created-by": "policy"
                            },
                            "scale": null,
                            "properties": {
                              "networkAcls": {
                                "bypass": "AzureServices",
                                "defaultAction": "Allow",
                                "ipRules": [],
                                "virtualNetworkRules": []
                              },
                              "supportsHttpsTrafficOnly": true
                            }
                          }
                        ],
                        "outputs": {
                          "storageAccountId": {
                            "type": "string",
                            "value": "[resourceId(parameters('rgName'), 'Microsoft.Storage/storageAccounts',concat(parameters('storagePrefix'), parameters('location')))]"
                          }
                        }
                      }
                    }
                  }
                ]
              },
              "parameters": {
                "location": {
                  "value": "[field('location')]"
                },
                "storagePrefix": {
                  "value": "[parameters('storagePrefix')]"
                },
                "rgName": {
                  "value": "[parameters('rgName')]"
                },
                "nsgName": {
                  "value": "[field('name')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c9c29499-c1d1-4195-99bd-2ec9e3a9dc89",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c9c29499-c1d1-4195-99bd-2ec9e3a9dc89"
}
BuiltIn Monitoring False False n/a n/a n/a false 0 n/a true 2 [Preview]: Motion Picture Association of America (MPAA) (/providers/microsoft.authorization/policysetdefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Storage Account Contributor' (17d1049b-9a84-46fb-8f53-869881c3d3ab)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.4942927Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Network/networkSecurityGroups"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Network/networkSecurityGroups/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [],
                      "logs": [
                        {
                          "category": "NetworkSecurityGroupEvent",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "NetworkSecurityGroupRuleCounter",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-NetworkSecurityGroups"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.5055081Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.PowerBIDedicated/capacities"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.PowerBIDedicated/capacities/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": [
                        {
                          "category": "Engine",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-PowerBIEmbedded"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.5019142Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Network/publicIPAddresses"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Network/publicIPAddresses/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "timeGrain": null,
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "enabled": false,
                            "days": 0
                          }
                        }
                      ],
                      "logs": [
                        {
                          "category": "DDoSProtectionNotifications",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "DDoSMitigationFlowLogs",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "DDoSMitigationReports",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PublicIP",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-PublicIP"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories.",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploy Diagnostic Settings for Recovery Services Vault to stream to Log Analytics workspace for Resource specific categories. If any of the Resource specific categories are not enabled, a new diagnostic setting is created.",
    "metadata": {
      "version": "1.0.2",
      "category": "Backup"
    },
    "parameters": {
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy_logAnalytics"
      },
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace",
          "assignPermissions": true
        }
      },
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Exclusion Tag Name",
          "description": "Name of the tag to use for excluding vaults from this policy. This should be used along with the Exclusion Tag Value parameter."
        },
        "defaultValue": ""
      },
      "tagValue": {
        "type": "String",
        "metadata": {
          "displayName": "Exclusion Tag Value",
          "description": "Value of the tag to use for excluding vaults from this policy. This should be used along with the Exclusion Tag Name parameter."
        },
        "defaultValue": ""
      }
    },
    "policyRule": {
      "if": {
        "allof": [
          {
            "field": "type",
            "equals": "Microsoft.RecoveryServices/vaults"
          },
          {
            "not": {
              "field": "[concat('tags[',parameters('tagName'), ']')]",
              "equals": "[parameters('tagValue')]"
            }
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "existenceCondition": {
            "allof": [
              {
                "count": {
                  "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
                  "where": {
                    "allof": [
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs[*].Category",
                        "in": [
                          "CoreAzureBackup",
                          "AddonAzureBackupJobs",
                          "AddonAzureBackupAlerts",
                          "AddonAzureBackupPolicy",
                          "AddonAzureBackupStorage",
                          "AddonAzureBackupProtectedInstance"
                        ]
                      },
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs[*].Enabled",
                        "equals": "True"
                      }
                    ]
                  }
                },
                "Equals": 6
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "notEquals": ""
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/logAnalyticsDestinationType",
                "equals": "Dedicated"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vaultName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.RecoveryServices/vaults/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('vaultName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "logAnalyticsDestinationType": "Dedicated",
                      "metrics": [],
                      "logs": [
                        {
                          "category": "CoreAzureBackup",
                          "enabled": "true"
                        },
                        {
                          "category": "AddonAzureBackupAlerts",
                          "enabled": "true"
                        },
                        {
                          "category": "AddonAzureBackupJobs",
                          "enabled": "true"
                        },
                        {
                          "category": "AddonAzureBackupPolicy",
                          "enabled": "true"
                        },
                        {
                          "category": "AddonAzureBackupProtectedInstance",
                          "enabled": "true"
                        },
                        {
                          "category": "AddonAzureBackupStorage",
                          "enabled": "true"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {
                  "policy": {
                    "type": "string",
                    "value": "[concat(parameters('logAnalytics'), 'configured for resource logs for ', ': ', parameters('vaultName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
                  }
                }
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "vaultName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c717fb0c-d118-4c43-ab3d-ece30ac81fb3"
}
BuiltIn Backup False False n/a n/a n/a false 0 n/a false 0 n/a 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Recovery Services vaults to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for Recovery Services vaults to stream to a Log Analytics workspace when any Recovery Services vaults which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.5205102Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.RecoveryServices/vaults"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allof": [
              {
                "count": {
                  "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
                  "where": {
                    "allof": [
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs[*].Category",
                        "in": [
                          "CoreAzureBackup",
                          "AddonAzureBackupJobs",
                          "AddonAzureBackupAlerts",
                          "AddonAzureBackupPolicy",
                          "AddonAzureBackupStorage",
                          "AddonAzureBackupProtectedInstance",
                          "AzureBackupReport"
                        ]
                      },
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs[*].Enabled",
                        "equals": "True"
                      }
                    ]
                  }
                },
                "Equals": 7
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/logAnalyticsDestinationType",
                "equals": "Dedicated"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.RecoveryServices/vaults/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "logAnalyticsDestinationType": "Dedicated",
                      "metrics": [],
                      "logs": [
                        {
                          "category": "CoreAzureBackup",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "AddonAzureBackupAlerts",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "AddonAzureBackupJobs",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "AddonAzureBackupPolicy",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "AddonAzureBackupProtectedInstance",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "AddonAzureBackupStorage",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "AzureBackupReport",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RecoveryVault",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-RecoveryVault"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:37.909672Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Cache/redis"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Cache/redis/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": []
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-RedisCache"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Relay to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.5406453Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Relay/namespaces"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Relay/namespaces/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": [
                        {
                          "category": "HybridConnectionsEvent",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-Relay"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Search Services to Event Hub",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploys the diagnostic settings for Search Services to stream to a regional Event Hub when any Search Services which is missing this diagnostic settings is created or updated.",
    "metadata": {
      "version": "2.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy_eventHub"
      },
      "eventHubRuleId": {
        "type": "String",
        "metadata": {
          "displayName": "Event Hub Authorization Rule Id",
          "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
          "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
          "assignPermissions": true
        }
      },
      "eventHubLocation": {
        "type": "String",
        "metadata": {
          "displayName": "Event Hub Location",
          "description": "The location the Event Hub resides in. Only Search Services in this location will be linked to this Event Hub.",
          "strongType": "location"
        },
        "defaultValue": ""
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Event Hub - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "False"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Event Hub  - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Search/searchServices"
          },
          {
            "anyOf": [
              {
                "value": "[parameters('eventHubLocation')]",
                "equals": ""
              },
              {
                "field": "location",
                "equals": "[parameters('eventHubLocation')]"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "[parameters('profileName')]",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "[parameters('logsEnabled')]"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "[parameters('metricsEnabled')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "eventHubRuleId": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Search/searchServices/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "enabled": false,
                            "days": 0
                          }
                        }
                      ],
                      "logs": [
                        {
                          "category": "OperationLogs",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "eventHubRuleId": {
                  "value": "[parameters('eventHubRuleId')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/3d5da587-71bd-41f5-ac95-dd3330c2d58d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "3d5da587-71bd-41f5-ac95-dd3330c2d58d"
}
BuiltIn Monitoring False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Search Services to Log Analytics workspace",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploys the diagnostic settings for Search Services to stream to a regional Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy_logAnalytics"
      },
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace",
          "assignPermissions": true
        }
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "False"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Search/searchServices"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "[parameters('profileName')]",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "[parameters('logsEnabled')]"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "[parameters('metricsEnabled')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Search/searchServices/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "enabled": false,
                            "days": 0
                          }
                        }
                      ],
                      "logs": [
                        {
                          "category": "OperationLogs",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "08ba64b8-738f-4918-9686-730d2ed79c7d"
}
BuiltIn Monitoring False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Search Services to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.4772725Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Search/searchServices"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Search/searchServices/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": [
                        {
                          "category": "OperationLogs",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SearchServices",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-SearchServices"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Service Bus namespaces  to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.3295991Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.ServiceBus/namespaces"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.ServiceBus/namespaces/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": [
                        {
                          "category": "OperationalLogs",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ServiceBus",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-ServiceBus"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Service Bus to Event Hub",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploys the diagnostic settings for Service Bus to stream to a regional Event Hub when any Service Bus which is missing this diagnostic settings is created or updated.",
    "metadata": {
      "version": "2.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy_eventHub"
      },
      "eventHubRuleId": {
        "type": "String",
        "metadata": {
          "displayName": "Event Hub Authorization Rule Id",
          "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
          "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
          "assignPermissions": true
        }
      },
      "eventHubLocation": {
        "type": "String",
        "metadata": {
          "displayName": "Event Hub Location",
          "description": "The location the Event Hub resides in. Only Service Bus in this location will be linked to this Event Hub.",
          "strongType": "location"
        },
        "defaultValue": ""
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Event Hub - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "False"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Event Hub  - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ServiceBus/namespaces"
          },
          {
            "anyOf": [
              {
                "value": "[parameters('eventHubLocation')]",
                "equals": ""
              },
              {
                "field": "location",
                "equals": "[parameters('eventHubLocation')]"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "[parameters('profileName')]",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "[parameters('logsEnabled')]"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "[parameters('metricsEnabled')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "eventHubRuleId": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.ServiceBus/namespaces/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "enabled": false,
                            "days": 0
                          }
                        }
                      ],
                      "logs": [
                        {
                          "category": "OperationalLogs",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "eventHubRuleId": {
                  "value": "[parameters('eventHubRuleId')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/6b51af03-9277-49a9-a3f8-1c69c9ff7403",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "6b51af03-9277-49a9-a3f8-1c69c9ff7403"
}
BuiltIn Monitoring False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Service Bus to Log Analytics workspace",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploys the diagnostic settings for Service Bus to stream to a regional Log Analytics workspace when any Service Bus which is missing this diagnostic settings is created or updated.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy_logAnalytics"
      },
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace",
          "assignPermissions": true
        }
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "False"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.ServiceBus/namespaces"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "[parameters('profileName')]",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "[parameters('logsEnabled')]"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "[parameters('metricsEnabled')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.ServiceBus/namespaces/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "enabled": false,
                            "days": 0
                          }
                        }
                      ],
                      "logs": [
                        {
                          "category": "OperationalLogs",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "04d53d87-841c-4f23-8a5b-21564380b55e"
}
BuiltIn Monitoring False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for SignalR to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.3400149Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.SignalRService/SignalR"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.SignalRService/SignalR/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": [
                        {
                          "category": "AllLogs",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-SignalR"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for SQL Databases  to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases  which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.5003655Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Sql/servers/databases"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Sql/servers/databases/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": [
                        {
                          "category": "SQLInsights",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "AutomaticTuning",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "DevOpsOperationsAudit",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "QueryStoreRuntimeStatistics",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "QueryStoreWaitStatistics",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "Errors",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "DatabaseWaitStatistics",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "Timeouts",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "Blocks",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "Deadlocks",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "SQLSecurityAuditEvents",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('fullName')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLDBs",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-SQLDBs"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.5194649Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Sql/servers/elasticPools"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Sql/servers/elasticPools/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": []
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('fullName')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-SQLElasticPools"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.5105366Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Sql/managedInstances"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Sql/managedInstances/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "logs": [
                        {
                          "category": "ResourceUsageStats",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "SQLSecurityAuditEvents",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "DevOpsOperationsAudit",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-SQLMI"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Stream Analytics to Event Hub",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploys the diagnostic settings for Stream Analytics to stream to a regional Event Hub when any Stream Analytics which is missing this diagnostic settings is created or updated.",
    "metadata": {
      "version": "2.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy_eventHub"
      },
      "eventHubRuleId": {
        "type": "String",
        "metadata": {
          "displayName": "Event Hub Authorization Rule Id",
          "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
          "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
          "assignPermissions": true
        }
      },
      "eventHubLocation": {
        "type": "String",
        "metadata": {
          "displayName": "Event Hub Location",
          "description": "The location the Event Hub resides in. Only Stream Analytics in this location will be linked to this Event Hub.",
          "strongType": "location"
        },
        "defaultValue": ""
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Event Hub - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "False"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Event Hub  - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.StreamAnalytics/streamingjobs"
          },
          {
            "anyOf": [
              {
                "value": "[parameters('eventHubLocation')]",
                "equals": ""
              },
              {
                "field": "location",
                "equals": "[parameters('eventHubLocation')]"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "[parameters('profileName')]",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "[parameters('logsEnabled')]"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "[parameters('metricsEnabled')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "eventHubRuleId": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.StreamAnalytics/streamingjobs/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "enabled": false,
                            "days": 0
                          }
                        }
                      ],
                      "logs": [
                        {
                          "category": "Execution",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "Authoring",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "eventHubRuleId": {
                  "value": "[parameters('eventHubRuleId')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/edf3780c-3d70-40fe-b17e-ab72013dafca",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "edf3780c-3d70-40fe-b17e-ab72013dafca"
}
BuiltIn Monitoring False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploys the diagnostic settings for Stream Analytics to stream to a regional Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy_logAnalytics"
      },
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace",
          "assignPermissions": true
        }
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "False"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.StreamAnalytics/streamingjobs"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "[parameters('profileName')]",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "[parameters('logsEnabled')]"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "[parameters('metricsEnabled')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.StreamAnalytics/streamingjobs/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "enabled": false,
                            "days": 0
                          }
                        }
                      ],
                      "logs": [
                        {
                          "category": "Execution",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "Authoring",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "237e0f7e-b0e8-4ec4-ad46-8c12cb66d673"
}
BuiltIn Monitoring False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.5000485Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.StreamAnalytics/streamingjobs"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.StreamAnalytics/streamingjobs/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": [
                        {
                          "category": "Execution",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "Authoring",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-StreamAnalytics",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-StreamAnalytics"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:37.8011403Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.TimeSeriesInsights/environments"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.TimeSeriesInsights/environments/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": [
                        {
                          "category": "Ingress",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "Management",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-TimeSeriesInsights"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.5208939Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Network/trafficManagerProfiles"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Network/trafficManagerProfiles/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": [
                        {
                          "category": "ProbeHealthStatusEvents",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-TrafficManager"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for Virtual Machine Scale Sets  to stream to a Log Analytics workspace when any Virtual Machine Scale Sets  which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.5009151Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachineScaleSets"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Compute/virtualMachineScaleSets/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "enabled": false,
                            "days": 0
                          }
                        }
                      ],
                      "logs": []
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-VMSS"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.0994966Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachines"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Compute/virtualMachines/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "enabled": false,
                            "days": 0
                          }
                        }
                      ],
                      "logs": []
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-VM"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.7794633Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Network/virtualNetworks"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Network/virtualNetworks/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "enabled": false,
                            "days": 0
                          }
                        }
                      ],
                      "logs": [
                        {
                          "category": "VMProtectionAlerts",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-VirtualNetwork"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.3345103Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Network/virtualNetworkGateways"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "setByPolicy",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Network/virtualNetworkGateways/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "days": 0,
                            "enabled": false
                          },
                          "timeGrain": null
                        }
                      ],
                      "logs": [
                        {
                          "category": "GatewayDiagnosticLog",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "IKEDiagnosticLog",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "P2SDiagnosticLog",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "RouteDiagnosticLog",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "RouteDiagnosticLog",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "TunnelDiagnosticLog",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Diagnostics-VNetGW"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics) 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy DNS  Zone Group for Key Vault Private Endpoint",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the configurations of a Private DNS Zone Group by a parameter for Key Vault Private Endpoint. Used enforce the configuration to a single Private DNS Zone. ",
    "metadata": {
      "version": "1.0.0",
      "category": "Network",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.584639Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "privateDnsZoneId": {
        "type": "String",
        "metadata": {
          "displayName": "privateDnsZoneId",
          "strongType": "Microsoft.Network/privateDnsZones"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/privateEndpoints"
          },
          {
            "count": {
              "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
              "where": {
                "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                "equals": "vault"
              }
            },
            "greaterOrEquals": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "privateDnsZoneId": {
                    "type": "string"
                  },
                  "privateEndpointName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
                    "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
                    "apiVersion": "2020-03-01",
                    "location": "[parameters('location')]",
                    "properties": {
                      "privateDnsZoneConfigs": [
                        {
                          "name": "keyVault-privateDnsZone",
                          "properties": {
                            "privateDnsZoneId": "[parameters('privateDnsZoneId')]"
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "parameters": {
                "privateDnsZoneId": {
                  "value": "[parameters('privateDnsZoneId')]"
                },
                "privateEndpointName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-DNSZoneGroup-For-KeyVault-PrivateEndpoint",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-DNSZoneGroup-For-KeyVault-PrivateEndpoint"
}
Custom Network False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a false 0 n/a 'Private DNS Zone Contributor' (b12aa53e-6015-4669-85d0-8515ebb3ae7f)
{
  "properties": {
    "displayName": "Deploy DNS  Zone Group for SQL Private Endpoint",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the configurations of a Private DNS Zone Group by a parameter for SQL Private Private Endpoint. Used enforce the configuration to a single Private DNS Zone. ",
    "metadata": {
      "version": "1.0.0",
      "category": "Network",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.5408129Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "privateDnsZoneId": {
        "type": "String",
        "metadata": {
          "displayName": "privateDnsZoneId",
          "strongType": "Microsoft.Network/privateDnsZones"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/privateEndpoints"
          },
          {
            "count": {
              "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
              "where": {
                "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                "equals": "sqlServer"
              }
            },
            "greaterOrEquals": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "privateDnsZoneId": {
                    "type": "string"
                  },
                  "privateEndpointName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
                    "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
                    "apiVersion": "2020-03-01",
                    "location": "[parameters('location')]",
                    "properties": {
                      "privateDnsZoneConfigs": [
                        {
                          "name": "sqlServer-privateDnsZone",
                          "properties": {
                            "privateDnsZoneId": "[parameters('privateDnsZoneId')]"
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "parameters": {
                "privateDnsZoneId": {
                  "value": "[parameters('privateDnsZoneId')]"
                },
                "privateEndpointName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-DNSZoneGroup-For-Sql-PrivateEndpoint",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-DNSZoneGroup-For-Sql-PrivateEndpoint"
}
Custom Network False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a false 0 n/a 'Private DNS Zone Contributor' (b12aa53e-6015-4669-85d0-8515ebb3ae7f)
{
  "properties": {
    "displayName": "Deploy DNS  Zone Group for Storage-Blob Private Endpoint",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the configurations of a Private DNS Zone Group by a parameter for Storage-Blob Private Endpoint. Used enforce the configuration to a single Private DNS Zone. ",
    "metadata": {
      "version": "1.0.0",
      "category": "Network",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.5347224Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "privateDnsZoneId": {
        "type": "String",
        "metadata": {
          "displayName": "privateDnsZoneId",
          "strongType": "Microsoft.Network/privateDnsZones"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/privateEndpoints"
          },
          {
            "count": {
              "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
              "where": {
                "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                "equals": "table"
              }
            },
            "greaterOrEquals": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "privateDnsZoneId": {
                    "type": "string"
                  },
                  "privateEndpointName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
                    "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
                    "apiVersion": "2020-03-01",
                    "location": "[parameters('location')]",
                    "properties": {
                      "privateDnsZoneConfigs": [
                        {
                          "name": "storageTable-privateDnsZone",
                          "properties": {
                            "privateDnsZoneId": "[parameters('privateDnsZoneId')]"
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "parameters": {
                "privateDnsZoneId": {
                  "value": "[parameters('privateDnsZoneId')]"
                },
                "privateEndpointName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-DNSZoneGroup-For-Table-PrivateEndpoint",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-DNSZoneGroup-For-Table-PrivateEndpoint"
}
Custom Network False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a false 0 n/a 'Private DNS Zone Contributor' (b12aa53e-6015-4669-85d0-8515ebb3ae7f)
{
  "properties": {
    "displayName": "Deploy DNS  Zone Group for Storage-File Private Endpoint",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the configurations of a Private DNS Zone Group by a parameter for Storage-File Private Endpoint. Used enforce the configuration to a single Private DNS Zone. ",
    "metadata": {
      "version": "1.0.0",
      "category": "Network",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.401062Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "privateDnsZoneId": {
        "type": "String",
        "metadata": {
          "displayName": "privateDnsZoneId",
          "strongType": "Microsoft.Network/privateDnsZones"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/privateEndpoints"
          },
          {
            "count": {
              "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
              "where": {
                "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                "equals": "file"
              }
            },
            "greaterOrEquals": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "privateDnsZoneId": {
                    "type": "string"
                  },
                  "privateEndpointName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
                    "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
                    "apiVersion": "2020-03-01",
                    "location": "[parameters('location')]",
                    "properties": {
                      "privateDnsZoneConfigs": [
                        {
                          "name": "storageFile-privateDnsZone",
                          "properties": {
                            "privateDnsZoneId": "[parameters('privateDnsZoneId')]"
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "parameters": {
                "privateDnsZoneId": {
                  "value": "[parameters('privateDnsZoneId')]"
                },
                "privateEndpointName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-DNSZoneGroup-For-File-PrivateEndpoint",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-DNSZoneGroup-For-File-PrivateEndpoint"
}
Custom Network False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a false 0 n/a 'Private DNS Zone Contributor' (b12aa53e-6015-4669-85d0-8515ebb3ae7f)
{
  "properties": {
    "displayName": "Deploy DNS  Zone Group for Storage-Queue Private Endpoint",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the configurations of a Private DNS Zone Group by a parameter for Storage-Queue Private Endpoint. Used enforce the configuration to a single Private DNS Zone. ",
    "metadata": {
      "version": "1.0.0",
      "category": "Network",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.6688851Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "privateDnsZoneId": {
        "type": "String",
        "metadata": {
          "displayName": "privateDnsZoneId",
          "strongType": "Microsoft.Network/privateDnsZones"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/privateEndpoints"
          },
          {
            "count": {
              "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
              "where": {
                "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                "equals": "queue"
              }
            },
            "greaterOrEquals": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "privateDnsZoneId": {
                    "type": "string"
                  },
                  "privateEndpointName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
                    "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
                    "apiVersion": "2020-03-01",
                    "location": "[parameters('location')]",
                    "properties": {
                      "privateDnsZoneConfigs": [
                        {
                          "name": "storageQueue-privateDnsZone",
                          "properties": {
                            "privateDnsZoneId": "[parameters('privateDnsZoneId')]"
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "parameters": {
                "privateDnsZoneId": {
                  "value": "[parameters('privateDnsZoneId')]"
                },
                "privateEndpointName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-DNSZoneGroup-For-Queue-PrivateEndpoint",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-DNSZoneGroup-For-Queue-PrivateEndpoint"
}
Custom Network False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a false 0 n/a 'Private DNS Zone Contributor' (b12aa53e-6015-4669-85d0-8515ebb3ae7f)
{
  "properties": {
    "displayName": "Deploy DNS Zone Group for Storage-Blob Private Endpoint",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys the configurations of a Private DNS Zone Group by a parameter for Storage-Blob Private Endpoint. Used enforce the configuration to a single Private DNS Zone. ",
    "metadata": {
      "version": "1.0.0",
      "category": "Network",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.5480105Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "privateDnsZoneId": {
        "type": "String",
        "metadata": {
          "displayName": "privateDnsZoneId",
          "strongType": "Microsoft.Network/privateDnsZones"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/privateEndpoints"
          },
          {
            "count": {
              "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
              "where": {
                "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                "equals": "blob"
              }
            },
            "greaterOrEquals": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "privateDnsZoneId": {
                    "type": "string"
                  },
                  "privateEndpointName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
                    "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
                    "apiVersion": "2020-03-01",
                    "location": "[parameters('location')]",
                    "properties": {
                      "privateDnsZoneConfigs": [
                        {
                          "name": "storageBlob-privateDnsZone",
                          "properties": {
                            "privateDnsZoneId": "[parameters('privateDnsZoneId')]"
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "parameters": {
                "privateDnsZoneId": {
                  "value": "[parameters('privateDnsZoneId')]"
                },
                "privateEndpointName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-DNSZoneGroup-For-Blob-PrivateEndpoint",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-DNSZoneGroup-For-Blob-PrivateEndpoint"
}
Custom Network False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a false 0 n/a 'Private DNS Zone Contributor' (b12aa53e-6015-4669-85d0-8515ebb3ae7f)
{
  "properties": {
    "displayName": "Deploy export to Event Hub for Azure Security Center data",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Enable export to Event Hub of Azure Security Center data. This policy deploys an export to Event Hub configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.",
    "metadata": {
      "version": "4.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "resourceGroupName": {
        "type": "String",
        "metadata": {
          "displayName": "Resource group name",
          "description": "The resource group name where the export to Event Hub configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Event Hub configured."
        }
      },
      "resourceGroupLocation": {
        "type": "String",
        "metadata": {
          "displayName": "Resource group location",
          "description": "The location where the resource group and the export to Event Hub configuration are created.",
          "strongType": "location"
        }
      },
      "createResourceGroup": {
        "type": "Boolean",
        "metadata": {
          "displayName": "Create resource group",
          "description": "If a resource group does not exists in the scope, a new resource group will be created. If the resource group exists and this flag is set to 'true' the policy will re-deploy the resource group. Please note this will reset any Azure Tag on the resource group."
        },
        "allowedValues": [
          true,
          false
        ],
        "defaultValue": true
      },
      "exportedDataTypes": {
        "type": "Array",
        "metadata": {
          "displayName": "Exported data types",
          "description": "The data types to be exported. To export a snapshot (preview) of the data once a week, choose the data types which contains 'snapshot', other data types will be sent in real-time streaming."
        },
        "allowedValues": [
          "Security recommendations",
          "Security alerts",
          "Overall secure score",
          "Secure score controls",
          "Regulatory compliance",
          "Overall secure score - snapshot",
          "Secure score controls - snapshot",
          "Regulatory compliance - snapshot"
        ],
        "defaultValue": [
          "Security recommendations",
          "Security alerts",
          "Overall secure score",
          "Secure score controls",
          "Regulatory compliance",
          "Overall secure score - snapshot",
          "Secure score controls - snapshot",
          "Regulatory compliance - snapshot"
        ]
      },
      "recommendationNames": {
        "type": "Array",
        "metadata": {
          "displayName": "Recommendation IDs",
          "description": "Applicable only for export of security recommendations. To export all recommendations, leave this empty. To export specific recommendations, enter a list of recommendation IDs separated by semicolons (';'). Recommendation IDs are available through the Assessments API (https://docs.microsoft.com/rest/api/securitycenter/assessments), or Azure Resource Graph Explorer, choose securityresources and microsoft.security/assessments."
        },
        "defaultValue": []
      },
      "recommendationSeverities": {
        "type": "Array",
        "metadata": {
          "displayName": "Recommendation severities",
          "description": "Applicable only for export of security recommendations. Determines recommendation severities. Example: High;Medium;Low;"
        },
        "allowedValues": [
          "High",
          "Medium",
          "Low"
        ],
        "defaultValue": [
          "High",
          "Medium",
          "Low"
        ]
      },
      "isSecurityFindingsEnabled": {
        "type": "Boolean",
        "metadata": {
          "displayName": "Include security findings",
          "description": "Security findings are results from vulnerability assessment solutions, and can be thought of as 'sub' recommendations grouped into a 'parent' recommendation."
        },
        "allowedValues": [
          true,
          false
        ],
        "defaultValue": true
      },
      "secureScoreControlsNames": {
        "type": "Array",
        "metadata": {
          "displayName": "Secure Score Controls IDs",
          "description": "Applicable only for export of secure score controls. To export all secure score controls, leave this empty. To export specific secure score controls, enter a list of secure score controls IDs separated by semicolons (';'). Secure score controls IDs are available through the Secure score controls API (https://docs.microsoft.com/rest/api/securitycenter/securescorecontrols), or Azure Resource Graph Explorer, choose securityresources and microsoft.security/securescores/securescorecontrols."
        },
        "defaultValue": []
      },
      "alertSeverities": {
        "type": "Array",
        "metadata": {
          "displayName": "Alert severities",
          "description": "Applicable only for export of security alerts. Determines alert severities. Example: High;Medium;Low;"
        },
        "allowedValues": [
          "High",
          "Medium",
          "Low"
        ],
        "defaultValue": [
          "High",
          "Medium",
          "Low"
        ]
      },
      "regulatoryComplianceStandardsNames": {
        "type": "Array",
        "metadata": {
          "displayName": "Regulatory compliance standards names",
          "description": "Applicable only for export of regulatory compliance. To export all regulatory compliance, leave this empty. To export specific regulatory compliance standards, enter a list of these standards names separated by semicolons (';'). Regulatory compliance standards names are available through the regulatory compliance standards API (https://docs.microsoft.com/rest/api/securitycenter/regulatorycompliancestandards), or Azure Resource Graph Explorer, choose securityresources and microsoft.security/regulatorycompliancestandards."
        },
        "defaultValue": []
      },
      "eventHubDetails": {
        "type": "String",
        "metadata": {
          "displayName": "Event Hub details",
          "description": "The Event Hub details of where the data should be exported to: Subscription, Event Hub Namespace, Event Hub, and Authorizations rules with 'Send' claim.",
          "strongType": "Microsoft.EventHub/namespaces/eventhubs/authorizationrules",
          "assignPermissions": true
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.Security/automations",
          "name": "exportToEventHub",
          "existenceScope": "resourcegroup",
          "ResourceGroupName": "[parameters('resourceGroupName')]",
          "deploymentScope": "subscription",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Security/automations/isEnabled",
                "equals": true
              },
              {
                "count": {
                  "field": "Microsoft.Security/automations/sources[*]"
                },
                "equals": "[if(parameters('isSecurityFindingsEnabled'),add(length(parameters('exportedDataTypes')),1),length(parameters('exportedDataTypes')))]"
              },
              {
                "count": {
                  "value": "[parameters('exportedDataTypes')]",
                  "name": "dataType",
                  "where": {
                    "count": {
                      "field": "Microsoft.Security/automations/sources[*]",
                      "where": {
                        "anyOf": [
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Security/automations/sources[*].eventSource",
                                "equals": "Assessments"
                              },
                              {
                                "value": "[current('dataType')]",
                                "equals": "Security recommendations"
                              }
                            ]
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Security/automations/sources[*].eventSource",
                                "equals": "Alerts"
                              },
                              {
                                "value": "[current('dataType')]",
                                "equals": "Security alerts"
                              }
                            ]
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Security/automations/sources[*].eventSource",
                                "equals": "SecureScores"
                              },
                              {
                                "value": "[current('dataType')]",
                                "equals": "Overall secure score"
                              }
                            ]
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Security/automations/sources[*].eventSource",
                                "equals": "SecureScoreControls"
                              },
                              {
                                "value": "[current('dataType')]",
                                "equals": "Secure score controls"
                              }
                            ]
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Security/automations/sources[*].eventSource",
                                "equals": "RegulatoryComplianceAssessment"
                              },
                              {
                                "value": "[current('dataType')]",
                                "equals": "Regulatory compliance"
                              }
                            ]
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Security/automations/sources[*].eventSource",
                                "equals": "SecureScoresSnapshot"
                              },
                              {
                                "value": "[current('dataType')]",
                                "equals": "Overall secure score - snapshot"
                              }
                            ]
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Security/automations/sources[*].eventSource",
                                "equals": "SecureScoreControlsSnapshot"
                              },
                              {
                                "value": "[current('dataType')]",
                                "equals": "Secure score controls - snapshot"
                              }
                            ]
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Security/automations/sources[*].eventSource",
                                "equals": "RegulatoryComplianceAssessmentSnapshot"
                              },
                              {
                                "value": "[current('dataType')]",
                                "equals": "Regulatory compliance - snapshot"
                              }
                            ]
                          }
                        ]
                      }
                    },
                    "equals": 1
                  }
                },
                "equals": "[length(parameters('exportedDataTypes'))]"
              }
            ]
          },
          "deployment": {
            "location": "westeurope",
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceGroupName": {
                    "type": "string"
                  },
                  "resourceGroupLocation": {
                    "type": "string"
                  },
                  "createResourceGroup": {
                    "type": "bool"
                  },
                  "exportedDataTypes": {
                    "type": "array"
                  },
                  "isSecurityFindingsEnabled": {
                    "type": "bool"
                  },
                  "recommendationNames": {
                    "type": "array"
                  },
                  "secureScoreControlsNames": {
                    "type": "array"
                  },
                  "regulatoryComplianceStandardsNames": {
                    "type": "array"
                  },
                  "recommendationSeverities": {
                    "type": "array"
                  },
                  "alertSeverities": {
                    "type": "array"
                  },
                  "eventHubDetails": {
                    "type": "string"
                  },
                  "guidValue": {
                    "type": "string",
                    "defaultValue": "[newGuid()]"
                  }
                },
                "variables": {
                  "scopeDescription": "scope for subscription {0}",
                  "subAssessmentRuleExpectedValue": "/assessments/{0}/",
                  "recommendationNamesLength": "[length(parameters('recommendationNames'))]",
                  "secureScoreControlsNamesLength": "[length(parameters('secureScoreControlsNames'))]",
                  "secureScoreControlsLengthIfEmpty": "[if(equals(variables('secureScoreControlsNamesLength'), 0), 1, variables('secureScoreControlsNamesLength'))]",
                  "regulatoryComplianceStandardsNamesLength": "[length(parameters('regulatoryComplianceStandardsNames'))]",
                  "regulatoryComplianceStandardsNamesLengthIfEmpty": "[if(equals(variables('regulatoryComplianceStandardsNamesLength'), 0), 1, variables('regulatoryComplianceStandardsNamesLength'))]",
                  "recommendationSeveritiesLength": "[length(parameters('recommendationSeverities'))]",
                  "alertSeveritiesLength": "[length(parameters('alertSeverities'))]",
                  "recommendationNamesLengthIfEmpty": "[if(equals(variables('recommendationNamesLength'), 0), 1, variables('recommendationNamesLength'))]",
                  "recommendationSeveritiesLengthIfEmpty": "[if(equals(variables('recommendationSeveritiesLength'), 0), 1, variables('recommendationSeveritiesLength'))]",
                  "alertSeveritiesLengthIfEmpty": "[if(equals(variables('alertSeveritiesLength'), 0), 1, variables('alertSeveritiesLength'))]",
                  "totalRuleCombinationsForOneRecommendationName": "[variables('recommendationSeveritiesLengthIfEmpty')]",
                  "totalRuleCombinationsForOneRecommendationSeverity": 1,
                  "exportedDataTypesLength": "[length(parameters('exportedDataTypes'))]",
                  "exportedDataTypesLengthIfEmpty": "[if(equals(variables('exportedDataTypesLength'), 0), 1, variables('exportedDataTypesLength'))]",
                  "SeperatedEventHubDetails": "[split(parameters('eventHubDetails'),'/')]",
                  "dataTypeMap": {
                    "Security recommendations": "Assessments",
                    "Security alerts": "Alerts",
                    "Overall secure score": "SecureScores",
                    "Secure score controls": "SecureScoreControls",
                    "Regulatory compliance": "RegulatoryComplianceAssessment",
                    "Overall secure score - snapshot": "SecureScoresSnapshot",
                    "Secure score controls - snapshot": "SecureScoreControlsSnapshot",
                    "Regulatory compliance - snapshot": "RegulatoryComplianceAssessmentSnapshot"
                  },
                  "alertSeverityMap": {
                    "High": "high",
                    "Medium": "medium",
                    "Low": "low"
                  },
                  "ruleSetsForAssessmentsObj": {
                    "copy": [
                      {
                        "name": "ruleSetsForAssessmentsArr",
                        "count": "[mul(variables('recommendationNamesLengthIfEmpty'),variables('recommendationSeveritiesLengthIfEmpty'))]",
                        "input": {
                          "rules": [
                            {
                              "propertyJPath": "[if(equals(variables('recommendationNamesLength'),0),'type','name')]",
                              "propertyType": "string",
                              "expectedValue": "[if(equals(variables('recommendationNamesLength'),0),'Microsoft.Security/assessments',parameters('recommendationNames')[mod(div(copyIndex('ruleSetsForAssessmentsArr'),variables('totalRuleCombinationsForOneRecommendationName')),variables('recommendationNamesLength'))])]",
                              "operator": "Contains"
                            },
                            {
                              "propertyJPath": "properties.metadata.severity",
                              "propertyType": "string",
                              "expectedValue": "[parameters('recommendationSeverities')[mod(div(copyIndex('ruleSetsForAssessmentsArr'),variables('totalRuleCombinationsForOneRecommendationSeverity')),variables('recommendationSeveritiesLength'))]]",
                              "operator": "Equals"
                            }
                          ]
                        }
                      }
                    ]
                  },
                  "customRuleSetsForSubAssessmentsObj": {
                    "copy": [
                      {
                        "name": "ruleSetsForSubAssessmentsArr",
                        "count": "[variables('recommendationNamesLengthIfEmpty')]",
                        "input": {
                          "rules": [
                            {
                              "propertyJPath": "id",
                              "propertyType": "string",
                              "expectedValue": "[if(equals(variables('recommendationNamesLength'), 0), json('null'), replace(variables('subAssessmentRuleExpectedValue'),'{0}', parameters('recommendationNames')[copyIndex('ruleSetsForSubAssessmentsArr')]))]",
                              "operator": "Contains"
                            }
                          ]
                        }
                      }
                    ]
                  },
                  "ruleSetsForAlertsObj": {
                    "copy": [
                      {
                        "name": "ruleSetsForAlertsArr",
                        "count": "[variables('alertSeveritiesLengthIfEmpty')]",
                        "input": {
                          "rules": [
                            {
                              "propertyJPath": "Severity",
                              "propertyType": "string",
                              "expectedValue": "[variables('alertSeverityMap')[parameters('alertSeverities')[mod(copyIndex('ruleSetsForAlertsArr'),variables('alertSeveritiesLengthIfEmpty'))]]]",
                              "operator": "Equals"
                            }
                          ]
                        }
                      }
                    ]
                  },
                  "customRuleSetsForSecureScoreControlsObj": {
                    "copy": [
                      {
                        "name": "ruleSetsForSecureScoreControlsArr",
                        "count": "[variables('secureScoreControlsLengthIfEmpty')]",
                        "input": {
                          "rules": [
                            {
                              "propertyJPath": "name",
                              "propertyType": "string",
                              "expectedValue": "[if(equals(variables('secureScoreControlsNamesLength'), 0), json('null'), parameters('secureScoreControlsNames')[copyIndex('ruleSetsForSecureScoreControlsArr')])]",
                              "operator": "Equals"
                            }
                          ]
                        }
                      }
                    ]
                  },
                  "customRuleSetsForRegulatoryComplianceObj": {
                    "copy": [
                      {
                        "name": "ruleSetsForRegulatoryCompliancArr",
                        "count": "[variables('regulatoryComplianceStandardsNamesLengthIfEmpty')]",
                        "input": {
                          "rules": [
                            {
                              "propertyJPath": "id",
                              "propertyType": "string",
                              "expectedValue": "[if(equals(variables('regulatoryComplianceStandardsNamesLength'), 0), json('null'), parameters('regulatoryComplianceStandardsNames')[copyIndex('ruleSetsForRegulatoryCompliancArr')])]",
                              "operator": "Contains"
                            }
                          ]
                        }
                      }
                    ]
                  },
                  "ruleSetsForSecureScoreControlsObj": "[if(equals(variables('secureScoreControlsNamesLength'), 0), json('null'), variables('customRuleSetsForSecureScoreControlsObj').ruleSetsForSecureScoreControlsArr)]",
                  "ruleSetsForSecureRegulatoryComplianceObj": "[if(equals(variables('regulatoryComplianceStandardsNamesLength'), 0), json('null'), variables('customRuleSetsForRegulatoryComplianceObj').ruleSetsForRegulatoryCompliancArr)]",
                  "ruleSetsForSubAssessmentsObj": "[if(equals(variables('recommendationNamesLength'), 0), json('null'), variables('customRuleSetsForSubAssessmentsObj').ruleSetsForSubAssessmentsArr)]",
                  "subAssessmentSource": [
                    {
                      "eventSource": "SubAssessments",
                      "ruleSets": "[variables('ruleSetsForSubAssessmentsObj')]"
                    }
                  ],
                  "ruleSetsMap": {
                    "Security recommendations": "[variables('ruleSetsForAssessmentsObj').ruleSetsForAssessmentsArr]",
                    "Security alerts": "[variables('ruleSetsForAlertsObj').ruleSetsForAlertsArr]",
                    "Overall secure score": null,
                    "Secure score controls": "[variables('ruleSetsForSecureScoreControlsObj')]",
                    "Regulatory compliance": "[variables('ruleSetsForSecureRegulatoryComplianceObj')]",
                    "Overall secure score - snapshot": null,
                    "Secure score controls - snapshot": "[variables('ruleSetsForSecureScoreControlsObj')]",
                    "Regulatory compliance - snapshot": "[variables('ruleSetsForSecureRegulatoryComplianceObj')]"
                  },
                  "sourcesWithoutSubAssessments": {
                    "copy": [
                      {
                        "name": "sources",
                        "count": "[variables('exportedDataTypesLengthIfEmpty')]",
                        "input": {
                          "eventSource": "[variables('dataTypeMap')[parameters('exportedDataTypes')[copyIndex('sources')]]]",
                          "ruleSets": "[variables('ruleSetsMap')[parameters('exportedDataTypes')[copyIndex('sources')]]]"
                        }
                      }
                    ]
                  },
                  "sourcesWithSubAssessments": "[concat(variables('subAssessmentSource'),variables('sourcesWithoutSubAssessments').sources)]",
                  "sources": "[if(equals(parameters('isSecurityFindingsEnabled'),bool('true')),variables('sourcesWithSubAssessments'),variables('sourcesWithoutSubAssessments').sources)]"
                },
                "resources": [
                  {
                    "condition": "[parameters('createResourceGroup')]",
                    "name": "[parameters('resourceGroupName')]",
                    "type": "Microsoft.Resources/resourceGroups",
                    "apiVersion": "2019-10-01",
                    "location": "[parameters('resourceGroupLocation')]"
                  },
                  {
                    "type": "Microsoft.Resources/deployments",
                    "apiVersion": "2019-10-01",
                    "name": "[concat('nestedAutomationDeployment', '_', parameters('guidValue'))]",
                    "resourceGroup": "[parameters('resourceGroupName')]",
                    "dependsOn": [
                      "[resourceId('Microsoft.Resources/resourceGroups/', parameters('resourceGroupName'))]"
                    ],
                    "properties": {
                      "mode": "Incremental",
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {},
                        "variables": {},
                        "resources": [
                          {
                            "tags": {},
                            "apiVersion": "2019-01-01-preview",
                            "location": "[parameters('resourceGroupLocation')]",
                            "name": "exportToEventHub",
                            "type": "Microsoft.Security/automations",
                            "dependsOn": [],
                            "properties": {
                              "description": "Export Azure Security Center data to Event Hub via policy",
                              "isEnabled": true,
                              "scopes": [
                                {
                                  "description": "[replace(variables('scopeDescription'),'{0}', subscription().subscriptionId)]",
                                  "scopePath": "[subscription().id]"
                                }
                              ],
                              "sources": "[variables('sources')]",
                              "actions": [
                                {
                                  "actionType": "EventHub",
                                  "eventHubResourceId": "[concat('/', variables('SeperatedEventHubDetails')[1], '/', variables('SeperatedEventHubDetails')[2], '/', variables('SeperatedEventHubDetails')[3], '/', variables('SeperatedEventHubDetails')[4], '/', variables('SeperatedEventHubDetails')[5], '/', variables('SeperatedEventHubDetails')[6], '/', variables('SeperatedEventHubDetails')[7], '/', variables('SeperatedEventHubDetails')[8], '/', variables('SeperatedEventHubDetails')[9], '/', variables('SeperatedEventHubDetails')[10])]",
                                  "connectionString": "[listkeys(parameters('eventHubDetails'),'2017-04-01').primaryConnectionString]"
                                }
                              ]
                            }
                          }
                        ]
                      }
                    }
                  }
                ]
              },
              "parameters": {
                "resourceGroupName": {
                  "value": "[parameters('resourceGroupName')]"
                },
                "resourceGroupLocation": {
                  "value": "[parameters('resourceGroupLocation')]"
                },
                "createResourceGroup": {
                  "value": "[parameters('createResourceGroup')]"
                },
                "exportedDataTypes": {
                  "value": "[parameters('exportedDataTypes')]"
                },
                "recommendationNames": {
                  "value": "[parameters('recommendationNames')]"
                },
                "isSecurityFindingsEnabled": {
                  "value": "[parameters('isSecurityFindingsEnabled')]"
                },
                "secureScoreControlsNames": {
                  "value": "[parameters('secureScoreControlsNames')]"
                },
                "recommendationSeverities": {
                  "value": "[parameters('recommendationSeverities')]"
                },
                "alertSeverities": {
                  "value": "[parameters('alertSeverities')]"
                },
                "regulatoryComplianceStandardsNames": {
                  "value": "[parameters('regulatoryComplianceStandardsNames')]"
                },
                "eventHubDetails": {
                  "value": "[parameters('eventHubDetails')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/cdfcce10-4578-4ecd-9703-530938e4abcb",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "cdfcce10-4578-4ecd-9703-530938e4abcb"
}
BuiltIn Security Center False False n/a n/a n/a false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Deploy export to Log Analytics workspace for Azure Security Center data",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Enable export to Log Analytics workspace of Azure Security Center data. This policy deploys an export to Log Analytics workspace configuration with your conditions and target workspace on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.",
    "metadata": {
      "version": "4.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "resourceGroupName": {
        "type": "String",
        "metadata": {
          "displayName": "Resource group name",
          "description": "The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured."
        }
      },
      "resourceGroupLocation": {
        "type": "String",
        "metadata": {
          "displayName": "Resource group location",
          "description": "The location where the resource group and the export to Log Analytics workspace configuration are created.",
          "strongType": "location"
        }
      },
      "createResourceGroup": {
        "type": "Boolean",
        "metadata": {
          "displayName": "Create resource group",
          "description": "If a resource group does not exists in the scope, a new resource group will be created. If the resource group exists and this flag is set to 'true' the policy will re-deploy the resource group. Please note this will reset any Azure Tag on the resource group."
        },
        "allowedValues": [
          true,
          false
        ],
        "defaultValue": true
      },
      "exportedDataTypes": {
        "type": "Array",
        "metadata": {
          "displayName": "Exported data types",
          "description": "The data types to be exported. To export a snapshot (preview) of the data once a week, choose the data types which contains 'snapshot', other data types will be sent in real-time streaming."
        },
        "allowedValues": [
          "Security recommendations",
          "Security alerts",
          "Overall secure score",
          "Secure score controls",
          "Regulatory compliance",
          "Overall secure score - snapshot",
          "Secure score controls - snapshot",
          "Regulatory compliance - snapshot"
        ],
        "defaultValue": [
          "Security recommendations",
          "Security alerts",
          "Overall secure score",
          "Secure score controls",
          "Regulatory compliance",
          "Overall secure score - snapshot",
          "Secure score controls - snapshot",
          "Regulatory compliance - snapshot"
        ]
      },
      "recommendationNames": {
        "type": "Array",
        "metadata": {
          "displayName": "Recommendation IDs",
          "description": "Applicable only for export of security recommendations. To export all recommendations, leave this empty. To export specific recommendations, enter a list of recommendation IDs separated by semicolons (';'). Recommendation IDs are available through the Assessments API (https://docs.microsoft.com/rest/api/securitycenter/assessments), or Azure Resource Graph Explorer, choose securityresources and microsoft.security/assessments."
        },
        "defaultValue": []
      },
      "recommendationSeverities": {
        "type": "Array",
        "metadata": {
          "displayName": "Recommendation severities",
          "description": "Applicable only for export of security recommendations. Determines recommendation severities. Example: High;Medium;Low;"
        },
        "allowedValues": [
          "High",
          "Medium",
          "Low"
        ],
        "defaultValue": [
          "High",
          "Medium",
          "Low"
        ]
      },
      "isSecurityFindingsEnabled": {
        "type": "Boolean",
        "metadata": {
          "displayName": "Include security findings",
          "description": "Security findings are results from vulnerability assessment solutions, and can be thought of as 'sub' recommendations grouped into a 'parent' recommendation."
        },
        "allowedValues": [
          true,
          false
        ],
        "defaultValue": true
      },
      "secureScoreControlsNames": {
        "type": "Array",
        "metadata": {
          "displayName": "Secure Score Controls IDs",
          "description": "Applicable only for export of secure score controls. To export all secure score controls, leave this empty. To export specific secure score controls, enter a list of secure score controls IDs separated by semicolons (';'). Secure score controls IDs are available through the Secure score controls API (https://docs.microsoft.com/rest/api/securitycenter/securescorecontrols), or Azure Resource Graph Explorer, choose securityresources and microsoft.security/securescores/securescorecontrols."
        },
        "defaultValue": []
      },
      "alertSeverities": {
        "type": "Array",
        "metadata": {
          "displayName": "Alert severities",
          "description": "Applicable only for export of security alerts. Determines alert severities. Example: High;Medium;Low;"
        },
        "allowedValues": [
          "High",
          "Medium",
          "Low"
        ],
        "defaultValue": [
          "High",
          "Medium",
          "Low"
        ]
      },
      "regulatoryComplianceStandardsNames": {
        "type": "Array",
        "metadata": {
          "displayName": "Regulatory compliance standards names",
          "description": "Applicable only for export of regulatory compliance. To export all regulatory compliance, leave this empty. To export specific regulatory compliance standards, enter a list of these standards names separated by semicolons (';'). Regulatory compliance standards names are available through the regulatory compliance standards API (https://docs.microsoft.com/rest/api/securitycenter/regulatorycompliancestandards), or Azure Resource Graph Explorer, choose securityresources and microsoft.security/regulatorycompliancestandards."
        },
        "defaultValue": []
      },
      "workspaceResourceId": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "The Log Analytics workspace of where the data should be exported to.",
          "strongType": "Microsoft.OperationalInsights/workspaces",
          "assignPermissions": true
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.Security/automations",
          "name": "ExportToWorkspace",
          "existenceScope": "resourcegroup",
          "ResourceGroupName": "[parameters('resourceGroupName')]",
          "deploymentScope": "subscription",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Security/automations/isEnabled",
                "equals": true
              },
              {
                "count": {
                  "field": "Microsoft.Security/automations/sources[*]"
                },
                "equals": "[if(parameters('isSecurityFindingsEnabled'),add(length(parameters('exportedDataTypes')),1),length(parameters('exportedDataTypes')))]"
              },
              {
                "count": {
                  "value": "[parameters('exportedDataTypes')]",
                  "name": "dataType",
                  "where": {
                    "count": {
                      "field": "Microsoft.Security/automations/sources[*]",
                      "where": {
                        "anyOf": [
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Security/automations/sources[*].eventSource",
                                "equals": "Assessments"
                              },
                              {
                                "value": "[current('dataType')]",
                                "equals": "Security recommendations"
                              }
                            ]
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Security/automations/sources[*].eventSource",
                                "equals": "Alerts"
                              },
                              {
                                "value": "[current('dataType')]",
                                "equals": "Security alerts"
                              }
                            ]
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Security/automations/sources[*].eventSource",
                                "equals": "SecureScores"
                              },
                              {
                                "value": "[current('dataType')]",
                                "equals": "Overall secure score"
                              }
                            ]
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Security/automations/sources[*].eventSource",
                                "equals": "SecureScoreControls"
                              },
                              {
                                "value": "[current('dataType')]",
                                "equals": "Secure score controls"
                              }
                            ]
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Security/automations/sources[*].eventSource",
                                "equals": "RegulatoryComplianceAssessment"
                              },
                              {
                                "value": "[current('dataType')]",
                                "equals": "Regulatory compliance"
                              }
                            ]
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Security/automations/sources[*].eventSource",
                                "equals": "SecureScoresSnapshot"
                              },
                              {
                                "value": "[current('dataType')]",
                                "equals": "Overall secure score - snapshot"
                              }
                            ]
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Security/automations/sources[*].eventSource",
                                "equals": "SecureScoreControlsSnapshot"
                              },
                              {
                                "value": "[current('dataType')]",
                                "equals": "Secure score controls - snapshot"
                              }
                            ]
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Security/automations/sources[*].eventSource",
                                "equals": "RegulatoryComplianceAssessmentSnapshot"
                              },
                              {
                                "value": "[current('dataType')]",
                                "equals": "Regulatory compliance - snapshot"
                              }
                            ]
                          }
                        ]
                      }
                    },
                    "equals": 1
                  }
                },
                "equals": "[length(parameters('exportedDataTypes'))]"
              }
            ]
          },
          "deployment": {
            "location": "westeurope",
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceGroupName": {
                    "type": "string"
                  },
                  "resourceGroupLocation": {
                    "type": "string"
                  },
                  "createResourceGroup": {
                    "type": "bool"
                  },
                  "exportedDataTypes": {
                    "type": "array"
                  },
                  "isSecurityFindingsEnabled": {
                    "type": "bool"
                  },
                  "recommendationNames": {
                    "type": "array"
                  },
                  "recommendationSeverities": {
                    "type": "array"
                  },
                  "alertSeverities": {
                    "type": "array"
                  },
                  "secureScoreControlsNames": {
                    "type": "array"
                  },
                  "regulatoryComplianceStandardsNames": {
                    "type": "array"
                  },
                  "workspaceResourceId": {
                    "type": "string"
                  },
                  "guidValue": {
                    "type": "string",
                    "defaultValue": "[newGuid()]"
                  }
                },
                "variables": {
                  "scopeDescription": "scope for subscription {0}",
                  "subAssessmentRuleExpectedValue": "/assessments/{0}/",
                  "recommendationNamesLength": "[length(parameters('recommendationNames'))]",
                  "secureScoreControlsNamesLength": "[length(parameters('secureScoreControlsNames'))]",
                  "secureScoreControlsLengthIfEmpty": "[if(equals(variables('secureScoreControlsNamesLength'), 0), 1, variables('secureScoreControlsNamesLength'))]",
                  "regulatoryComplianceStandardsNamesLength": "[length(parameters('regulatoryComplianceStandardsNames'))]",
                  "regulatoryComplianceStandardsNamesLengthIfEmpty": "[if(equals(variables('regulatoryComplianceStandardsNamesLength'), 0), 1, variables('regulatoryComplianceStandardsNamesLength'))]",
                  "recommendationSeveritiesLength": "[length(parameters('recommendationSeverities'))]",
                  "alertSeveritiesLength": "[length(parameters('alertSeverities'))]",
                  "recommendationNamesLengthIfEmpty": "[if(equals(variables('recommendationNamesLength'), 0), 1, variables('recommendationNamesLength'))]",
                  "recommendationSeveritiesLengthIfEmpty": "[if(equals(variables('recommendationSeveritiesLength'), 0), 1, variables('recommendationSeveritiesLength'))]",
                  "alertSeveritiesLengthIfEmpty": "[if(equals(variables('alertSeveritiesLength'), 0), 1, variables('alertSeveritiesLength'))]",
                  "totalRuleCombinationsForOneRecommendationName": "[variables('recommendationSeveritiesLengthIfEmpty')]",
                  "totalRuleCombinationsForOneRecommendationSeverity": 1,
                  "exportedDataTypesLength": "[length(parameters('exportedDataTypes'))]",
                  "exportedDataTypesLengthIfEmpty": "[if(equals(variables('exportedDataTypesLength'), 0), 1, variables('exportedDataTypesLength'))]",
                  "dataTypeMap": {
                    "Security recommendations": "Assessments",
                    "Security alerts": "Alerts",
                    "Overall secure score": "SecureScores",
                    "Secure score controls": "SecureScoreControls",
                    "Regulatory compliance": "RegulatoryComplianceAssessment",
                    "Overall secure score - snapshot": "SecureScoresSnapshot",
                    "Secure score controls - snapshot": "SecureScoreControlsSnapshot",
                    "Regulatory compliance - snapshot": "RegulatoryComplianceAssessmentSnapshot"
                  },
                  "alertSeverityMap": {
                    "High": "high",
                    "Medium": "medium",
                    "Low": "low"
                  },
                  "ruleSetsForAssessmentsObj": {
                    "copy": [
                      {
                        "name": "ruleSetsForAssessmentsArr",
                        "count": "[mul(variables('recommendationNamesLengthIfEmpty'),variables('recommendationSeveritiesLengthIfEmpty'))]",
                        "input": {
                          "rules": [
                            {
                              "propertyJPath": "[if(equals(variables('recommendationNamesLength'),0),'type','name')]",
                              "propertyType": "string",
                              "expectedValue": "[if(equals(variables('recommendationNamesLength'),0),'Microsoft.Security/assessments',parameters('recommendationNames')[mod(div(copyIndex('ruleSetsForAssessmentsArr'),variables('totalRuleCombinationsForOneRecommendationName')),variables('recommendationNamesLength'))])]",
                              "operator": "Contains"
                            },
                            {
                              "propertyJPath": "properties.metadata.severity",
                              "propertyType": "string",
                              "expectedValue": "[parameters('recommendationSeverities')[mod(div(copyIndex('ruleSetsForAssessmentsArr'),variables('totalRuleCombinationsForOneRecommendationSeverity')),variables('recommendationSeveritiesLength'))]]",
                              "operator": "Equals"
                            }
                          ]
                        }
                      }
                    ]
                  },
                  "customRuleSetsForSubAssessmentsObj": {
                    "copy": [
                      {
                        "name": "ruleSetsForSubAssessmentsArr",
                        "count": "[variables('recommendationNamesLengthIfEmpty')]",
                        "input": {
                          "rules": [
                            {
                              "propertyJPath": "id",
                              "propertyType": "string",
                              "expectedValue": "[if(equals(variables('recommendationNamesLength'), 0), json('null'), replace(variables('subAssessmentRuleExpectedValue'),'{0}', parameters('recommendationNames')[copyIndex('ruleSetsForSubAssessmentsArr')]))]",
                              "operator": "Contains"
                            }
                          ]
                        }
                      }
                    ]
                  },
                  "ruleSetsForAlertsObj": {
                    "copy": [
                      {
                        "name": "ruleSetsForAlertsArr",
                        "count": "[variables('alertSeveritiesLengthIfEmpty')]",
                        "input": {
                          "rules": [
                            {
                              "propertyJPath": "Severity",
                              "propertyType": "string",
                              "expectedValue": "[variables('alertSeverityMap')[parameters('alertSeverities')[mod(copyIndex('ruleSetsForAlertsArr'),variables('alertSeveritiesLengthIfEmpty'))]]]",
                              "operator": "Equals"
                            }
                          ]
                        }
                      }
                    ]
                  },
                  "customRuleSetsForSecureScoreControlsObj": {
                    "copy": [
                      {
                        "name": "ruleSetsForSecureScoreControlsArr",
                        "count": "[variables('secureScoreControlsLengthIfEmpty')]",
                        "input": {
                          "rules": [
                            {
                              "propertyJPath": "name",
                              "propertyType": "string",
                              "expectedValue": "[if(equals(variables('secureScoreControlsNamesLength'), 0), json('null'), parameters('secureScoreControlsNames')[copyIndex('ruleSetsForSecureScoreControlsArr')])]",
                              "operator": "Equals"
                            }
                          ]
                        }
                      }
                    ]
                  },
                  "customRuleSetsForRegulatoryComplianceObj": {
                    "copy": [
                      {
                        "name": "ruleSetsForRegulatoryCompliancArr",
                        "count": "[variables('regulatoryComplianceStandardsNamesLengthIfEmpty')]",
                        "input": {
                          "rules": [
                            {
                              "propertyJPath": "id",
                              "propertyType": "string",
                              "expectedValue": "[if(equals(variables('regulatoryComplianceStandardsNamesLength'), 0), json('null'), parameters('regulatoryComplianceStandardsNames')[copyIndex('ruleSetsForRegulatoryCompliancArr')])]",
                              "operator": "Contains"
                            }
                          ]
                        }
                      }
                    ]
                  },
                  "ruleSetsForSecureScoreControlsObj": "[if(equals(variables('secureScoreControlsNamesLength'), 0), json('null'), variables('customRuleSetsForSecureScoreControlsObj').ruleSetsForSecureScoreControlsArr)]",
                  "ruleSetsForSecureRegulatoryComplianceObj": "[if(equals(variables('regulatoryComplianceStandardsNamesLength'), 0), json('null'), variables('customRuleSetsForRegulatoryComplianceObj').ruleSetsForRegulatoryCompliancArr)]",
                  "ruleSetsForSubAssessmentsObj": "[if(equals(variables('recommendationNamesLength'), 0), json('null'), variables('customRuleSetsForSubAssessmentsObj').ruleSetsForSubAssessmentsArr)]",
                  "subAssessmentSource": [
                    {
                      "eventSource": "SubAssessments",
                      "ruleSets": "[variables('ruleSetsForSubAssessmentsObj')]"
                    }
                  ],
                  "ruleSetsMap": {
                    "Security recommendations": "[variables('ruleSetsForAssessmentsObj').ruleSetsForAssessmentsArr]",
                    "Security alerts": "[variables('ruleSetsForAlertsObj').ruleSetsForAlertsArr]",
                    "Overall secure score": null,
                    "Secure score controls": "[variables('ruleSetsForSecureScoreControlsObj')]",
                    "Regulatory compliance": "[variables('ruleSetsForSecureRegulatoryComplianceObj')]",
                    "Overall secure score - snapshot": null,
                    "Secure score controls - snapshot": "[variables('ruleSetsForSecureScoreControlsObj')]",
                    "Regulatory compliance - snapshot": "[variables('ruleSetsForSecureRegulatoryComplianceObj')]"
                  },
                  "sourcesWithoutSubAssessments": {
                    "copy": [
                      {
                        "name": "sources",
                        "count": "[variables('exportedDataTypesLengthIfEmpty')]",
                        "input": {
                          "eventSource": "[variables('dataTypeMap')[parameters('exportedDataTypes')[copyIndex('sources')]]]",
                          "ruleSets": "[variables('ruleSetsMap')[parameters('exportedDataTypes')[copyIndex('sources')]]]"
                        }
                      }
                    ]
                  },
                  "sourcesWithSubAssessments": "[concat(variables('subAssessmentSource'),variables('sourcesWithoutSubAssessments').sources)]",
                  "sources": "[if(equals(parameters('isSecurityFindingsEnabled'),bool('true')),variables('sourcesWithSubAssessments'),variables('sourcesWithoutSubAssessments').sources)]"
                },
                "resources": [
                  {
                    "condition": "[parameters('createResourceGroup')]",
                    "name": "[parameters('resourceGroupName')]",
                    "type": "Microsoft.Resources/resourceGroups",
                    "apiVersion": "2019-10-01",
                    "location": "[parameters('resourceGroupLocation')]"
                  },
                  {
                    "type": "Microsoft.Resources/deployments",
                    "apiVersion": "2019-10-01",
                    "name": "[concat('nestedAutomationDeployment', '_', parameters('guidValue'))]",
                    "resourceGroup": "[parameters('resourceGroupName')]",
                    "dependsOn": [
                      "[resourceId('Microsoft.Resources/resourceGroups/', parameters('resourceGroupName'))]"
                    ],
                    "properties": {
                      "mode": "Incremental",
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {},
                        "variables": {},
                        "resources": [
                          {
                            "tags": {},
                            "apiVersion": "2019-01-01-preview",
                            "location": "[parameters('resourceGroupLocation')]",
                            "name": "ExportToWorkspace",
                            "type": "Microsoft.Security/automations",
                            "dependsOn": [],
                            "properties": {
                              "description": "Export Azure Security Center data to Log Analytics workspace via policy",
                              "isEnabled": true,
                              "scopes": [
                                {
                                  "description": "[replace(variables('scopeDescription'),'{0}', subscription().subscriptionId)]",
                                  "scopePath": "[subscription().id]"
                                }
                              ],
                              "sources": "[variables('sources')]",
                              "actions": [
                                {
                                  "actionType": "Workspace",
                                  "workspaceResourceId": "[parameters('workspaceResourceId')]"
                                }
                              ]
                            }
                          }
                        ]
                      }
                    }
                  }
                ]
              },
              "parameters": {
                "resourceGroupName": {
                  "value": "[parameters('resourceGroupName')]"
                },
                "resourceGroupLocation": {
                  "value": "[parameters('resourceGroupLocation')]"
                },
                "createResourceGroup": {
                  "value": "[parameters('createResourceGroup')]"
                },
                "exportedDataTypes": {
                  "value": "[parameters('exportedDataTypes')]"
                },
                "isSecurityFindingsEnabled": {
                  "value": "[parameters('isSecurityFindingsEnabled')]"
                },
                "recommendationNames": {
                  "value": "[parameters('recommendationNames')]"
                },
                "secureScoreControlsNames": {
                  "value": "[parameters('secureScoreControlsNames')]"
                },
                "recommendationSeverities": {
                  "value": "[parameters('recommendationSeverities')]"
                },
                "alertSeverities": {
                  "value": "[parameters('alertSeverities')]"
                },
                "regulatoryComplianceStandardsNames": {
                  "value": "[parameters('regulatoryComplianceStandardsNames')]"
                },
                "workspaceResourceId": {
                  "value": "[parameters('workspaceResourceId')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ffb6f416-7bd2-4488-8828-56585fef2be9"
}
BuiltIn Security Center False False n/a n/a n/a false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Deploy Log Analytics agent for Linux virtual machine scale sets",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploy Log Analytics agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances.",
    "metadata": {
      "version": "2.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace",
          "assignPermissions": true
        }
      },
      "listOfImageIdToInclude": {
        "type": "Array",
        "metadata": {
          "displayName": "Optional: List of VM images that have supported Linux OS to add to scope",
          "description": "Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'"
        },
        "defaultValue": []
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachineScaleSets"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Compute/imageId",
                "in": "[parameters('listOfImageIdToInclude')]"
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "RedHat"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "RHEL",
                      "RHEL-SAP-HANA"
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "6.*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "7*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "8*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "SUSE"
                  },
                  {
                    "anyOf": [
                      {
                        "allOf": [
                          {
                            "field": "Microsoft.Compute/imageOffer",
                            "in": [
                              "SLES",
                              "SLES-HPC",
                              "SLES-HPC-Priority",
                              "SLES-SAP",
                              "SLES-SAP-BYOS",
                              "SLES-Priority",
                              "SLES-BYOS",
                              "SLES-SAPCAL",
                              "SLES-Standard"
                            ]
                          },
                          {
                            "anyOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "like": "12*"
                              },
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "like": "15*"
                              }
                            ]
                          }
                        ]
                      },
                      {
                        "allOf": [
                          {
                            "anyOf": [
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "like": "sles-12-sp*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "like": "sles-15-sp*"
                              }
                            ]
                          },
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "in": [
                              "gen1",
                              "gen2"
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Canonical"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "UbuntuServer",
                      "0001-com-ubuntu-server-focal"
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "14.04*LTS"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "16.04*LTS"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "16_04*lts-gen2"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "18.04*LTS"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "18_04*lts-gen2"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "20_04*lts"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "20_04*lts-gen2"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "credativ"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Debian"
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "8*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "9*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Oracle"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Oracle-Linux"
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "6.*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "7.*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "OpenLogic"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "CentOS",
                      "Centos-LVM",
                      "CentOS-SRIOV"
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "6.*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "7*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "8*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "cloudera"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "cloudera-centos-os"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "like": "7*"
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.Compute/virtualMachineScaleSets/extensions",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
            "/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
          ],
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/type",
                "equals": "OmsAgentForLinux"
              },
              {
                "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/publisher",
                "equals": "Microsoft.EnterpriseCloud.Monitoring"
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  }
                },
                "variables": {
                  "vmExtensionName": "OMSAgentForLinux",
                  "vmExtensionPublisher": "Microsoft.EnterpriseCloud.Monitoring",
                  "vmExtensionType": "OmsAgentForLinux",
                  "vmExtensionTypeHandlerVersion": "1.13"
                },
                "resources": [
                  {
                    "name": "[concat(parameters('vmName'), '/', variables('vmExtensionName'))]",
                    "type": "Microsoft.Compute/virtualMachineScaleSets/extensions",
                    "location": "[parameters('location')]",
                    "apiVersion": "2018-06-01",
                    "properties": {
                      "publisher": "[variables('vmExtensionPublisher')]",
                      "type": "[variables('vmExtensionType')]",
                      "typeHandlerVersion": "[variables('vmExtensionTypeHandlerVersion')]",
                      "autoUpgradeMinorVersion": true,
                      "settings": {
                        "workspaceId": "[reference(parameters('logAnalytics'), '2015-03-20').customerId]",
                        "stopOnMultipleConnections": "true"
                      },
                      "protectedSettings": {
                        "workspaceKey": "[listKeys(parameters('logAnalytics'), '2015-03-20').primarySharedKey]"
                      }
                    }
                  }
                ],
                "outputs": {
                  "policy": {
                    "type": "string",
                    "value": "[concat('Enabled extension for: ', parameters('vmName'))]"
                  }
                }
              },
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069"
}
BuiltIn Monitoring False False n/a n/a n/a false 0 n/a true 1 Enable Azure Monitor for Virtual Machine Scale Sets (/providers/microsoft.authorization/policysetdefinitions/75714362-cae7-409e-9b99-a8e5075b7fad) 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293), 'Virtual Machine Contributor' (9980e02c-c2be-4d73-94e8-173b1dc7cf3c)
{
  "properties": {
    "displayName": "Deploy Log Analytics agent for Linux VMs",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploy Log Analytics agent for Linux VMs if the VM Image (OS) is in the list defined and the agent is not installed.",
    "metadata": {
      "version": "2.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace",
          "assignPermissions": true
        }
      },
      "listOfImageIdToInclude": {
        "type": "Array",
        "metadata": {
          "displayName": "Optional: List of VM images that have supported Linux OS to add to scope",
          "description": "Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'"
        },
        "defaultValue": []
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Compute/imageId",
                "in": "[parameters('listOfImageIdToInclude')]"
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "RedHat"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "RHEL",
                      "RHEL-SAP-HANA"
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "6.*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "7*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "8*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "SUSE"
                  },
                  {
                    "anyOf": [
                      {
                        "allOf": [
                          {
                            "field": "Microsoft.Compute/imageOffer",
                            "in": [
                              "SLES",
                              "SLES-HPC",
                              "SLES-HPC-Priority",
                              "SLES-SAP",
                              "SLES-SAP-BYOS",
                              "SLES-Priority",
                              "SLES-BYOS",
                              "SLES-SAPCAL",
                              "SLES-Standard"
                            ]
                          },
                          {
                            "anyOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "like": "12*"
                              },
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "like": "15*"
                              }
                            ]
                          }
                        ]
                      },
                      {
                        "allOf": [
                          {
                            "anyOf": [
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "like": "sles-12-sp*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "like": "sles-15-sp*"
                              }
                            ]
                          },
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "in": [
                              "gen1",
                              "gen2"
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Canonical"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "UbuntuServer",
                      "0001-com-ubuntu-server-focal"
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "14.04*LTS"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "16.04*LTS"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "16_04*lts-gen2"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "18.04*LTS"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "18_04*lts-gen2"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "20_04*lts"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "20_04*lts-gen2"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "credativ"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Debian"
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "8*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "9*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Oracle"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Oracle-Linux"
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "6.*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "7.*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "OpenLogic"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "CentOS",
                      "Centos-LVM",
                      "CentOS-SRIOV"
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "6.*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "7*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "like": "8*"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "cloudera"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "cloudera-centos-os"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "like": "7*"
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.Compute/virtualMachines/extensions",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/type",
                "equals": "OmsAgentForLinux"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                "equals": "Microsoft.EnterpriseCloud.Monitoring"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",
                "equals": "Succeeded"
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  }
                },
                "variables": {
                  "vmExtensionName": "OMSAgentForLinux",
                  "vmExtensionPublisher": "Microsoft.EnterpriseCloud.Monitoring",
                  "vmExtensionType": "OmsAgentForLinux",
                  "vmExtensionTypeHandlerVersion": "1.13"
                },
                "resources": [
                  {
                    "name": "[concat(parameters('vmName'), '/', variables('vmExtensionName'))]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "apiVersion": "2018-06-01",
                    "properties": {
                      "publisher": "[variables('vmExtensionPublisher')]",
                      "type": "[variables('vmExtensionType')]",
                      "typeHandlerVersion": "[variables('vmExtensionTypeHandlerVersion')]",
                      "autoUpgradeMinorVersion": true,
                      "settings": {
                        "workspaceId": "[reference(parameters('logAnalytics'), '2015-03-20').customerId]",
                        "stopOnMultipleConnections": "true"
                      },
                      "protectedSettings": {
                        "workspaceKey": "[listKeys(parameters('logAnalytics'), '2015-03-20').primarySharedKey]"
                      }
                    }
                  }
                ],
                "outputs": {
                  "policy": {
                    "type": "string",
                    "value": "[concat('Enabled extension for VM', ': ', parameters('vmName'))]"
                  }
                }
              },
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/053d3325-282c-4e5c-b944-24faffd30d77",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "053d3325-282c-4e5c-b944-24faffd30d77"
}
BuiltIn Monitoring False False n/a n/a n/a false 0 n/a true 1 Enable Azure Monitor for VMs (/providers/microsoft.authorization/policysetdefinitions/55f3eceb-5573-4f18-9695-226972c6d74a) 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy network watcher when virtual networks are created",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy creates a network watcher resource in regions with virtual networks. You need to ensure existence of a resource group named networkWatcherRG, which will be used to deploy network watcher instances.",
    "metadata": {
      "version": "1.0.0",
      "category": "Network"
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Network/virtualNetworks"
      },
      "then": {
        "effect": "DeployIfNotExists",
        "details": {
          "type": "Microsoft.Network/networkWatchers",
          "resourceGroupName": "networkWatcherRG",
          "existenceCondition": {
            "field": "location",
            "equals": "[field('location')]"
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "apiVersion": "2016-09-01",
                    "type": "Microsoft.Network/networkWatchers",
                    "name": "[concat('networkWatcher_', parameters('location'))]",
                    "location": "[parameters('location')]"
                  }
                ]
              },
              "parameters": {
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/a9b99dd8-06c5-4317-8629-9d86a3c6e7d9",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "a9b99dd8-06c5-4317-8629-9d86a3c6e7d9"
}
BuiltIn Network False False n/a n/a n/a false 0 n/a true 1 HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab) 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7)
{
  "properties": {
    "displayName": "Deploy spoke network with configuration to hub network based on ipam configuration object",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploy spoke network with configuration to hub network based on ipam configuration object",
    "metadata": {
      "version": "1.0.0",
      "category": "Network",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:36.0620342Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "ipam": {
        "type": "Array",
        "metadata": {
          "displayName": "ipam",
          "description": null
        },
        "defaultValue": []
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Resources/resourceGroups",
          "deploymentScope": "Subscription",
          "existenceScope": "Subscription",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
          ],
          "existenceCondition": {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Resources/subscriptions/resourceGroups"
              },
              {
                "field": "name",
                "like": "[concat(subscription().displayName, '-network')]"
              }
            ]
          },
          "deployment": {
            "location": "northeurope",
            "properties": {
              "mode": "incremental",
              "parameters": {
                "ipam": {
                  "value": "[parameters('ipam')]",
                  "defaultValue": []
                }
              },
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "ipam": {
                    "defaultValue": [
                      {
                        "name": "bu1-weu-msx3-vNet1",
                        "location": "westeurope",
                        "virtualNetworks": {
                          "properties": {
                            "addressSpace": {
                              "addressPrefixes": [
                                "10.51.217.0/24"
                              ]
                            }
                          }
                        },
                        "networkSecurityGroups": {
                          "properties": {
                            "securityRules": []
                          }
                        },
                        "routeTables": {
                          "properties": {
                            "routes": []
                          }
                        },
                        "hubVirtualNetworkConnection": {
                          "vWanVhubResourceId": "/subscriptions/99c2838f-a548-4884-a6e2-38c1f8fb4c0b/resourceGroups/contoso-global-vwan/providers/Microsoft.Network/virtualHubs/contoso-vhub-weu",
                          "properties": {
                            "allowHubToRemoteVnetTransit": true,
                            "allowRemoteVnetToUseHubVnetGateways": false,
                            "enableInternetSecurity": true
                          }
                        }
                      }
                    ],
                    "type": "Array"
                  }
                },
                "variables": {
                  "vNetRgName": "[concat(subscription().displayName, '-network')]",
                  "vNetName": "[concat(subscription().displayName, '-vNet')]",
                  "vNetSubId": "[subscription().subscriptionId]"
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/deployments",
                    "apiVersion": "2020-06-01",
                    "name": "[concat('es-ipam-',subscription().displayName,'-RG-',copyIndex())]",
                    "location": "[parameters('ipam')[copyIndex()].location]",
                    "dependsOn": [],
                    "properties": {
                      "mode": "Incremental",
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {},
                        "variables": {},
                        "resources": [
                          {
                            "type": "Microsoft.Resources/resourceGroups",
                            "apiVersion": "2020-06-01",
                            "name": "[variables('vNetRgName')]",
                            "location": "[parameters('ipam')[copyIndex()].location]",
                            "properties": {}
                          },
                          {
                            "type": "Microsoft.Resources/resourceGroups",
                            "apiVersion": "2020-06-01",
                            "name": "NetworkWatcherRG",
                            "location": "[parameters('ipam')[copyIndex()].location]",
                            "properties": {}
                          }
                        ],
                        "outputs": {}
                      }
                    },
                    "copy": {
                      "name": "ipam-rg-loop",
                      "count": "[length(parameters('ipam'))]"
                    },
                    "condition": "[if(and(not(empty(parameters('ipam'))), equals(toLower(parameters('ipam')[copyIndex()].name),toLower(variables('vNetName')))),bool('true'),bool('false'))]"
                  },
                  {
                    "type": "Microsoft.Resources/deployments",
                    "apiVersion": "2020-06-01",
                    "name": "[concat('es-ipam-',subscription().displayName,'-nsg-udr-vnet-hub-vwan-peering-',copyIndex())]",
                    "dependsOn": [
                      "[concat('es-ipam-',subscription().displayName,'-RG-',copyIndex())]"
                    ],
                    "properties": {
                      "mode": "Incremental",
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {},
                        "variables": {},
                        "resources": [
                          {
                            "condition": "[contains(parameters('ipam')[copyIndex()],'networkSecurityGroups')]",
                            "apiVersion": "2020-05-01",
                            "type": "Microsoft.Network/networkSecurityGroups",
                            "name": "[concat(subscription().displayName, '-nsg')]",
                            "location": "[parameters('ipam')[copyIndex()].location]",
                            "properties": "[if(contains(parameters('ipam')[copyIndex()],'networkSecurityGroups'),parameters('ipam')[copyIndex()].networkSecurityGroups.properties,json('null'))]"
                          },
                          {
                            "condition": "[contains(parameters('ipam')[copyIndex()],'routeTables')]",
                            "apiVersion": "2020-05-01",
                            "type": "Microsoft.Network/routeTables",
                            "name": "[concat(subscription().displayName, '-udr')]",
                            "location": "[parameters('ipam')[copyIndex()].location]",
                            "properties": "[if(contains(parameters('ipam')[copyIndex()],'routeTables'),parameters('ipam')[copyIndex()].routeTables.properties,json('null'))]"
                          },
                          {
                            "condition": "[contains(parameters('ipam')[copyIndex()],'virtualNetworks')]",
                            "type": "Microsoft.Network/virtualNetworks",
                            "apiVersion": "2020-05-01",
                            "name": "[concat(subscription().displayName, '-vnet')]",
                            "location": "[parameters('ipam')[copyIndex()].location]",
                            "dependsOn": [
                              "[concat(subscription().displayName, '-nsg')]",
                              "[concat(subscription().displayName, '-udr')]"
                            ],
                            "properties": "[if(contains(parameters('ipam')[copyIndex()],'virtualNetworks'),parameters('ipam')[copyIndex()].virtualNetworks.properties,json('null'))]"
                          },
                          {
                            "condition": "[contains(parameters('ipam')[copyIndex()],'virtualNetworkPeerings')]",
                            "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
                            "apiVersion": "2020-05-01",
                            "name": "[concat(variables('vNetName'), '/peerToHub')]",
                            "dependsOn": [
                              "[concat(subscription().displayName, '-vnet')]"
                            ],
                            "properties": "[if(contains(parameters('ipam')[copyIndex()],'virtualNetworkPeerings'),parameters('ipam')[copyIndex()].virtualNetworkPeerings.properties,json('null'))]"
                          },
                          {
                            "condition": "[and(contains(parameters('ipam')[copyIndex()],'virtualNetworks'),contains(parameters('ipam')[copyIndex()],'hubVirtualNetworkConnection'),contains(parameters('ipam')[copyIndex()].hubVirtualNetworkConnection,'vWanVhubResourceId'))]",
                            "type": "Microsoft.Resources/deployments",
                            "apiVersion": "2020-06-01",
                            "name": "[concat('es-ipam-vWan-',subscription().displayName,'-peering-',copyIndex())]",
                            "subscriptionId": "[if(and(contains(parameters('ipam')[copyIndex()],'hubVirtualNetworkConnection'),contains(parameters('ipam')[copyIndex()].hubVirtualNetworkConnection,'vWanVhubResourceId')),split(parameters('ipam')[copyIndex()].hubVirtualNetworkConnection.vWanVhubResourceId,'/')[2],json('null'))]",
                            "resourceGroup": "[if(and(contains(parameters('ipam')[copyIndex()],'hubVirtualNetworkConnection'),contains(parameters('ipam')[copyIndex()].hubVirtualNetworkConnection,'vWanVhubResourceId')),split(parameters('ipam')[copyIndex()].hubVirtualNetworkConnection.vWanVhubResourceId,'/')[4],json('null'))]",
                            "dependsOn": [
                              "[concat(subscription().displayName, '-vnet')]"
                            ],
                            "properties": {
                              "mode": "Incremental",
                              "expressionEvaluationOptions": {
                                "scope": "inner"
                              },
                              "template": {
                                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                                "contentVersion": "1.0.0.0",
                                "parameters": {
                                  "remoteVirtualNetwork": {
                                    "type": "string"
                                  },
                                  "vWanVhubName": {
                                    "Type": "string",
                                    "defaultValue": ""
                                  },
                                  "allowHubToRemoteVnetTransit": {
                                    "Type": "bool",
                                    "defaultValue": true
                                  },
                                  "allowRemoteVnetToUseHubVnetGateways": {
                                    "Type": "bool",
                                    "defaultValue": false
                                  },
                                  "enableInternetSecurity": {
                                    "Type": "bool",
                                    "defaultValue": true
                                  }
                                },
                                "variables": {},
                                "resources": [
                                  {
                                    "type": "Microsoft.Network/virtualHubs/hubVirtualNetworkConnections",
                                    "apiVersion": "2020-05-01",
                                    "name": "[[concat(parameters('vWanVhubName'),'/',last(split(parameters('remoteVirtualNetwork'),'/')))]",
                                    "properties": {
                                      "remoteVirtualNetwork": {
                                        "id": "[[parameters('remoteVirtualNetwork')]"
                                      },
                                      "allowHubToRemoteVnetTransit": "[[parameters('allowHubToRemoteVnetTransit')]",
                                      "allowRemoteVnetToUseHubVnetGateways": "[[parameters('allowRemoteVnetToUseHubVnetGateways')]",
                                      "enableInternetSecurity": "[[parameters('enableInternetSecurity')]"
                                    }
                                  }
                                ],
                                "outputs": {}
                              },
                              "parameters": {
                                "remoteVirtualNetwork": {
                                  "value": "[concat(subscription().id,'/resourceGroups/',variables('vNetRgName'), '/providers/','Microsoft.Network/virtualNetworks/', concat(subscription().displayName, '-vnet'))]"
                                },
                                "vWanVhubName": {
                                  "value": "[if(and(contains(parameters('ipam')[copyIndex()],'hubVirtualNetworkConnection'),contains(parameters('ipam')[copyIndex()].hubVirtualNetworkConnection,'vWanVhubResourceId')),split(parameters('ipam')[copyIndex()].hubVirtualNetworkConnection.vWanVhubResourceId,'/')[8],json('null'))]"
                                },
                                "allowHubToRemoteVnetTransit": {
                                  "value": "[if(and(contains(parameters('ipam')[copyIndex()],'hubVirtualNetworkConnection'),contains(parameters('ipam')[copyIndex()].hubVirtualNetworkConnection,'vWanVhubResourceId')),parameters('ipam')[copyIndex()].hubVirtualNetworkConnection.properties.allowHubToRemoteVnetTransit,json('null'))]"
                                },
                                "allowRemoteVnetToUseHubVnetGateways": {
                                  "value": "[if(and(contains(parameters('ipam')[copyIndex()],'hubVirtualNetworkConnection'),contains(parameters('ipam')[copyIndex()].hubVirtualNetworkConnection,'vWanVhubResourceId')),parameters('ipam')[copyIndex()].hubVirtualNetworkConnection.properties.allowRemoteVnetToUseHubVnetGateways,json('null'))]"
                                },
                                "enableInternetSecurity": {
                                  "value": "[if(and(contains(parameters('ipam')[copyIndex()],'hubVirtualNetworkConnection'),contains(parameters('ipam')[copyIndex()].hubVirtualNetworkConnection,'vWanVhubResourceId')),parameters('ipam')[copyIndex()].hubVirtualNetworkConnection.properties.enableInternetSecurity,json('null'))]"
                                }
                              }
                            }
                          },
                          {
                            "condition": "[and(contains(parameters('ipam')[copyIndex()],'virtualNetworks'),contains(parameters('ipam')[copyIndex()],'virtualNetworkPeerings'),contains(parameters('ipam')[copyIndex()].virtualNetworkPeerings.properties.remoteVirtualNetwork,'id'))]",
                            "type": "Microsoft.Resources/deployments",
                            "apiVersion": "2020-06-01",
                            "name": "[concat('es-ipam-hub-',subscription().displayName,'-peering-',copyIndex())]",
                            "subscriptionId": "[if(and(contains(parameters('ipam')[copyIndex()],'virtualNetworkPeerings'),contains(parameters('ipam')[copyIndex()].virtualNetworkPeerings.properties.remoteVirtualNetwork,'id')),split(parameters('ipam')[copyIndex()].virtualNetworkPeerings.properties.remoteVirtualNetwork.id,'/')[2],json('null'))]",
                            "resourceGroup": "[if(and(contains(parameters('ipam')[copyIndex()],'virtualNetworkPeerings'),contains(parameters('ipam')[copyIndex()].virtualNetworkPeerings.properties.remoteVirtualNetwork,'id')),split(parameters('ipam')[copyIndex()].virtualNetworkPeerings.properties.remoteVirtualNetwork.id,'/')[4],json('null'))]",
                            "dependsOn": [
                              "[concat(subscription().displayName, '-vnet')]"
                            ],
                            "properties": {
                              "mode": "Incremental",
                              "expressionEvaluationOptions": {
                                "scope": "inner"
                              },
                              "template": {
                                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                                "contentVersion": "1.0.0.0",
                                "parameters": {
                                  "remoteVirtualNetwork": {
                                    "Type": "string",
                                    "defaultValue": false
                                  },
                                  "hubName": {
                                    "Type": "string",
                                    "defaultValue": false
                                  }
                                },
                                "variables": {},
                                "resources": [
                                  {
                                    "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
                                    "name": "[[concat(parameters('hubName'),'/',last(split(parameters('remoteVirtualNetwork'),'/')))]",
                                    "apiVersion": "2020-05-01",
                                    "properties": {
                                      "allowVirtualNetworkAccess": true,
                                      "allowForwardedTraffic": true,
                                      "allowGatewayTransit": true,
                                      "useRemoteGateways": false,
                                      "remoteVirtualNetwork": {
                                        "id": "[[parameters('remoteVirtualNetwork')]"
                                      }
                                    }
                                  }
                                ],
                                "outputs": {}
                              },
                              "parameters": {
                                "remoteVirtualNetwork": {
                                  "value": "[concat(subscription().id,'/resourceGroups/',variables('vNetRgName'), '/providers/','Microsoft.Network/virtualNetworks/', concat(subscription().displayName, '-vnet'))]"
                                },
                                "hubName": {
                                  "value": "[if(and(contains(parameters('ipam')[copyIndex()],'virtualNetworkPeerings'),contains(parameters('ipam')[copyIndex()].virtualNetworkPeerings.properties.remoteVirtualNetwork,'id')),split(parameters('ipam')[copyIndex()].virtualNetworkPeerings.properties.remoteVirtualNetwork.id,'/')[8],json('null'))]"
                                }
                              }
                            }
                          }
                        ],
                        "outputs": {}
                      }
                    },
                    "resourceGroup": "[variables('vNetRgName')]",
                    "copy": {
                      "name": "ipam-loop",
                      "count": "[length(parameters('ipam'))]"
                    },
                    "condition": "[if(and(not(empty(parameters('ipam'))), equals(toLower(parameters('ipam')[copyIndex()].name),toLower(variables('vNetName')))),bool('true'),bool('false'))]"
                  }
                ],
                "outputs": {
                  "ipam": {
                    "condition": "[bool('true')]",
                    "type": "Int",
                    "value": "[length(parameters('ipam'))]"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-vNet",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-vNet"
}
Custom Network False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7)
{
  "properties": {
    "displayName": "Deploy SQL database auditing settings",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploy auditing settings to SQL Database when it not exist in the deployment",
    "metadata": {
      "version": "1.0.0",
      "category": "SQL",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:37.9782455Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Sql/servers/databases"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Sql/servers/databases/auditingSettings",
          "name": "default",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Sql/servers/databases/auditingSettings/state",
                "equals": "enabled"
              },
              {
                "field": "Microsoft.Sql/servers/databases/auditingSettings/isAzureMonitorTargetEnabled",
                "equals": "true"
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "location": {
                    "type": "string"
                  },
                  "sqlServerName": {
                    "type": "string"
                  },
                  "sqlServerDataBaseName": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "name": "[concat( parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]",
                    "type": "Microsoft.Sql/servers/databases/auditingSettings",
                    "apiVersion": "2017-03-01-preview",
                    "properties": {
                      "state": "enabled",
                      "auditActionsAndGroups": [
                        "BATCH_COMPLETED_GROUP",
                        "DATABASE_OBJECT_CHANGE_GROUP",
                        "SCHEMA_OBJECT_CHANGE_GROUP",
                        "BACKUP_RESTORE_GROUP",
                        "APPLICATION_ROLE_CHANGE_PASSWORD_GROUP",
                        "DATABASE_PRINCIPAL_CHANGE_GROUP",
                        "DATABASE_PRINCIPAL_IMPERSONATION_GROUP",
                        "DATABASE_ROLE_MEMBER_CHANGE_GROUP",
                        "USER_CHANGE_PASSWORD_GROUP",
                        "DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP",
                        "DATABASE_OBJECT_PERMISSION_CHANGE_GROUP",
                        "DATABASE_PERMISSION_CHANGE_GROUP",
                        "SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP",
                        "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
                        "FAILED_DATABASE_AUTHENTICATION_GROUP"
                      ],
                      "isAzureMonitorTargetEnabled": true
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "location": {
                  "value": "[field('location')]"
                },
                "sqlServerName": {
                  "value": "[first(split(field('fullname'),'/'))]"
                },
                "sqlServerDataBaseName": {
                  "value": "[field('name')]"
                }
              }
            }
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3"
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Sql-AuditingSettings"
}
Custom SQL False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy SQL Database built-in SQL security configuration (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-sql-security) 'SQL Security Manager' (056cd41c-7e88-42e1-933e-88ba6a50c9c3)
{
  "properties": {
    "displayName": "Deploy SQL Database security Alert Policies configuration with email admin accounts",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration",
    "metadata": {
      "version": "1.0.0",
      "category": "SQL",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.4946469Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Sql/servers/databases"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Sql/servers/databases/securityAlertPolicies",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Sql/servers/databases/securityAlertPolicies/state",
                "equals": "Enabled"
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "location": {
                    "type": "string"
                  },
                  "sqlServerName": {
                    "type": "string"
                  },
                  "sqlServerDataBaseName": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "name": "[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]",
                    "type": "Microsoft.Sql/servers/databases/securityAlertPolicies",
                    "apiVersion": "2018-06-01-preview",
                    "properties": {
                      "state": "Enabled",
                      "disabledAlerts": [
                        ""
                      ],
                      "emailAddresses": [
                        "admin@contoso.com"
                      ],
                      "emailAccountAdmins": true,
                      "storageEndpoint": null,
                      "storageAccountAccessKey": "",
                      "retentionDays": 0
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "location": {
                  "value": "[field('location')]"
                },
                "sqlServerName": {
                  "value": "[first(split(field('fullname'),'/'))]"
                },
                "sqlServerDataBaseName": {
                  "value": "[field('name')]"
                }
              }
            }
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3"
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Sql-SecurityAlertPolicies"
}
Custom SQL False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy SQL Database built-in SQL security configuration (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-sql-security) 'SQL Security Manager' (056cd41c-7e88-42e1-933e-88ba6a50c9c3)
{
  "properties": {
    "displayName": "Deploy SQL Database Transparent Data Encryption ",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploy the Transparent Data Encryption when it is not enabled in the deployment",
    "metadata": {
      "version": "1.0.0",
      "category": "SQL",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:37.8987432Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Sql/servers/databases"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Sql/servers/databases/transparentDataEncryption",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Sql/transparentDataEncryption.status",
                "equals": "Enabled"
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "location": {
                    "type": "string"
                  },
                  "sqlServerName": {
                    "type": "string"
                  },
                  "sqlServerDataBaseName": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "name": "[concat( parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/current')]",
                    "type": "Microsoft.Sql/servers/databases/transparentDataEncryption",
                    "apiVersion": "2014-04-01",
                    "properties": {
                      "status": "Enabled"
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "location": {
                  "value": "[field('location')]"
                },
                "sqlServerName": {
                  "value": "[first(split(field('fullname'),'/'))]"
                },
                "sqlServerDataBaseName": {
                  "value": "[field('name')]"
                }
              }
            }
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3"
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Sql-Tde"
}
Custom SQL False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy SQL Database built-in SQL security configuration (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-sql-security) 'SQL Security Manager' (056cd41c-7e88-42e1-933e-88ba6a50c9c3)
{
  "properties": {
    "displayName": "Deploy SQL Database vulnerability Assessments",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific  storage account in the parameters",
    "metadata": {
      "version": "1.0.0",
      "category": "SQL",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.4646364Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "vulnerabilityAssessmentsEmail": {
        "type": "String",
        "metadata": {
          "description": "The email address to send alerts",
          "displayName": "The email address to send alerts"
        }
      },
      "vulnerabilityAssessmentsStorageID": {
        "type": "String",
        "metadata": {
          "description": "The storage account to store assessments",
          "displayName": "The storage account to store assessments"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Sql/servers/databases"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.emails",
                "equals": "[parameters('vulnerabilityAssessmentsEmail')]"
              },
              {
                "field": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.isEnabled",
                "equals": true
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "location": {
                    "type": "string"
                  },
                  "sqlServerName": {
                    "type": "string"
                  },
                  "sqlServerDataBaseName": {
                    "type": "string"
                  },
                  "vulnerabilityAssessmentsEmail": {
                    "type": "string"
                  },
                  "vulnerabilityAssessmentsStorageID": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "name": "[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]",
                    "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments",
                    "apiVersion": "2017-03-01-preview",
                    "properties": {
                      "storageContainerPath": "[concat('https://', last( split(parameters('vulnerabilityAssessmentsStorageID') ,  '/') ) , '.blob.core.windows.net/vulneraabilitylogs')]",
                      "storageAccountAccessKey": "[listkeys(parameters('vulnerabilityAssessmentsStorageID'), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]",
                      "recurringScans": {
                        "isEnabled": true,
                        "emailSubscriptionAdmins": false,
                        "emails": [
                          "[parameters('vulnerabilityAssessmentsEmail')]"
                        ]
                      }
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "location": {
                  "value": "[field('location')]"
                },
                "sqlServerName": {
                  "value": "[first(split(field('fullname'),'/'))]"
                },
                "sqlServerDataBaseName": {
                  "value": "[field('name')]"
                },
                "vulnerabilityAssessmentsEmail": {
                  "value": "[parameters('vulnerabilityAssessmentsEmail')]"
                },
                "vulnerabilityAssessmentsStorageID": {
                  "value": "[parameters('vulnerabilityAssessmentsStorageID')]"
                }
              }
            }
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3",
            "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa"
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Sql-vulnerabilityAssessments"
}
Custom SQL False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a true 1 Deploy SQL Database built-in SQL security configuration (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-sql-security) 'SQL Security Manager' (056cd41c-7e88-42e1-933e-88ba6a50c9c3), 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa)
{
  "properties": {
    "displayName": "Deploy SQL DB transparent data encryption",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Enables transparent data encryption on SQL databases",
    "metadata": {
      "version": "2.0.0",
      "category": "SQL"
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Sql/servers/databases"
          },
          {
            "field": "name",
            "notEquals": "master"
          }
        ]
      },
      "then": {
        "effect": "DeployIfNotExists",
        "details": {
          "type": "Microsoft.Sql/servers/databases/transparentDataEncryption",
          "name": "current",
          "existenceCondition": {
            "anyOf": [
              {
                "field": "Microsoft.Sql/transparentDataEncryption.status",
                "equals": "enabled"
              },
              {
                "field": "Microsoft.Sql/servers/databases/transparentDataEncryption/state",
                "equals": "enabled"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "fullDbName": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[concat(parameters('fullDbName'), '/current')]",
                    "type": "Microsoft.Sql/servers/databases/transparentDataEncryption",
                    "apiVersion": "2014-04-01",
                    "properties": {
                      "status": "Enabled"
                    }
                  }
                ]
              },
              "parameters": {
                "fullDbName": {
                  "value": "[field('fullName')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "86a912f6-9a06-4e26-b447-11b16ba8659f"
}
BuiltIn SQL False False n/a n/a n/a true 1 /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/enforce-sql-encryption (Deploy-SQL-Security) false 0 n/a 'SQL DB Contributor' (9b7fa17d-e63e-47b0-bb0a-15c516ac86ec)
{
  "properties": {
    "displayName": "Deploy the configurations to the Log Analytics in the subscription",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploy the configurations to the Log Analytics in the subscription. This includes a list of solutions like update, automation etc and  enables the vminsight counters. ",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.5409206Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "workspaceName": {
        "type": "String",
        "metadata": {
          "displayName": "workspaceName",
          "description": "Provide name of existing Log Analytics workspace"
        }
      },
      "workspaceRegion": {
        "type": "String",
        "metadata": {
          "displayName": "workspaceRegion",
          "description": "Select region of existing Log Analytics workspace"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.OperationalInsights/workspaces"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.OperationalInsights/workspaces",
          "deploymentScope": "resourceGroup",
          "existenceScope": "Subscription",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "existenceCondition": {
            "allOf": [
              {
                "field": "name",
                "like": "[parameters('workspaceName')]"
              },
              {
                "field": "location",
                "equals": "[parameters('workspaceRegion')]"
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "workspaceName": {
                  "value": "[parameters('workspaceName')]"
                },
                "workspaceRegion": {
                  "value": "[parameters('workspaceRegion')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "workspaceName": {
                    "type": "string"
                  },
                  "workspaceRegion": {
                    "type": "string"
                  }
                },
                "variables": {
                  "vmInsightsPerfCounters": {
                    "windowsArray": [
                      {
                        "armName": "counter1",
                        "objectName": "LogicalDisk",
                        "counterName": "% Free Space",
                        "instanceName": "*",
                        "intervalSeconds": 10
                      },
                      {
                        "armName": "counter2",
                        "objectName": "LogicalDisk",
                        "counterName": "Avg. Disk sec/Read",
                        "instanceName": "*",
                        "intervalSeconds": 10
                      },
                      {
                        "armName": "counter3",
                        "objectName": "LogicalDisk",
                        "counterName": "Avg. Disk sec/Transfer",
                        "instanceName": "*",
                        "intervalSeconds": 10
                      },
                      {
                        "armName": "counter4",
                        "objectName": "LogicalDisk",
                        "counterName": "Avg. Disk sec/Write",
                        "instanceName": "*",
                        "intervalSeconds": 10
                      },
                      {
                        "armName": "counter5",
                        "objectName": "LogicalDisk",
                        "counterName": "Disk Read Bytes/sec",
                        "instanceName": "*",
                        "intervalSeconds": 10
                      },
                      {
                        "armName": "counter6",
                        "objectName": "LogicalDisk",
                        "counterName": "Disk Reads/sec",
                        "instanceName": "*",
                        "intervalSeconds": 10
                      },
                      {
                        "armName": "counter7",
                        "objectName": "LogicalDisk",
                        "counterName": "Disk Transfers/sec",
                        "instanceName": "*",
                        "intervalSeconds": 10
                      },
                      {
                        "armName": "counter8",
                        "objectName": "LogicalDisk",
                        "counterName": "Disk Write Bytes/sec",
                        "instanceName": "*",
                        "intervalSeconds": 10
                      },
                      {
                        "armName": "counter9",
                        "objectName": "LogicalDisk",
                        "counterName": "Disk Writes/sec",
                        "instanceName": "*",
                        "intervalSeconds": 10
                      },
                      {
                        "armName": "counter10",
                        "objectName": "LogicalDisk",
                        "counterName": "Free Megabytes",
                        "instanceName": "*",
                        "intervalSeconds": 10
                      },
                      {
                        "armName": "counter11",
                        "objectName": "Memory",
                        "counterName": "Available MBytes",
                        "instanceName": "*",
                        "intervalSeconds": 10
                      },
                      {
                        "armName": "counter12",
                        "objectName": "Network Adapter",
                        "counterName": "Bytes Received/sec",
                        "instanceName": "*",
                        "intervalSeconds": 10
                      },
                      {
                        "armName": "counter13",
                        "objectName": "Network Adapter",
                        "counterName": "Bytes Sent/sec",
                        "instanceName": "*",
                        "intervalSeconds": 10
                      },
                      {
                        "armName": "counter14",
                        "objectName": "Processor",
                        "counterName": "% Processor Time",
                        "instanceName": "*",
                        "intervalSeconds": 10
                      }
                    ],
                    "linuxDiskArray": [
                      {
                        "counterName": "% Used Inodes"
                      },
                      {
                        "counterName": "Free Megabytes"
                      },
                      {
                        "counterName": "% Used Space"
                      },
                      {
                        "counterName": "Disk Transfers/sec"
                      },
                      {
                        "counterName": "Disk Reads/sec"
                      },
                      {
                        "counterName": "Disk writes/sec"
                      }
                    ],
                    "linuxDiskObject": {
                      "armResourceName": "Disk",
                      "objectName": "Logical Disk",
                      "instanceName": "*",
                      "intervalSeconds": 10
                    },
                    "linuxMemoryArray": [
                      {
                        "counterName": "Available MBytes Memory"
                      }
                    ],
                    "linuxMemoryObject": {
                      "armResourceName": "Memory",
                      "objectName": "Memory",
                      "instanceName": "*",
                      "intervalSeconds": 10
                    },
                    "linuxNetworkArray": [
                      {
                        "counterName": "Total Bytes Received"
                      },
                      {
                        "counterName": "Total Bytes Transmitted"
                      }
                    ],
                    "linuxNetworkObject": {
                      "armResourceName": "Network",
                      "objectName": "Network",
                      "instanceName": "*",
                      "intervalSeconds": 10
                    },
                    "linuxCpuArray": [
                      {
                        "counterName": "% Processor Time"
                      }
                    ],
                    "linuxCpuObject": {
                      "armResourceName": "Processor",
                      "objectName": "Processor",
                      "instanceName": "*",
                      "intervalSeconds": 10
                    }
                  },
                  "batch1": {
                    "solutions": [
                      {
                        "name": "[concat('Security', '(', parameters('workspaceName'), ')')]",
                        "marketplaceName": "Security"
                      },
                      {
                        "name": "[concat('AgentHealthAssessment', '(', parameters('workspaceName'), ')')]",
                        "marketplaceName": "AgentHealthAssessment"
                      },
                      {
                        "name": "[concat('ChangeTracking', '(', parameters('workspaceName'), ')')]",
                        "marketplaceName": "ChangeTracking"
                      },
                      {
                        "name": "[concat('Updates', '(', parameters('workspaceName'), ')')]",
                        "marketplaceName": "Updates"
                      },
                      {
                        "name": "[concat('AzureActivity', '(', parameters('workspaceName'), ')')]",
                        "marketplaceName": "AzureActivity"
                      },
                      {
                        "name": "[concat('AzureAutomation', '(', parameters('workspaceName'), ')')]",
                        "marketplaceName": "AzureAutomation"
                      },
                      {
                        "name": "[concat('ADAssessment', '(', parameters('workspaceName'), ')')]",
                        "marketplaceName": "ADAssessment"
                      },
                      {
                        "name": "[concat('SQLAssessment', '(', parameters('workspaceName'), ')')]",
                        "marketplaceName": "SQLAssessment"
                      },
                      {
                        "name": "[concat('VMInsights', '(', parameters('workspaceName'), ')')]",
                        "marketplaceName": "VMInsights"
                      },
                      {
                        "name": "[concat('ServiceMap', '(', parameters('workspaceName'), ')')]",
                        "marketplaceName": "ServiceMap"
                      },
                      {
                        "name": "[concat('SecurityInsights', '(', parameters('workspaceName'), ')')]",
                        "marketplaceName": "SecurityInsights"
                      }
                    ]
                  }
                },
                "resources": [
                  {
                    "apiVersion": "2015-11-01-preview",
                    "type": "Microsoft.OperationalInsights/workspaces/datasources",
                    "name": "[concat(parameters('workspaceName'), '/LinuxPerfCollection')]",
                    "kind": "LinuxPerformanceCollection",
                    "properties": {
                      "state": "Enabled"
                    }
                  },
                  {
                    "apiVersion": "2015-11-01-preview",
                    "type": "Microsoft.OperationalInsights/workspaces/dataSources",
                    "name": "[concat(parameters('workspaceName'), '/', variables('vmInsightsPerfCounters').linuxDiskObject.armResourceName)]",
                    "kind": "LinuxPerformanceObject",
                    "properties": {
                      "performanceCounters": "[variables('vmInsightsPerfCounters').linuxDiskArray]",
                      "objectName": "[variables('vmInsightsPerfCounters').linuxDiskObject.objectName]",
                      "instanceName": "[variables('vmInsightsPerfCounters').linuxDiskObject.instanceName]",
                      "intervalSeconds": "[variables('vmInsightsPerfCounters').linuxDiskObject.intervalSeconds]"
                    }
                  },
                  {
                    "apiVersion": "2015-11-01-preview",
                    "type": "Microsoft.OperationalInsights/workspaces/dataSources",
                    "name": "[concat(parameters('workspaceName'), '/', variables('vmInsightsPerfCounters').linuxMemoryObject.armResourceName)]",
                    "kind": "LinuxPerformanceObject",
                    "properties": {
                      "performanceCounters": "[variables('vmInsightsPerfCounters').linuxMemoryArray]",
                      "objectName": "[variables('vmInsightsPerfCounters').linuxMemoryObject.objectName]",
                      "instanceName": "[variables('vmInsightsPerfCounters').linuxMemoryObject.instanceName]",
                      "intervalSeconds": "[variables('vmInsightsPerfCounters').linuxMemoryObject.intervalSeconds]"
                    }
                  },
                  {
                    "apiVersion": "2015-11-01-preview",
                    "type": "Microsoft.OperationalInsights/workspaces/dataSources",
                    "name": "[concat(parameters('workspaceName'), '/', variables('vmInsightsPerfCounters').linuxCpuObject.armResourceName)]",
                    "kind": "LinuxPerformanceObject",
                    "properties": {
                      "performanceCounters": "[variables('vmInsightsPerfCounters').linuxCpuArray]",
                      "objectName": "[variables('vmInsightsPerfCounters').linuxCpuObject.objectName]",
                      "instanceName": "[variables('vmInsightsPerfCounters').linuxCpuObject.instanceName]",
                      "intervalSeconds": "[variables('vmInsightsPerfCounters').linuxCpuObject.intervalSeconds]"
                    }
                  },
                  {
                    "apiVersion": "2015-11-01-preview",
                    "type": "Microsoft.OperationalInsights/workspaces/dataSources",
                    "name": "[concat(parameters('workspaceName'), '/', variables('vmInsightsPerfCounters').linuxNetworkObject.armResourceName)]",
                    "kind": "LinuxPerformanceObject",
                    "properties": {
                      "performanceCounters": "[variables('vmInsightsPerfCounters').linuxNetworkArray]",
                      "objectName": "[variables('vmInsightsPerfCounters').linuxNetworkObject.objectName]",
                      "instanceName": "[variables('vmInsightsPerfCounters').linuxNetworkObject.instanceName]",
                      "intervalSeconds": "[variables('vmInsightsPerfCounters').linuxNetworkObject.intervalSeconds]"
                    }
                  },
                  {
                    "apiVersion": "2015-11-01-preview",
                    "type": "Microsoft.OperationalInsights/workspaces/dataSources",
                    "name": "[concat(parameters('workspaceName'), '/', variables('vmInsightsPerfCounters').windowsArray[copyIndex()].armName)]",
                    "kind": "WindowsPerformanceCounter",
                    "copy": {
                      "name": "counterCopy",
                      "count": "[length(variables('vmInsightsPerfCounters').windowsArray)]"
                    },
                    "properties": {
                      "objectName": "[variables('vmInsightsPerfCounters').windowsArray[copyIndex()].objectName]",
                      "instanceName": "[variables('vmInsightsPerfCounters').windowsArray[copyIndex()].instanceName]",
                      "intervalSeconds": "[variables('vmInsightsPerfCounters').windowsArray[copyIndex()].intervalSeconds]",
                      "counterName": "[variables('vmInsightsPerfCounters').windowsArray[copyIndex()].counterName]"
                    }
                  },
                  {
                    "apiVersion": "2015-11-01-preview",
                    "type": "Microsoft.OperationsManagement/solutions",
                    "name": "[concat(variables('batch1').solutions[copyIndex()].Name)]",
                    "location": "[parameters('workspaceRegion')]",
                    "copy": {
                      "name": "solutionCopy",
                      "count": "[length(variables('batch1').solutions)]"
                    },
                    "properties": {
                      "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
                    },
                    "plan": {
                      "name": "[variables('batch1').solutions[copyIndex()].name]",
                      "product": "[concat('OMSGallery/', variables('batch1').solutions[copyIndex()].marketplaceName)]",
                      "promotionCode": "",
                      "publisher": "Microsoft"
                    }
                  }
                ],
                "outputs": {}
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-LA-Config",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-LA-Config"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a false 0 n/a 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "1.0.1"
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Compute/imagePublisher",
                "in": [
                  "microsoft-aks",
                  "qubole-inc",
                  "datastax",
                  "couchbase",
                  "scalegrid",
                  "checkpoint",
                  "paloaltonetworks",
                  "debian"
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "OpenLogic"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "like": "CentOS*"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "notLike": "6*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Oracle"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Oracle-Linux"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "notLike": "6*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "RedHat"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "RHEL",
                      "RHEL-HA",
                      "RHEL-SAP",
                      "RHEL-SAP-APPS",
                      "RHEL-SAP-HA",
                      "RHEL-SAP-HANA"
                    ]
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "notLike": "6*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "RedHat"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "osa",
                      "rhel-byos"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "center-for-internet-security-inc"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "cis-centos-7-l1",
                      "cis-centos-7-v2-1-1-l1",
                      "cis-centos-8-l1",
                      "cis-debian-linux-8-l1",
                      "cis-debian-linux-9-l1",
                      "cis-nginx-centos-7-v1-1-0-l1",
                      "cis-oracle-linux-7-v2-0-0-l1",
                      "cis-oracle-linux-8-l1",
                      "cis-postgresql-11-centos-linux-7-level-1",
                      "cis-rhel-7-l2",
                      "cis-rhel-7-v2-2-0-l1",
                      "cis-rhel-8-l1",
                      "cis-suse-linux-12-v2-0-0-l1",
                      "cis-ubuntu-linux-1604-v1-0-0-l1",
                      "cis-ubuntu-linux-1804-l1"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "credativ"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Debian"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "notLike": "7*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Suse"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "like": "SLES*"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "notLike": "11*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Canonical"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "UbuntuServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "notLike": "12*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "microsoft-dsvm"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "linux-data-science-vm-ubuntu",
                      "azureml"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "cloudera"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "cloudera-centos-os"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "notLike": "6*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "cloudera"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "cloudera-altus-centos-os"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "microsoft-ads"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "like": "linux*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration",
                        "exists": "true"
                      },
                      {
                        "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                        "like": "Linux*"
                      }
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "exists": "false"
                      },
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "notIn": [
                          "OpenLogic",
                          "RedHat",
                          "credativ",
                          "Suse",
                          "Canonical",
                          "microsoft-dsvm",
                          "cloudera",
                          "microsoft-ads",
                          "center-for-internet-security-inc",
                          "Oracle"
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.Compute/virtualMachines/extensions",
          "name": "AzurePolicyforLinux",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                "equals": "Microsoft.GuestConfiguration"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/type",
                "equals": "ConfigurationforLinux"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",
                "equals": "Succeeded"
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforLinux')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforLinux",
                      "typeHandlerVersion": "1.0",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "331e8ea8-378a-410f-a2e5-ae22f38bb0da"
}
BuiltIn Guest Configuration False False n/a n/a n/a false 0 n/a true 16 IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), Deploy prerequisites to enable Guest Configuration policies on virtual machines (/providers/microsoft.authorization/policysetdefinitions/12794019-7a00-42cf-95c2-882eed337cc8), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), [Preview]: Motion Picture Association of America (MPAA) (/providers/microsoft.authorization/policysetdefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Deploy the Log Analytics in the subscription",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys Log Analytics and Automation account to the subscription where the policy is assigned.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.3910318Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "workspaceName": {
        "type": "String",
        "metadata": {
          "displayName": "workspaceName",
          "description": "Provide name for log analytics workspace"
        }
      },
      "automationAccountName": {
        "type": "String",
        "metadata": {
          "displayName": "automationAccountName",
          "description": "Provide name for automation account"
        }
      },
      "workspaceRegion": {
        "type": "String",
        "metadata": {
          "displayName": "workspaceRegion",
          "description": "Select Azure region for Log Analytics"
        }
      },
      "automationRegion": {
        "type": "String",
        "metadata": {
          "displayName": "automationRegion",
          "description": "Select Azure region for Automation account"
        }
      },
      "retentionInDays": {
        "type": "String",
        "metadata": {
          "displayName": "Data retention",
          "description": "Select data retention (days) for Log Analytics."
        },
        "defaultValue": "30"
      },
      "rgName": {
        "type": "String",
        "metadata": {
          "displayName": "rgName",
          "description": "Provide name for resource group."
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.OperationalInsights/workspaces",
          "deploymentScope": "Subscription",
          "existenceScope": "Subscription",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "existenceCondition": {
            "allOf": [
              {
                "field": "name",
                "like": "[parameters('workspaceName')]"
              }
            ]
          },
          "deployment": {
            "location": "northeurope",
            "properties": {
              "mode": "incremental",
              "parameters": {
                "rgName": {
                  "value": "[parameters('rgName')]"
                },
                "retentionInDays": {
                  "value": "[parameters('retentionInDays')]"
                },
                "workspaceName": {
                  "value": "[parameters('workspaceName')]"
                },
                "workspaceRegion": {
                  "value": "[parameters('workspaceRegion')]"
                },
                "automationAccountName": {
                  "value": "[parameters('automationAccountName')]"
                },
                "automationRegion": {
                  "value": "[parameters('automationRegion')]"
                }
              },
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "rgName": {
                    "type": "string"
                  },
                  "workspaceName": {
                    "type": "string"
                  },
                  "workspaceRegion": {
                    "type": "string"
                  },
                  "automationAccountName": {
                    "type": "string"
                  },
                  "automationRegion": {
                    "type": "string"
                  },
                  "retentionInDays": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Resources/resourceGroups",
                    "apiVersion": "2018-05-01",
                    "name": "[parameters('rgName')]",
                    "location": "[deployment().location]",
                    "properties": {}
                  },
                  {
                    "type": "Microsoft.Resources/deployments",
                    "apiVersion": "2018-05-01",
                    "name": "log-analytics",
                    "resourceGroup": "[parameters('rgName')]",
                    "dependsOn": [
                      "[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]"
                    ],
                    "properties": {
                      "mode": "Incremental",
                      "template": {
                        "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
                        "contentVersion": "1.0.0.0",
                        "parameters": {},
                        "variables": {},
                        "resources": [
                          {
                            "apiversion": "2015-10-31",
                            "location": "[parameters('AutomationRegion')]",
                            "name": "[parameters('AutomationAccountName')]",
                            "type": "Microsoft.Automation/automationAccounts",
                            "comments": "Automation account for ",
                            "properties": {
                              "sku": {
                                "name": "OMS"
                              }
                            }
                          },
                          {
                            "apiVersion": "2017-03-15-preview",
                            "location": "[parameters('workspaceRegion')]",
                            "name": "[parameters('workspaceName')]",
                            "type": "Microsoft.OperationalInsights/workspaces",
                            "properties": {
                              "sku": {
                                "name": "pernode"
                              },
                              "enableLogAccessUsingOnlyResourcePermissions": true,
                              "retentionInDays": "[int(parameters('retentionInDays'))]"
                            },
                            "resources": [
                              {
                                "name": "Automation",
                                "type": "linkedServices",
                                "apiVersion": "2015-11-01-preview",
                                "dependsOn": [
                                  "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]",
                                  "[resourceId('Microsoft.Automation/automationAccounts/', parameters('AutomationAccountName'))]"
                                ],
                                "properties": {
                                  "resourceId": "[concat(subscription().id, '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.Automation/automationAccounts/', parameters('AutomationAccountName'))]"
                                }
                              }
                            ]
                          }
                        ],
                        "outputs": {}
                      }
                    }
                  }
                ],
                "outputs": {}
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Log-Analytics",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Log-Analytics"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists true 1 /providers/microsoft.management/managementgroups/esjh-management/providers/microsoft.authorization/policyassignments/deploy-log-analytics (Deploy-Log-Analytics) false 0 n/a 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploy the Virtual WAN in the specific region",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploy the Virtual WAN in the specific region.",
    "metadata": {
      "version": "1.0.0",
      "category": "Network",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.4945187Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "vwanname": {
        "type": "String",
        "metadata": {
          "displayName": "vwanname",
          "description": "Name of the Virtual WAN"
        }
      },
      "vwanRegion": {
        "type": "String",
        "metadata": {
          "displayName": "vwanRegion",
          "description": "Select Azure region for Virtual WAN",
          "strongType": "location"
        }
      },
      "rgName": {
        "type": "String",
        "metadata": {
          "displayName": "rgName",
          "description": "Provide name for resource group."
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/virtualWans",
          "deploymentScope": "Subscription",
          "existenceScope": "ResourceGroup",
          "name": "[parameters('vwanname')]",
          "resourceGroupName": "[parameters('rgName')]",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
          ],
          "deployment": {
            "location": "northeurope",
            "properties": {
              "mode": "incremental",
              "parameters": {
                "rgName": {
                  "value": "[parameters('rgName')]"
                },
                "vwanname": {
                  "value": "[parameters('vwanname')]"
                },
                "vwanRegion": {
                  "value": "[parameters('vwanRegion')]"
                }
              },
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "rgName": {
                    "type": "string"
                  },
                  "vwanname": {
                    "type": "string"
                  },
                  "vwanRegion": {
                    "type": "string"
                  }
                },
                "variables": {
                  "vwansku": "Standard"
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/resourceGroups",
                    "apiVersion": "2018-05-01",
                    "name": "[parameters('rgName')]",
                    "location": "[deployment().location]",
                    "properties": {}
                  },
                  {
                    "type": "Microsoft.Resources/deployments",
                    "apiVersion": "2018-05-01",
                    "name": "vwan",
                    "resourceGroup": "[parameters('rgName')]",
                    "dependsOn": [
                      "[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]"
                    ],
                    "properties": {
                      "mode": "Incremental",
                      "template": {
                        "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
                        "contentVersion": "1.0.0.0",
                        "parameters": {},
                        "resources": [
                          {
                            "type": "Microsoft.Network/virtualWans",
                            "apiVersion": "2020-05-01",
                            "location": "[parameters('vwanRegion')]",
                            "name": "[parameters('vwanname')]",
                            "properties": {
                              "virtualHubs": [],
                              "vpnSites": [],
                              "type": "[variables('vwansku')]"
                            }
                          }
                        ],
                        "outputs": {}
                      }
                    }
                  }
                ],
                "outputs": {}
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-vWAN",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-vWAN"
}
Custom Network False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7)
{
  "properties": {
    "displayName": "Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "1.0.1"
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Compute/imagePublisher",
                "in": [
                  "esri",
                  "incredibuild",
                  "MicrosoftDynamicsAX",
                  "MicrosoftSharepoint",
                  "MicrosoftVisualStudio",
                  "MicrosoftWindowsDesktop",
                  "MicrosoftWindowsServerHPCPack"
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "notLike": "2008*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftSQLServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "notLike": "SQL2008*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "microsoft-dsvm"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "dsvm-windows"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "microsoft-ads"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "standard-data-science-vm",
                      "windows-data-science-vm"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "batch"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "rendering-windows2016"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "center-for-internet-security-inc"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "like": "cis-windows-server-201*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "pivotal"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "like": "bosh-windows-server*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "cloud-infrastructure-services"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "like": "ad*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                        "exists": "true"
                      },
                      {
                        "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                        "like": "Windows*"
                      }
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "exists": "false"
                      },
                      {
                        "allOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "notLike": "2008*"
                          },
                          {
                            "field": "Microsoft.Compute/imageOffer",
                            "notLike": "SQL2008*"
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.Compute/virtualMachines/extensions",
          "name": "AzurePolicyforWindows",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                "equals": "Microsoft.GuestConfiguration"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/type",
                "equals": "ConfigurationforWindows"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",
                "equals": "Succeeded"
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "apiVersion": "2019-07-01",
                    "name": "[concat(parameters('vmName'), '/AzurePolicyforWindows')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.GuestConfiguration",
                      "type": "ConfigurationforWindows",
                      "typeHandlerVersion": "1.1",
                      "autoUpgradeMinorVersion": true,
                      "settings": {},
                      "protectedSettings": {}
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "385f5831-96d4-41db-9a3c-cd3af78aaae6"
}
BuiltIn Guest Configuration False False n/a n/a n/a false 0 n/a true 19 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), Deploy prerequisites to enable Guest Configuration policies on virtual machines (/providers/microsoft.authorization/policysetdefinitions/12794019-7a00-42cf-95c2-882eed337cc8), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), PCI v3.2.1:2018 (/providers/microsoft.authorization/policysetdefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), [Preview]: Motion Picture Association of America (MPAA) (/providers/microsoft.authorization/policysetdefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Deploy Virtual Hub network with Virtual Wan and Gateway and Firewall configured.",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploy Virtual Hub network with Virtual Wan and Gateway and Firewall configured in the desired region. ",
    "metadata": {
      "version": "1.0.0",
      "category": "Network",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.4945673Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "vwanname": {
        "type": "String",
        "metadata": {
          "displayName": "vwanname",
          "description": "Name of the Virtual WAN"
        }
      },
      "vHubName": {
        "type": "String",
        "metadata": {
          "displayName": "vHubName",
          "description": "Name of the vHUB"
        },
        "defaultValue": ""
      },
      "vHUB": {
        "type": "Object",
        "metadata": {
          "displayName": "vHUB",
          "description": "Object describing Virtual WAN vHUB"
        }
      },
      "vpngw": {
        "type": "Object",
        "metadata": {
          "displayName": "vpngw",
          "description": "Object describing VPN gateway"
        },
        "defaultValue": {}
      },
      "ergw": {
        "type": "Object",
        "metadata": {
          "displayName": "ergw",
          "description": "Object describing ExpressRoute gateway"
        },
        "defaultValue": {}
      },
      "azfw": {
        "type": "Object",
        "metadata": {
          "displayName": "azfw",
          "description": "Object describing the Azure Firewall in vHUB"
        },
        "defaultValue": {}
      },
      "rgName": {
        "type": "String",
        "metadata": {
          "displayName": "rgName",
          "description": "Provide name for resource group."
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/virtualHubs",
          "name": "[parameters('vHubName')]",
          "deploymentScope": "Subscription",
          "existenceScope": "ResourceGroup",
          "ResourceGroupName": "[parameters('rgName')]",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
          ],
          "deployment": {
            "location": "northeurope",
            "properties": {
              "mode": "incremental",
              "parameters": {
                "rgName": {
                  "value": "[parameters('rgName')]"
                },
                "vwanname": {
                  "value": "[parameters('vwanname')]"
                },
                "vHUB": {
                  "value": "[parameters('vHUB')]"
                },
                "vpngw": {
                  "value": "[parameters('vpngw')]"
                },
                "ergw": {
                  "value": "[parameters('ergw')]"
                },
                "azfw": {
                  "value": "[parameters('azfw')]"
                },
                "vHUBName": {
                  "value": "[parameters('vHUBName')]"
                }
              },
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vwanname": {
                    "type": "string",
                    "metadata": {
                      "description": "Name of the Virtual WAN"
                    }
                  },
                  "vHUB": {
                    "type": "object",
                    "metadata": {
                      "description": "Object describing Virtual WAN vHUB"
                    }
                  },
                  "vpngw": {
                    "type": "object",
                    "defaultValue": {},
                    "metadata": {
                      "description": "Object describing VPN gateway"
                    }
                  },
                  "ergw": {
                    "type": "object",
                    "defaultValue": {},
                    "metadata": {
                      "description": "Object describing ExpressRoute gateway"
                    }
                  },
                  "azfw": {
                    "type": "object",
                    "defaultValue": {},
                    "metadata": {
                      "description": "Object describing the Azure Firewall in vHUB"
                    }
                  },
                  "rgName": {
                    "type": "String",
                    "metadata": {
                      "displayName": "rgName",
                      "description": "Provide name for resource group."
                    }
                  },
                  "vHUBName": {
                    "type": "String",
                    "metadata": {
                      "displayName": "vHUBName",
                      "description": "Name of the vHUB"
                    }
                  }
                },
                "variables": {
                  "vhubsku": "Standard",
                  "vwanresourceid": "[concat(subscription().id,'/resourceGroups/',parameters('rgName'),'/providers/Microsoft.Network/virtualWans/',parameters('vwanname'))]",
                  "vwanhub": "[concat(subscription().id,'/resourceGroups/',parameters('rgName'),'/providers/Microsoft.Network/virtualHubs/',parameters('vHUBName'))]"
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/resourceGroups",
                    "apiVersion": "2018-05-01",
                    "name": "[parameters('rgName')]",
                    "location": "[deployment().location]",
                    "properties": {}
                  },
                  {
                    "type": "Microsoft.Resources/deployments",
                    "apiVersion": "2018-05-01",
                    "name": "[concat('vHUBdeploy-',parameters('vHUB').location)]",
                    "resourceGroup": "[parameters('rgName')]",
                    "dependsOn": [
                      "[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]"
                    ],
                    "properties": {
                      "mode": "Incremental",
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {},
                        "variables": {},
                        "resources": [
                          {
                            "type": "Microsoft.Network/virtualHubs",
                            "apiVersion": "2020-05-01",
                            "location": "[parameters('vHUB').location]",
                            "name": "[parameters('vHUBname')]",
                            "properties": {
                              "virtualWan": {
                                "id": "[variables('vwanresourceid')]"
                              },
                              "addressPrefix": "[parameters('vHUB').addressPrefix]",
                              "sku": "[variables('vhubsku')]"
                            }
                          }
                        ]
                      }
                    }
                  },
                  {
                    "type": "Microsoft.Resources/deployments",
                    "apiVersion": "2018-05-01",
                    "condition": "[greater(length(parameters('vpngw')),0)]",
                    "resourceGroup": "[parameters('rgName')]",
                    "dependsOn": [
                      "[concat('vHUBdeploy-',parameters('vHUB').location)]"
                    ],
                    "name": "[concat(parameters('vHUBName'),'-vpngw')]",
                    "properties": {
                      "mode": "Incremental",
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {},
                        "variables": {},
                        "resources": [
                          {
                            "type": "Microsoft.Network/vpnGateways",
                            "apiVersion": "2020-05-01",
                            "location": "[parameters('vHUB').location]",
                            "name": "[parameters('vpngw').name]",
                            "properties": {
                              "virtualHub": {
                                "id": "[variables('vwanhub')]"
                              },
                              "bgpSettings": "[parameters('vpngw').bgpSettings]",
                              "vpnGatewayScaleUnit": "[parameters('vpngw').vpnGatewayScaleUnit]"
                            }
                          }
                        ]
                      }
                    }
                  },
                  {
                    "type": "Microsoft.Resources/deployments",
                    "apiVersion": "2018-05-01",
                    "condition": "[greater(length(parameters('ergw')),0)]",
                    "resourceGroup": "[parameters('rgName')]",
                    "dependsOn": [
                      "[concat('vHUBdeploy-',parameters('vHUB').location)]"
                    ],
                    "name": "[concat(parameters('vHUBName'),'-ergw')]",
                    "properties": {
                      "mode": "Incremental",
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {},
                        "variables": {},
                        "resources": [
                          {
                            "type": "Microsoft.Network/expressRouteGateways",
                            "apiVersion": "2020-05-01",
                            "location": "[parameters('vHUB').location]",
                            "name": "[parameters('ergw').name]",
                            "properties": {
                              "virtualHub": {
                                "id": "[variables('vwanhub')]"
                              },
                              "autoScaleConfiguration": "[parameters('ergw').autoScaleConfiguration]"
                            }
                          }
                        ]
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-vHUB",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-vHUB"
}
Custom Network False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7)
{
  "properties": {
    "displayName": "Deploy Virtual Network to be used as hub virtual network in desired region",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys Virtual Network to be used as hub virtual network in desired region in the subscription where this policy is assigned.",
    "metadata": {
      "version": "1.0.0",
      "category": "Network",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.3758037Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "hubName": {
        "type": "String",
        "metadata": {
          "displayName": "hubName",
          "description": "Name of the Hub"
        }
      },
      "HUB": {
        "type": "Object",
        "metadata": {
          "displayName": "HUB",
          "description": "Object describing HUB"
        }
      },
      "vpngw": {
        "type": "Object",
        "metadata": {
          "displayName": "vpngw",
          "description": "Object describing VPN gateway"
        },
        "defaultValue": {}
      },
      "ergw": {
        "type": "Object",
        "metadata": {
          "displayName": "ergw",
          "description": "Object describing ExpressRoute gateway"
        },
        "defaultValue": {}
      },
      "azfw": {
        "type": "Object",
        "metadata": {
          "displayName": "ergw",
          "description": "Object describing ExpressRoute gateway"
        },
        "defaultValue": {}
      },
      "rgName": {
        "type": "String",
        "metadata": {
          "displayName": "rgName",
          "description": "Provide name for resource group."
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/virtualNetworks",
          "name": "[parameters('hubName')]",
          "deploymentScope": "Subscription",
          "existenceScope": "ResourceGroup",
          "ResourceGroupName": "[parameters('rgName')]",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
          ],
          "deployment": {
            "location": "northeurope",
            "properties": {
              "mode": "incremental",
              "parameters": {
                "rgName": {
                  "value": "[parameters('rgName')]"
                },
                "hubName": {
                  "value": "[parameters('hubName')]"
                },
                "HUB": {
                  "value": "[parameters('HUB')]"
                },
                "vpngw": {
                  "value": "[parameters('vpngw')]"
                },
                "ergw": {
                  "value": "[parameters('ergw')]"
                },
                "azfw": {
                  "value": "[parameters('azfw')]"
                }
              },
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "hubName": {
                    "type": "string",
                    "metadata": {
                      "description": "Name of the HUB"
                    }
                  },
                  "HUB": {
                    "type": "object",
                    "metadata": {
                      "description": "Object describing HUB"
                    }
                  },
                  "vpngw": {
                    "type": "object",
                    "defaultValue": {},
                    "metadata": {
                      "description": "Object describing VPN gateway"
                    }
                  },
                  "ergw": {
                    "type": "object",
                    "defaultValue": {},
                    "metadata": {
                      "description": "Object describing ExpressRoute gateway"
                    }
                  },
                  "azfw": {
                    "type": "object",
                    "defaultValue": {},
                    "metadata": {
                      "description": "Object describing the Azure Firewall"
                    }
                  },
                  "rgName": {
                    "type": "String",
                    "metadata": {
                      "displayName": "rgName",
                      "description": "Provide name for resource group."
                    }
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Resources/resourceGroups",
                    "apiVersion": "2020-06-01",
                    "name": "[parameters('rgName')]",
                    "location": "[deployment().location]",
                    "properties": {}
                  },
                  {
                    "type": "Microsoft.Resources/deployments",
                    "apiVersion": "2020-06-01",
                    "name": "[concat(parameters('hubName'),'-', parameters('HUB').location)]",
                    "resourceGroup": "[parameters('rgName')]",
                    "dependsOn": [
                      "[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]"
                    ],
                    "properties": {
                      "mode": "Incremental",
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {},
                        "variables": {},
                        "resources": [
                          {
                            "name": "[parameters('hubName')]",
                            "type": "Microsoft.Network/virtualNetworks",
                            "apiVersion": "2020-04-01",
                            "location": "[parameters('HUB').location]",
                            "properties": {
                              "addressSpace": {
                                "addressPrefixes": [
                                  "[parameters('HUB').addressPrefix]"
                                ]
                              },
                              "subnets": [
                                {
                                  "name": "Infrastructure",
                                  "properties": {
                                    "addressPrefix": "[if(not(empty(parameters('HUB').subnets.infra)),parameters('HUB').subnets.infra, json('null'))]"
                                  }
                                },
                                {
                                  "name": "AzureFirewallSubnet",
                                  "properties": {
                                    "addressPrefix": "[if(not(empty(parameters('HUB').subnets.azfw)),parameters('HUB').subnets.azfw, json('null'))]"
                                  }
                                },
                                {
                                  "name": "GatewaySubnet",
                                  "properties": {
                                    "addressPrefix": "[if(not(empty(parameters('HUB').subnets.gw)),parameters('HUB').subnets.gw, json('null'))]"
                                  }
                                }
                              ]
                            }
                          }
                        ]
                      }
                    }
                  },
                  {
                    "type": "Microsoft.Resources/deployments",
                    "apiVersion": "2020-06-01",
                    "condition": "[greater(length(parameters('vpngw')),0)]",
                    "resourceGroup": "[parameters('rgName')]",
                    "dependsOn": [
                      "[concat(parameters('hubName'),'-', parameters('HUB').location)]"
                    ],
                    "name": "[concat(parameters('hubName'),'-vpngw')]",
                    "properties": {
                      "mode": "Incremental",
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {},
                        "variables": {},
                        "resources": [
                          {
                            "apiVersion": "2020-05-01",
                            "type": "Microsoft.Network/publicIpAddresses",
                            "location": "[parameters('HUB').location]",
                            "name": "[concat(parameters('vpngw').name,'-pip')]",
                            "properties": {
                              "publicIPAllocationMethod": "Dynamic"
                            },
                            "tags": {}
                          },
                          {
                            "apiVersion": "2020-05-01",
                            "name": "[parameters('vpngw').name]",
                            "type": "Microsoft.Network/virtualNetworkGateways",
                            "location": "[parameters('HUB').location]",
                            "dependsOn": [
                              "[concat('Microsoft.Network/publicIPAddresses/', parameters('vpngw').name,'-pip')]"
                            ],
                            "tags": {},
                            "properties": {
                              "gatewayType": "Vpn",
                              "vpnType": "[parameters('vpngw').vpnType]",
                              "ipConfigurations": [
                                {
                                  "name": "default",
                                  "properties": {
                                    "privateIPAllocationMethod": "Dynamic",
                                    "subnet": {
                                      "id": "[concat(subscription().id,'/resourceGroups/',parameters('rgName'), '/providers','/Microsoft.Network/virtualNetworks/', parameters('hubName'),'/subnets/GatewaySubnet')]"
                                    },
                                    "publicIpAddress": {
                                      "id": "[concat(subscription().id,'/resourceGroups/',parameters('rgName'), '/providers','/Microsoft.Network/publicIPAddresses/', parameters('vpngw').name,'-pip')]"
                                    }
                                  }
                                }
                              ],
                              "sku": {
                                "name": "[parameters('vpngw').sku]",
                                "tier": "[parameters('vpngw').sku]"
                              }
                            }
                          }
                        ]
                      }
                    }
                  },
                  {
                    "type": "Microsoft.Resources/deployments",
                    "apiVersion": "2020-06-01",
                    "condition": "[greater(length(parameters('ergw')),0)]",
                    "resourceGroup": "[parameters('rgName')]",
                    "dependsOn": [
                      "[concat(parameters('hubName'),'-', parameters('HUB').location)]"
                    ],
                    "name": "[concat(parameters('hubName'),'-ergw')]",
                    "properties": {
                      "mode": "Incremental",
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {},
                        "variables": {},
                        "resources": [
                          {
                            "apiVersion": "2020-05-01",
                            "type": "Microsoft.Network/publicIpAddresses",
                            "location": "[parameters('HUB').location]",
                            "name": "[concat(parameters('ergw').name,'-pip')]",
                            "properties": {
                              "publicIPAllocationMethod": "Dynamic"
                            },
                            "tags": {}
                          },
                          {
                            "apiVersion": "2020-05-01",
                            "name": "[parameters('ergw').name]",
                            "type": "Microsoft.Network/virtualNetworkGateways",
                            "location": "[parameters('HUB').location]",
                            "dependsOn": [
                              "[concat('Microsoft.Network/publicIPAddresses/', parameters('ergw').name,'-pip')]"
                            ],
                            "tags": {},
                            "properties": {
                              "gatewayType": "ExpressRoute",
                              "ipConfigurations": [
                                {
                                  "name": "default",
                                  "properties": {
                                    "privateIPAllocationMethod": "Dynamic",
                                    "subnet": {
                                      "id": "[concat(subscription().id,'/resourceGroups/',parameters('rgName'), '/providers','/Microsoft.Network/virtualNetworks/', parameters('hubName'),'/subnets/GatewaySubnet')]"
                                    },
                                    "publicIpAddress": {
                                      "id": "[concat(subscription().id,'/resourceGroups/',parameters('rgName'), '/providers','/Microsoft.Network/publicIPAddresses/', parameters('ergw').name,'-pip')]"
                                    }
                                  }
                                }
                              ],
                              "sku": {
                                "name": "[parameters('ergw').sku]",
                                "tier": "[parameters('ergw').sku]"
                              }
                            }
                          }
                        ]
                      }
                    }
                  },
                  {
                    "type": "Microsoft.Resources/deployments",
                    "apiVersion": "2020-06-01",
                    "condition": "[greater(length(parameters('azfw')),0)]",
                    "name": "[concat(parameters('hubName'),'-azfw')]",
                    "resourceGroup": "[parameters('rgName')]",
                    "dependsOn": [
                      "[concat(parameters('hubName'),'-', parameters('HUB').location)]"
                    ],
                    "properties": {
                      "mode": "Incremental",
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {},
                        "variables": {},
                        "resources": [
                          {
                            "apiVersion": "2020-05-01",
                            "type": "Microsoft.Network/publicIpAddresses",
                            "name": "[concat(parameters('azfw').name,'-pip')]",
                            "location": "[parameters('azfw').location]",
                            "sku": {
                              "name": "Standard"
                            },
                            "zones": "[if(contains(parameters('azfw'),'pipZones'),parameters('azfw').pipZones,json('null'))]",
                            "properties": {
                              "publicIPAllocationMethod": "Static"
                            },
                            "tags": {}
                          },
                          {
                            "apiVersion": "2020-05-01",
                            "type": "Microsoft.Network/azureFirewalls",
                            "name": "[parameters('azfw').name]",
                            "location": "[parameters('azfw').location]",
                            "zones": "[if(contains(parameters('azfw'),'fwZones'),parameters('azfw').fwZones,json('null'))]",
                            "dependsOn": [
                              "[concat(parameters('azfw').name,'-pip')]"
                            ],
                            "properties": {
                              "threatIntelMode": "[parameters('azfw').threatIntelMode]",
                              "additionalProperties": "[if(contains(parameters('azfw'),'additionalProperties'),parameters('azfw').additionalProperties,json('null'))]",
                              "sku": "[if(contains(parameters('azfw'),'sku'),parameters('azfw').sku,json('null'))]",
                              "ipConfigurations": [
                                {
                                  "name": "[concat(parameters('azfw').name,'-pip')]",
                                  "properties": {
                                    "subnet": {
                                      "id": "[concat(subscription().id,'/resourceGroups/',parameters('rgName'), '/providers','/Microsoft.Network/virtualNetworks/', parameters('hubName'),'/subnets/AzureFirewallSubnet')]"
                                    },
                                    "publicIPAddress": {
                                      "id": "[concat(subscription().id,'/resourceGroups/',parameters('rgName'), '/providers','/Microsoft.Network/publicIPAddresses/', parameters('azfw').name,'-pip')]"
                                    }
                                  }
                                }
                              ],
                              "firewallPolicy": "[if(contains(parameters('azfw'),'firewallPolicy'),parameters('azfw').firewallPolicy,json('null'))]"
                            },
                            "tags": {}
                          }
                        ]
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-HUB",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-HUB"
}
Custom Network False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7)
{
  "properties": {
    "displayName": "Deploy Windows Domain Join Extension with keyvault configuration",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploy Windows Domain Join Extension with keyvault configuration when the extension does not exist on a given windows Virtual Machine",
    "metadata": {
      "version": "1.0.0",
      "category": "Guest Configuration",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.5257789Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "domainUsername": {
        "type": "String",
        "metadata": {
          "displayName": "domainUsername",
          "description": null
        }
      },
      "domainPassword": {
        "type": "String",
        "metadata": {
          "displayName": "domainPassword",
          "description": null
        }
      },
      "domainFQDN": {
        "type": "String",
        "metadata": {
          "displayName": "domainFQDN",
          "description": null
        }
      },
      "domainOUPath": {
        "type": "String",
        "metadata": {
          "displayName": "domainOUPath",
          "description": null
        }
      },
      "keyVaultResourceId": {
        "type": "String",
        "metadata": {
          "displayName": "keyVaultResourceId",
          "description": null
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "Microsoft.Compute/imagePublisher",
            "equals": "MicrosoftWindowsServer"
          },
          {
            "field": "Microsoft.Compute/imageOffer",
            "equals": "WindowsServer"
          },
          {
            "field": "Microsoft.Compute/imageSKU",
            "in": [
              "2008-R2-SP1",
              "2008-R2-SP1-smalldisk",
              "2008-R2-SP1-zhcn",
              "2012-Datacenter",
              "2012-datacenter-gensecond",
              "2012-Datacenter-smalldisk",
              "2012-datacenter-smalldisk-g2",
              "2012-Datacenter-zhcn",
              "2012-datacenter-zhcn-g2",
              "2012-R2-Datacenter",
              "2012-r2-datacenter-gensecond",
              "2012-R2-Datacenter-smalldisk",
              "2012-r2-datacenter-smalldisk-g2",
              "2012-R2-Datacenter-zhcn",
              "2012-r2-datacenter-zhcn-g2",
              "2016-Datacenter",
              "2016-datacenter-gensecond",
              "2016-datacenter-gs",
              "2016-Datacenter-Server-Core",
              "2016-datacenter-server-core-g2",
              "2016-Datacenter-Server-Core-smalldisk",
              "2016-datacenter-server-core-smalldisk-g2",
              "2016-Datacenter-smalldisk",
              "2016-datacenter-smalldisk-g2",
              "2016-Datacenter-with-Containers",
              "2016-datacenter-with-containers-g2",
              "2016-Datacenter-with-RDSH",
              "2016-Datacenter-zhcn",
              "2016-datacenter-zhcn-g2",
              "2019-Datacenter",
              "2019-Datacenter-Core",
              "2019-datacenter-core-g2",
              "2019-Datacenter-Core-smalldisk",
              "2019-datacenter-core-smalldisk-g2",
              "2019-Datacenter-Core-with-Containers",
              "2019-datacenter-core-with-containers-g2",
              "2019-Datacenter-Core-with-Containers-smalldisk",
              "2019-datacenter-core-with-containers-smalldisk-g2",
              "2019-datacenter-gensecond",
              "2019-datacenter-gs",
              "2019-Datacenter-smalldisk",
              "2019-datacenter-smalldisk-g2",
              "2019-Datacenter-with-Containers",
              "2019-datacenter-with-containers-g2",
              "2019-Datacenter-with-Containers-smalldisk",
              "2019-datacenter-with-containers-smalldisk-g2",
              "2019-Datacenter-zhcn",
              "2019-datacenter-zhcn-g2",
              "Datacenter-Core-1803-with-Containers-smalldisk",
              "datacenter-core-1803-with-containers-smalldisk-g2",
              "Datacenter-Core-1809-with-Containers-smalldisk",
              "datacenter-core-1809-with-containers-smalldisk-g2",
              "Datacenter-Core-1903-with-Containers-smalldisk",
              "datacenter-core-1903-with-containers-smalldisk-g2",
              "datacenter-core-1909-with-containers-smalldisk",
              "datacenter-core-1909-with-containers-smalldisk-g1",
              "datacenter-core-1909-with-containers-smalldisk-g2"
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Compute/virtualMachines/extensions",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
          ],
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/type",
                "equals": "JsonADDomainExtension"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                "equals": "Microsoft.Compute"
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "domainUsername": {
                  "reference": {
                    "keyVault": {
                      "id": "[parameters('keyVaultResourceId')]"
                    },
                    "secretName": "[parameters('domainUsername')]"
                  }
                },
                "domainPassword": {
                  "reference": {
                    "keyVault": {
                      "id": "[parameters('keyVaultResourceId')]"
                    },
                    "secretName": "[parameters('domainPassword')]"
                  }
                },
                "domainOUPath": {
                  "value": "[parameters('domainOUPath')]"
                },
                "domainFQDN": {
                  "value": "[parameters('domainFQDN')]"
                },
                "keyVaultResourceId": {
                  "value": "[parameters('keyVaultResourceId')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "domainUsername": {
                    "type": "string"
                  },
                  "domainPassword": {
                    "type": "securestring"
                  },
                  "domainFQDN": {
                    "type": "string"
                  },
                  "domainOUPath": {
                    "type": "string"
                  },
                  "keyVaultResourceId": {
                    "type": "string"
                  }
                },
                "variables": {
                  "domainJoinOptions": 3,
                  "vmName": "[parameters('vmName')]"
                },
                "resources": [
                  {
                    "apiVersion": "2015-06-15",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "name": "[concat(variables('vmName'),'/joindomain')]",
                    "location": "[resourceGroup().location]",
                    "properties": {
                      "publisher": "Microsoft.Compute",
                      "type": "JsonADDomainExtension",
                      "typeHandlerVersion": "1.3",
                      "autoUpgradeMinorVersion": true,
                      "settings": {
                        "Name": "[parameters('domainFQDN')]",
                        "User": "[parameters('domainUserName')]",
                        "Restart": "true",
                        "Options": "[variables('domainJoinOptions')]",
                        "OUPath": "[parameters('domainOUPath')]"
                      },
                      "protectedSettings": {
                        "Password": "[parameters('domainPassword')]"
                      }
                    }
                  }
                ],
                "outputs": {}
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Windows-DomainJoin",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Windows-DomainJoin"
}
Custom Guest Configuration False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a false 0 n/a 'Virtual Machine Contributor' (9980e02c-c2be-4d73-94e8-173b1dc7cf3c)
{
  "properties": {
    "displayName": "Deploy Workflow Automation for Azure Security Center alerts",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Enable automation of Azure Security Center alerts. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.",
    "metadata": {
      "version": "4.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "automationName": {
        "type": "String",
        "metadata": {
          "displayName": "Automation name",
          "description": "This is the automation name."
        }
      },
      "resourceGroupName": {
        "type": "String",
        "metadata": {
          "displayName": "Resource group name",
          "description": "The resource group name where the workflow automation is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription."
        }
      },
      "resourceGroupLocation": {
        "type": "String",
        "metadata": {
          "displayName": "Resource group location",
          "description": "The location where the resource group and the workflow automation are created.",
          "strongType": "location"
        }
      },
      "createResourceGroup": {
        "type": "Boolean",
        "metadata": {
          "displayName": "Create resource group",
          "description": "If a resource group does not exists in the scope, a new resource group will be created. If the resource group exists and this flag is set to 'true' the policy will re-deploy the resource group. Please note this will reset any Azure Tag on the resource group."
        },
        "allowedValues": [
          true,
          false
        ],
        "defaultValue": true
      },
      "alertName": {
        "type": "String",
        "metadata": {
          "displayName": "Alert name contains",
          "description": "String included in the required alert name. For a full reference list of Security Center's alerts, see https://docs.microsoft.com/azure/security-center/alerts-reference."
        },
        "defaultValue": ""
      },
      "alertSeverities": {
        "type": "Array",
        "metadata": {
          "displayName": "Alert severities",
          "description": "Determines alert severities. Example: High;Medium;Low;"
        },
        "allowedValues": [
          "High",
          "Medium",
          "Low"
        ],
        "defaultValue": [
          "High",
          "Medium",
          "Low"
        ]
      },
      "logicAppResourceId": {
        "type": "String",
        "metadata": {
          "displayName": "Logic App",
          "description": "The Logic App that is triggered.",
          "strongType": "Microsoft.Logic/workflows",
          "assignPermissions": true
        }
      },
      "logicAppTrigger": {
        "type": "String",
        "metadata": {
          "displayName": "Logic app trigger",
          "description": "The trigger connector of the logic app that is triggered. Possible values: 'Manual (Incoming HTTP request)', 'When an Azure Security Center Alert is created or triggered'."
        },
        "allowedValues": [
          "Manual (Incoming HTTP request)",
          "When an Azure Security Center Alert is created or triggered"
        ]
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.Security/automations",
          "name": "[parameters('automationName')]",
          "existenceScope": "resourcegroup",
          "ResourceGroupName": "[parameters('resourceGroupName')]",
          "deploymentScope": "subscription",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Security/automations/isEnabled",
                "equals": true
              },
              {
                "field": "Microsoft.Security/automations/sources[*].ruleSets[*].rules[*].expectedValue",
                "in": "[union(parameters('alertSeverities'),if(equals(parameters('alertName'), ''), array('3.'), array(parameters('alertName'))))]"
              },
              {
                "field": "Microsoft.Security/automations/sources[*].ruleSets[*].rules[*].propertyJPath",
                "in": "[union(array('Severity'),if(equals(parameters('alertName'), ''), array('Version'), array('AlertDisplayName')))]"
              },
              {
                "count": {
                  "value": "[parameters('alertSeverities')]",
                  "name": "alertSeverity",
                  "where": {
                    "count": {
                      "field": "Microsoft.Security/automations/sources[*].ruleSets[*].rules[*]",
                      "where": {
                        "allOf": [
                          {
                            "field": "Microsoft.Security/automations/sources[*].ruleSets[*].rules[*].propertyJPath",
                            "equals": "Severity"
                          },
                          {
                            "field": "Microsoft.Security/automations/sources[*].ruleSets[*].rules[*].expectedValue",
                            "equals": "[current('alertSeverity')]"
                          }
                        ]
                      }
                    },
                    "equals": 1
                  }
                },
                "equals": "[length(parameters('alertSeverities'))]"
              }
            ]
          },
          "deployment": {
            "location": "westeurope",
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "automationName": {
                    "type": "string"
                  },
                  "resourceGroupName": {
                    "type": "string"
                  },
                  "resourceGroupLocation": {
                    "type": "string"
                  },
                  "createResourceGroup": {
                    "type": "bool"
                  },
                  "alertName": {
                    "type": "string"
                  },
                  "alertSeverities": {
                    "type": "array"
                  },
                  "logicAppResourceId": {
                    "type": "string"
                  },
                  "logicAppTrigger": {
                    "type": "string"
                  },
                  "guidValue": {
                    "type": "string",
                    "defaultValue": "[newGuid()]"
                  }
                },
                "variables": {
                  "scopeDescription": "scope for subscription {0}",
                  "alertSeveritiesLength": "[length(parameters('alertSeverities'))]",
                  "alertSeveritiesLengthIfEmpty": "[if(equals(variables('alertSeveritiesLength'), 0), 1, variables('alertSeveritiesLength'))]",
                  "severityMap": {
                    "High": "high",
                    "Medium": "medium",
                    "Low": "low"
                  },
                  "triggerMap": {
                    "Manual (Incoming HTTP request)": "manual",
                    "When an Azure Security Center Alert is created or triggered": "When_an_Azure_Security_Center_Alert_is_created_or_triggered"
                  }
                },
                "resources": [
                  {
                    "condition": "[parameters('createResourceGroup')]",
                    "name": "[parameters('resourceGroupName')]",
                    "type": "Microsoft.Resources/resourceGroups",
                    "apiVersion": "2019-10-01",
                    "location": "[parameters('resourceGroupLocation')]"
                  },
                  {
                    "type": "Microsoft.Resources/deployments",
                    "apiVersion": "2019-10-01",
                    "name": "[concat('nestedAutomationDeployment', '_', parameters('guidValue'))]",
                    "resourceGroup": "[parameters('resourceGroupName')]",
                    "dependsOn": [
                      "[resourceId('Microsoft.Resources/resourceGroups/', parameters('resourceGroupName'))]"
                    ],
                    "properties": {
                      "mode": "Incremental",
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {},
                        "variables": {},
                        "resources": [
                          {
                            "tags": {},
                            "apiVersion": "2019-01-01-preview",
                            "location": "[parameters('resourceGroupLocation')]",
                            "name": "[parameters('automationName')]",
                            "type": "Microsoft.Security/automations",
                            "dependsOn": [],
                            "properties": {
                              "description": "Workflow Automation for Azure Security Center alerts via policy",
                              "isEnabled": true,
                              "scopes": [
                                {
                                  "description": "[replace(variables('scopeDescription'),'{0}', subscription().subscriptionId)]",
                                  "scopePath": "[subscription().id]"
                                }
                              ],
                              "sources": [
                                {
                                  "eventSource": "Alerts",
                                  "copy": [
                                    {
                                      "name": "ruleSets",
                                      "count": "[variables('alertSeveritiesLengthIfEmpty')]",
                                      "input": {
                                        "rules": [
                                          {
                                            "propertyJPath": "[if(equals(parameters('alertName'), ''), 'Version', 'AlertDisplayName')]",
                                            "propertyType": "string",
                                            "expectedValue": "[if(equals(parameters('alertName'), ''), '3.', parameters('alertName'))]",
                                            "operator": "Contains"
                                          },
                                          {
                                            "propertyJPath": "Severity",
                                            "propertyType": "string",
                                            "expectedValue": "[variables('severityMap')[parameters('alertSeverities')[mod(copyIndex('ruleSets'), variables('alertSeveritiesLengthIfEmpty'))]]]",
                                            "operator": "Equals"
                                          }
                                        ]
                                      }
                                    }
                                  ]
                                }
                              ],
                              "actions": [
                                {
                                  "actionType": "LogicApp",
                                  "logicAppResourceId": "[parameters('logicAppResourceId')]",
                                  "uri": "[listCallbackUrl(concat(parameters('logicAppResourceId'), '/triggers/', variables('triggerMap')[parameters('logicAppTrigger')]),'2016-06-01').value]"
                                }
                              ]
                            }
                          }
                        ]
                      }
                    }
                  }
                ]
              },
              "parameters": {
                "automationName": {
                  "value": "[parameters('automationName')]"
                },
                "resourceGroupName": {
                  "value": "[parameters('resourceGroupName')]"
                },
                "resourceGroupLocation": {
                  "value": "[parameters('resourceGroupLocation')]"
                },
                "createResourceGroup": {
                  "value": "[parameters('createResourceGroup')]"
                },
                "alertName": {
                  "value": "[parameters('alertName')]"
                },
                "alertSeverities": {
                  "value": "[parameters('alertSeverities')]"
                },
                "logicAppResourceId": {
                  "value": "[parameters('logicAppResourceId')]"
                },
                "logicAppTrigger": {
                  "value": "[parameters('logicAppTrigger')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/f1525828-9a90-4fcf-be48-268cdd02361e",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "f1525828-9a90-4fcf-be48-268cdd02361e"
}
BuiltIn Security Center False False n/a n/a n/a false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Deploy Workflow Automation for Azure Security Center recommendations",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Enable automation of Azure Security Center recommendations. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.",
    "metadata": {
      "version": "4.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "automationName": {
        "type": "String",
        "metadata": {
          "displayName": "Automation name",
          "description": "This is the automation name."
        }
      },
      "resourceGroupName": {
        "type": "String",
        "metadata": {
          "displayName": "Resource group name",
          "description": "The resource group name where the workflow automation is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription."
        }
      },
      "resourceGroupLocation": {
        "type": "String",
        "metadata": {
          "displayName": "Resource group location",
          "description": "The location where the resource group and the workflow automation are created.",
          "strongType": "location"
        }
      },
      "createResourceGroup": {
        "type": "Boolean",
        "metadata": {
          "displayName": "Create resource group",
          "description": "If a resource group does not exists in the scope, a new resource group will be created. If the resource group exists and this flag is set to 'true' the policy will re-deploy the resource group. Please note this will reset any Azure Tag on the resource group."
        },
        "allowedValues": [
          true,
          false
        ],
        "defaultValue": true
      },
      "recommendationNames": {
        "type": "Array",
        "metadata": {
          "displayName": "Recommendation IDs",
          "description": "For all recommendations, leave empty. For specific recommendations, enter a list of recommendation IDs separated by semicolons (';'). Recommendation IDs are available through the Assessments API (https://docs.microsoft.com/en-us/rest/api/securitycenter/assessments), or Azure Resource Graph Explorer, choose securityresources and microsoft.security/assessments."
        },
        "defaultValue": []
      },
      "recommendationSeverities": {
        "type": "Array",
        "metadata": {
          "displayName": "Recommendation severities",
          "description": "Determines recommendation severities. Example: High;Medium;Low;"
        },
        "allowedValues": [
          "High",
          "Medium",
          "Low"
        ],
        "defaultValue": [
          "High",
          "Medium",
          "Low"
        ]
      },
      "recommendationStates": {
        "type": "Array",
        "metadata": {
          "displayName": "Recommendation states",
          "description": "Determines recommendation states. Recommendations with unhealthy state require your attention to resolve. When a recommendation state is healthy, it no longer applies to the resource as Security Center detects it as healthy. A recommendation is not-applicable if, for example, it was disabled in the Security Policy. Example: Healthy;Unhealthy;Not Applicable;"
        },
        "allowedValues": [
          "Healthy",
          "Unhealthy",
          "Not Applicable"
        ],
        "defaultValue": [
          "Healthy",
          "Unhealthy",
          "Not Applicable"
        ]
      },
      "logicAppResourceId": {
        "type": "String",
        "metadata": {
          "displayName": "Logic App",
          "description": "The Logic App that is triggered.",
          "strongType": "Microsoft.Logic/workflows",
          "assignPermissions": true
        }
      },
      "logicAppTrigger": {
        "type": "String",
        "metadata": {
          "displayName": "Logic app trigger",
          "description": "The trigger connector of the logic app that is triggered. Possible values: 'Manual (Incoming HTTP request)', 'When an Azure Security Center Recommendation is created or triggered'."
        },
        "allowedValues": [
          "Manual (Incoming HTTP request)",
          "When an Azure Security Center Recommendation is created or triggered"
        ]
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.Security/automations",
          "name": "[parameters('automationName')]",
          "existenceScope": "resourcegroup",
          "ResourceGroupName": "[parameters('resourceGroupName')]",
          "deploymentScope": "subscription",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Security/automations/isEnabled",
                "equals": true
              },
              {
                "field": "Microsoft.Security/automations/sources[*].ruleSets[*].rules[*].expectedValue",
                "in": "[union(if(equals(length(parameters('recommendationNames')),0),array('Microsoft.Security/assessments'),parameters('recommendationNames')),parameters('recommendationSeverities'),if(contains(parameters('recommendationStates'),'Not Applicable'),union(parameters('recommendationStates'), array('notapplicable')),parameters('recommendationStates')))]"
              },
              {
                "count": {
                  "value": "[parameters('recommendationSeverities')]",
                  "name": "recommendationSeverity",
                  "where": {
                    "count": {
                      "field": "Microsoft.Security/automations/sources[*].ruleSets[*].rules[*]",
                      "where": {
                        "allOf": [
                          {
                            "field": "Microsoft.Security/automations/sources[*].ruleSets[*].rules[*].propertyJPath",
                            "equals": "properties.metadata.severity"
                          },
                          {
                            "field": "Microsoft.Security/automations/sources[*].ruleSets[*].rules[*].expectedValue",
                            "equals": "[current('recommendationSeverity')]"
                          }
                        ]
                      }
                    },
                    "equals": "[mul(max(1,length(parameters('recommendationNames'))),length(parameters('recommendationStates')))]"
                  }
                },
                "equals": "[length(parameters('recommendationSeverities'))]"
              },
              {
                "count": {
                  "value": "[parameters('recommendationStates')]",
                  "name": "recommendationState",
                  "where": {
                    "count": {
                      "field": "Microsoft.Security/automations/sources[*].ruleSets[*].rules[*]",
                      "where": {
                        "allOf": [
                          {
                            "field": "Microsoft.Security/automations/sources[*].ruleSets[*].rules[*].propertyJPath",
                            "equals": "properties.status.code"
                          },
                          {
                            "field": "Microsoft.Security/automations/sources[*].ruleSets[*].rules[*].expectedValue",
                            "equals": "[replace(current('recommendationState'), ' ','')]"
                          }
                        ]
                      }
                    },
                    "equals": "[mul(max(1,length(parameters('recommendationNames'))),length(parameters('recommendationSeverities')))]"
                  }
                },
                "equals": "[length(parameters('recommendationStates'))]"
              },
              {
                "count": {
                  "value": "[parameters('recommendationNames')]",
                  "name": "recommendationName",
                  "where": {
                    "count": {
                      "field": "Microsoft.Security/automations/sources[*].ruleSets[*].rules[*]",
                      "where": {
                        "allOf": [
                          {
                            "field": "Microsoft.Security/automations/sources[*].ruleSets[*].rules[*].propertyJPath",
                            "equals": "name"
                          },
                          {
                            "field": "Microsoft.Security/automations/sources[*].ruleSets[*].rules[*].expectedValue",
                            "equals": "[current('recommendationName')]"
                          }
                        ]
                      }
                    },
                    "equals": "[mul(length(parameters('recommendationSeverities')),length(parameters('recommendationStates')))]"
                  }
                },
                "equals": "[length(parameters('recommendationNames'))]"
              }
            ]
          },
          "deployment": {
            "location": "westeurope",
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "automationName": {
                    "type": "string"
                  },
                  "resourceGroupName": {
                    "type": "string"
                  },
                  "resourceGroupLocation": {
                    "type": "string"
                  },
                  "createResourceGroup": {
                    "type": "bool"
                  },
                  "recommendationNames": {
                    "type": "array"
                  },
                  "recommendationSeverities": {
                    "type": "array"
                  },
                  "recommendationStates": {
                    "type": "array"
                  },
                  "logicAppResourceId": {
                    "type": "string"
                  },
                  "logicAppTrigger": {
                    "type": "string"
                  },
                  "guidValue": {
                    "type": "string",
                    "defaultValue": "[newGuid()]"
                  }
                },
                "variables": {
                  "scopeDescription": "scope for subscription {0}",
                  "recommendationNamesLength": "[length(parameters('recommendationNames'))]",
                  "recommendationSeveritiesLength": "[length(parameters('recommendationSeverities'))]",
                  "recommendationStatesLength": "[length(parameters('recommendationStates'))]",
                  "recommendationNamesLengthIfEmpty": "[if(equals(variables('recommendationNamesLength'), 0), 1, variables('recommendationNamesLength'))]",
                  "recommendationSeveritiesLengthIfEmpty": "[if(equals(variables('recommendationSeveritiesLength'), 0), 1, variables('recommendationSeveritiesLength'))]",
                  "recommendationStatesLengthIfEmpty": "[if(equals(variables('recommendationStatesLength'), 0), 1, variables('recommendationStatesLength'))]",
                  "totalRuleCombinationsForOneRecommendationName": "[mul(variables('recommendationSeveritiesLengthIfEmpty'),variables('recommendationStatesLengthIfEmpty'))]",
                  "totalRuleCombinationsForOneRecommendationSeverity": "[variables('recommendationStatesLengthIfEmpty')]",
                  "totalRuleCombinationsForOneRecommendationState": 1,
                  "stateMap": {
                    "Healthy": "healthy",
                    "Unhealthy": "unhealthy",
                    "Not Applicable": "notapplicable"
                  },
                  "triggerMap": {
                    "Manual (Incoming HTTP request)": "manual",
                    "When an Azure Security Center Recommendation is created or triggered": "When_an_Azure_Security_Center_Recommendation_is_created_or_triggered"
                  }
                },
                "resources": [
                  {
                    "condition": "[parameters('createResourceGroup')]",
                    "name": "[parameters('resourceGroupName')]",
                    "type": "Microsoft.Resources/resourceGroups",
                    "apiVersion": "2019-10-01",
                    "location": "[parameters('resourceGroupLocation')]"
                  },
                  {
                    "type": "Microsoft.Resources/deployments",
                    "apiVersion": "2019-10-01",
                    "name": "[concat('nestedAutomationDeployment', '_', parameters('guidValue'))]",
                    "resourceGroup": "[parameters('resourceGroupName')]",
                    "dependsOn": [
                      "[resourceId('Microsoft.Resources/resourceGroups/', parameters('resourceGroupName'))]"
                    ],
                    "properties": {
                      "mode": "Incremental",
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {},
                        "variables": {},
                        "resources": [
                          {
                            "tags": {},
                            "apiVersion": "2019-01-01-preview",
                            "location": "[parameters('resourceGroupLocation')]",
                            "name": "[parameters('automationName')]",
                            "type": "Microsoft.Security/automations",
                            "dependsOn": [],
                            "properties": {
                              "description": "Workflow Automation for Azure Security Center recommendations via policy",
                              "isEnabled": true,
                              "scopes": [
                                {
                                  "description": "[replace(variables('scopeDescription'),'{0}', subscription().subscriptionId)]",
                                  "scopePath": "[subscription().id]"
                                }
                              ],
                              "sources": [
                                {
                                  "eventSource": "Assessments",
                                  "copy": [
                                    {
                                      "name": "ruleSets",
                                      "count": "[mul(variables('recommendationNamesLengthIfEmpty'), mul(variables('recommendationSeveritiesLengthIfEmpty'),variables('recommendationStatesLengthIfEmpty')))]",
                                      "input": {
                                        "rules": [
                                          {
                                            "propertyJPath": "[if(equals(variables('recommendationNamesLength'), 0), 'type', 'name')]",
                                            "propertyType": "string",
                                            "expectedValue": "[if(equals(variables('recommendationNamesLength'), 0), 'Microsoft.Security/assessments', parameters('recommendationNames')[mod(div(copyIndex('ruleSets'), variables('totalRuleCombinationsForOneRecommendationName')), variables('recommendationNamesLength'))])]",
                                            "operator": "Contains"
                                          },
                                          {
                                            "propertyJPath": "properties.metadata.severity",
                                            "propertyType": "string",
                                            "expectedValue": "[parameters('recommendationSeverities')[mod(div(copyIndex('ruleSets'), variables('totalRuleCombinationsForOneRecommendationSeverity')), variables('recommendationSeveritiesLength'))]]",
                                            "operator": "Equals"
                                          },
                                          {
                                            "propertyJPath": "properties.status.code",
                                            "propertyType": "string",
                                            "expectedValue": "[variables('stateMap')[parameters('recommendationStates')[mod(div(copyIndex('ruleSets'), variables('totalRuleCombinationsForOneRecommendationState')), variables('recommendationStatesLength'))]]]",
                                            "operator": "Contains"
                                          }
                                        ]
                                      }
                                    }
                                  ]
                                }
                              ],
                              "actions": [
                                {
                                  "actionType": "LogicApp",
                                  "logicAppResourceId": "[parameters('logicAppResourceId')]",
                                  "uri": "[listCallbackUrl(concat(parameters('logicAppResourceId'), '/triggers/', variables('triggerMap')[parameters('logicAppTrigger')]),'2016-06-01').value]"
                                }
                              ]
                            }
                          }
                        ]
                      }
                    }
                  }
                ]
              },
              "parameters": {
                "automationName": {
                  "value": "[parameters('automationName')]"
                },
                "resourceGroupName": {
                  "value": "[parameters('resourceGroupName')]"
                },
                "resourceGroupLocation": {
                  "value": "[parameters('resourceGroupLocation')]"
                },
                "createResourceGroup": {
                  "value": "[parameters('createResourceGroup')]"
                },
                "recommendationNames": {
                  "value": "[parameters('recommendationNames')]"
                },
                "recommendationSeverities": {
                  "value": "[parameters('recommendationSeverities')]"
                },
                "recommendationStates": {
                  "value": "[parameters('recommendationStates')]"
                },
                "logicAppResourceId": {
                  "value": "[parameters('logicAppResourceId')]"
                },
                "logicAppTrigger": {
                  "value": "[parameters('logicAppTrigger')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/73d6ab6c-2475-4850-afd6-43795f3492ef",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "73d6ab6c-2475-4850-afd6-43795f3492ef"
}
BuiltIn Security Center False False n/a n/a n/a false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Deploy Workflow Automation for Azure Security Center regulatory compliance",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Enable automation of Azure Security Center regulatory compliance. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.",
    "metadata": {
      "version": "4.0.0",
      "category": "Security Center",
      "preview ": true
    },
    "parameters": {
      "automationName": {
        "type": "String",
        "metadata": {
          "displayName": "Automation name",
          "description": "This is the automation name."
        }
      },
      "resourceGroupName": {
        "type": "String",
        "metadata": {
          "displayName": "Resource group name",
          "description": "The resource group name where the workflow automation is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription."
        }
      },
      "resourceGroupLocation": {
        "type": "String",
        "metadata": {
          "displayName": "Resource group location",
          "description": "The location where the resource group and the workflow automation are created.",
          "strongType": "location"
        }
      },
      "createResourceGroup": {
        "type": "Boolean",
        "metadata": {
          "displayName": "Create resource group",
          "description": "If a resource group does not exists in the scope, a new resource group will be created. If the resource group exists and this flag is set to 'true' the policy will re-deploy the resource group. Please note this will reset any Azure Tag on the resource group."
        },
        "allowedValues": [
          true,
          false
        ],
        "defaultValue": true
      },
      "regulatoryComplianceStandards": {
        "type": "Array",
        "metadata": {
          "displayName": "Compliance standards names",
          "description": "For all compliance standards, leave it empty. For specific compliance standards, enter a list of standards names separated by semicolons (';'). Compliance standards names are available through the regulatory compliance standards API (https://docs.microsoft.com/rest/api/securitycenter/regulatorycompliancestandards), or Azure Resource Graph Explorer, choose securityresources and microsoft.security/regulatorycompliancestandards."
        },
        "defaultValue": []
      },
      "regulatoryComplianceControlStates": {
        "type": "Array",
        "metadata": {
          "displayName": "Compliance control states",
          "description": "Determines compliance control states."
        },
        "allowedValues": [
          "Failed",
          "Passed",
          "Skipped",
          "Unsupported"
        ],
        "defaultValue": [
          "Failed",
          "Passed",
          "Skipped",
          "Unsupported"
        ]
      },
      "logicAppResourceId": {
        "type": "String",
        "metadata": {
          "displayName": "Logic App",
          "description": "The Logic App that is triggered.",
          "strongType": "Microsoft.Logic/workflows",
          "assignPermissions": true
        }
      },
      "logicAppTrigger": {
        "type": "String",
        "metadata": {
          "displayName": "Logic app trigger",
          "description": "The trigger connector of the logic app that is triggered. Possible values: 'Manual (Incoming HTTP request)', 'When an Azure Security Center regulatory compliance assessment is created or triggered'."
        },
        "allowedValues": [
          "Manual (Incoming HTTP request)",
          "When an Azure Security Center regulatory compliance assessment is created or triggered"
        ]
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.Security/automations",
          "name": "[parameters('automationName')]",
          "existenceScope": "resourcegroup",
          "ResourceGroupName": "[parameters('resourceGroupName')]",
          "deploymentScope": "subscription",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Security/automations/isEnabled",
                "equals": true
              },
              {
                "anyOf": [
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Security/automations/sources[*].ruleSets",
                        "exists": false
                      },
                      {
                        "value": "[length(parameters('regulatoryComplianceStandards'))]",
                        "equals": 0
                      },
                      {
                        "value": "[length(parameters('regulatoryComplianceControlStates'))]",
                        "equals": 4
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "value": "[length(parameters('regulatoryComplianceStandards'))]",
                        "equals": 0
                      },
                      {
                        "value": "[length(parameters('regulatoryComplianceControlStates'))]",
                        "less": 4
                      },
                      {
                        "field": "Microsoft.Security/automations/sources[*].ruleSets[*].rules[*].expectedValue",
                        "in": "[parameters('regulatoryComplianceControlStates')]"
                      },
                      {
                        "count": {
                          "value": "[parameters('regulatoryComplianceControlStates')]",
                          "name": "regulatoryComplianceControlState",
                          "where": {
                            "count": {
                              "field": "Microsoft.Security/automations/sources[*].ruleSets[*].rules[*]",
                              "where": {
                                "allOf": [
                                  {
                                    "field": "Microsoft.Security/automations/sources[*].ruleSets[*].rules[*].propertyJPath",
                                    "equals": "properties.state"
                                  },
                                  {
                                    "field": "Microsoft.Security/automations/sources[*].ruleSets[*].rules[*].expectedValue",
                                    "equals": "[current('regulatoryComplianceControlState')]"
                                  }
                                ]
                              }
                            },
                            "equals": 1
                          }
                        },
                        "equals": "[length(parameters('regulatoryComplianceControlStates'))]"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "value": "[length(parameters('regulatoryComplianceStandards'))]",
                        "notEquals": 0
                      },
                      {
                        "value": "[length(parameters('regulatoryComplianceControlStates'))]",
                        "equals": 4
                      },
                      {
                        "field": "Microsoft.Security/automations/sources[*].ruleSets[*].rules[*].expectedValue",
                        "in": "[parameters('regulatoryComplianceStandards')]"
                      },
                      {
                        "count": {
                          "value": "[parameters('regulatoryComplianceStandards')]",
                          "name": "regulatoryComplianceStandard",
                          "where": {
                            "count": {
                              "field": "Microsoft.Security/automations/sources[*].ruleSets[*].rules[*]",
                              "where": {
                                "allOf": [
                                  {
                                    "field": "Microsoft.Security/automations/sources[*].ruleSets[*].rules[*].propertyJPath",
                                    "equals": "id"
                                  },
                                  {
                                    "field": "Microsoft.Security/automations/sources[*].ruleSets[*].rules[*].expectedValue",
                                    "equals": "[current('regulatoryComplianceStandard')]"
                                  }
                                ]
                              }
                            },
                            "equals": 1
                          }
                        },
                        "equals": "[length(parameters('regulatoryComplianceStandards'))]"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "value": "[length(parameters('regulatoryComplianceStandards'))]",
                        "notEquals": 0
                      },
                      {
                        "value": "[length(parameters('regulatoryComplianceControlStates'))]",
                        "notEquals": 4
                      },
                      {
                        "field": "Microsoft.Security/automations/sources[*].ruleSets[*].rules[*].expectedValue",
                        "in": "[union(parameters('regulatoryComplianceStandards'),parameters('regulatoryComplianceControlStates'))]"
                      },
                      {
                        "count": {
                          "field": "Microsoft.Security/automations/sources[*].ruleSets[*].rules[*]"
                        },
                        "equals": "[mul(2,mul(length(parameters('regulatoryComplianceStandards')),length(parameters('regulatoryComplianceControlStates'))))]"
                      }
                    ]
                  }
                ]
              }
            ]
          },
          "deployment": {
            "location": "westeurope",
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "automationName": {
                    "type": "string"
                  },
                  "resourceGroupName": {
                    "type": "string"
                  },
                  "resourceGroupLocation": {
                    "type": "string"
                  },
                  "createResourceGroup": {
                    "type": "bool"
                  },
                  "regulatoryComplianceStandards": {
                    "type": "array"
                  },
                  "regulatoryComplianceControlStates": {
                    "type": "array"
                  },
                  "logicAppResourceId": {
                    "type": "string"
                  },
                  "logicAppTrigger": {
                    "type": "string"
                  },
                  "guidValue": {
                    "type": "string",
                    "defaultValue": "[newGuid()]"
                  }
                },
                "variables": {
                  "scopeDescription": "scope for subscription {0}",
                  "regulatoryComplianceStandardsLength": "[length(parameters('regulatoryComplianceStandards'))]",
                  "regulatoryComplianceControlStatesLength": "[length(parameters('regulatoryComplianceControlStates'))]",
                  "regulatoryComplianceStandardsLengthIfEmpty": "[if(equals(variables('regulatoryComplianceStandardsLength'), 0), 1, variables('regulatoryComplianceStandardsLength'))]",
                  "regulatoryComplianceControlStatesLengthIfEmpty": "[if(equals(variables('regulatoryComplianceControlStatesLength'), 0), 1, variables('regulatoryComplianceControlStatesLength'))]",
                  "stateMap": {
                    "Failed": "failed",
                    "Passed": "passed",
                    "Skipped": "skipped",
                    "Unsupported": "unsupported"
                  },
                  "triggerMap": {
                    "Manual (Incoming HTTP request)": "manual",
                    "When an Azure Security Center regulatory compliance assessment is created or triggered": "When_a_Security_Center_Regulatory_Compliance_Assessment_is_created_or_triggered"
                  },
                  "doesAllStatesSelected": "[if(equals(length(parameters('regulatoryComplianceControlStates')),length(variables('stateMap'))),bool('true'),bool('false'))]",
                  "doesAllStandardsSelected": "[if(equals(variables('regulatoryComplianceStandardsLength'),0),bool('true'),bool('false'))]",
                  "allRegulatoryComplianceRuleSets": [],
                  "customStandardsOrCustomStateRuleSets": {
                    "copy": [
                      {
                        "name": "customStandardsOrCustomStateRuleSetsArr",
                        "count": "[if(not(variables('doesAllStandardsSelected')),variables('regulatoryComplianceStandardsLength'),if(not(variables('doesAllStatesSelected')),variables('regulatoryComplianceControlStatesLength'),1))]",
                        "input": {
                          "rules": [
                            {
                              "propertyJPath": "[if(not(variables('doesAllStandardsSelected')),'id',if(not(variables('doesAllStatesSelected')),'properties.state',json('null')))]",
                              "propertyType": "string",
                              "expectedValue": "[if(not(variables('doesAllStandardsSelected')),parameters('regulatoryComplianceStandards')[copyIndex('customStandardsOrCustomStateRuleSetsArr')],if(not(variables('doesAllStatesSelected')),parameters('regulatoryComplianceControlStates')[copyIndex('customStandardsOrCustomStateRuleSetsArr')],json('null')))]",
                              "operator": "[if(not(variables('doesAllStandardsSelected')),'Contains',if(not(variables('doesAllStatesSelected')),'Equals',json('null')))]"
                            }
                          ]
                        }
                      }
                    ]
                  },
                  "customStandardsAndCustomStateRuleSets": {
                    "copy": [
                      {
                        "name": "customStandardsAndCustomStateRuleSetsArr",
                        "count": "[if(and(not(variables('doesAllStandardsSelected')),not(variables('doesAllStatesSelected'))),mul(variables('regulatoryComplianceStandardsLength'),variables('regulatoryComplianceControlStatesLength')),1)]",
                        "input": {
                          "rules": [
                            {
                              "propertyJPath": "id",
                              "propertyType": "string",
                              "expectedValue": "[if(not(variables('doesAllStandardsSelected')),parameters('regulatoryComplianceStandards')[mod(div(copyIndex('customStandardsAndCustomStateRuleSetsArr'), variables('regulatoryComplianceControlStatesLength')), variables('regulatoryComplianceStandardsLength'))],json('null'))]",
                              "operator": "Contains"
                            },
                            {
                              "propertyJPath": "properties.state",
                              "propertyType": "string",
                              "expectedValue": "[if(not(variables('doesAllStatesSelected')),parameters('regulatoryComplianceControlStates')[mod(copyIndex('customStandardsAndCustomStateRuleSetsArr'), variables('regulatoryComplianceControlStatesLength'))],json('null'))]",
                              "operator": "Equals"
                            }
                          ]
                        }
                      }
                    ]
                  },
                  "sourceRuleSets": "[if(and(variables('doesAllStandardsSelected'),variables('doesAllStatesSelected')),variables('allRegulatoryComplianceRuleSets'),if(and(not(variables('doesAllStandardsSelected')),not(variables('doesAllStatesSelected'))),variables('customStandardsAndCustomStateRuleSets').customStandardsAndCustomStateRuleSetsArr,variables('customStandardsOrCustomStateRuleSets').customStandardsOrCustomStateRuleSetsArr))]"
                },
                "resources": [
                  {
                    "condition": "[parameters('createResourceGroup')]",
                    "name": "[parameters('resourceGroupName')]",
                    "type": "Microsoft.Resources/resourceGroups",
                    "apiVersion": "2019-10-01",
                    "location": "[parameters('resourceGroupLocation')]"
                  },
                  {
                    "type": "Microsoft.Resources/deployments",
                    "apiVersion": "2019-10-01",
                    "name": "[concat('nestedAutomationDeployment', '_', parameters('guidValue'))]",
                    "resourceGroup": "[parameters('resourceGroupName')]",
                    "dependsOn": [
                      "[resourceId('Microsoft.Resources/resourceGroups/', parameters('resourceGroupName'))]"
                    ],
                    "properties": {
                      "mode": "Incremental",
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {},
                        "variables": {},
                        "resources": [
                          {
                            "tags": {},
                            "apiVersion": "2019-01-01-preview",
                            "location": "[parameters('resourceGroupLocation')]",
                            "name": "[parameters('automationName')]",
                            "type": "Microsoft.Security/automations",
                            "dependsOn": [],
                            "properties": {
                              "description": "Workflow Automation for Azure Security Center recommendations via policy",
                              "isEnabled": true,
                              "scopes": [
                                {
                                  "description": "[replace(variables('scopeDescription'),'{0}', subscription().subscriptionId)]",
                                  "scopePath": "[subscription().id]"
                                }
                              ],
                              "sources": [
                                {
                                  "eventSource": "RegulatoryComplianceAssessment",
                                  "ruleSets": "[variables('sourceRuleSets')]"
                                }
                              ],
                              "actions": [
                                {
                                  "actionType": "LogicApp",
                                  "logicAppResourceId": "[parameters('logicAppResourceId')]",
                                  "uri": "[listCallbackUrl(concat(parameters('logicAppResourceId'), '/triggers/', variables('triggerMap')[parameters('logicAppTrigger')]),'2016-06-01').value]"
                                }
                              ]
                            }
                          }
                        ]
                      }
                    }
                  }
                ]
              },
              "parameters": {
                "automationName": {
                  "value": "[parameters('automationName')]"
                },
                "resourceGroupName": {
                  "value": "[parameters('resourceGroupName')]"
                },
                "resourceGroupLocation": {
                  "value": "[parameters('resourceGroupLocation')]"
                },
                "createResourceGroup": {
                  "value": "[parameters('createResourceGroup')]"
                },
                "regulatoryComplianceStandards": {
                  "value": "[parameters('regulatoryComplianceStandards')]"
                },
                "regulatoryComplianceControlStates": {
                  "value": "[parameters('regulatoryComplianceControlStates')]"
                },
                "logicAppResourceId": {
                  "value": "[parameters('logicAppResourceId')]"
                },
                "logicAppTrigger": {
                  "value": "[parameters('logicAppTrigger')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/509122b9-ddd9-47ba-a5f1-d0dac20be63c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "509122b9-ddd9-47ba-a5f1-d0dac20be63c"
}
BuiltIn Security Center False False n/a n/a n/a false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Deploys NSG flow logs and traffic analytics",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploys NSG flow logs and traffic analytics to a storageaccountid with a specfied retention period.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.4979325Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "retention": {
        "type": "Integer",
        "metadata": {
          "displayName": "Retention"
        },
        "defaultValue": 5
      },
      "storageAccountResourceId": {
        "type": "String",
        "metadata": {
          "displayName": "Storage Account Resource Id",
          "strongType": "Microsoft.Storage/storageAccounts"
        }
      },
      "trafficAnalyticsInterval": {
        "type": "Integer",
        "metadata": {
          "displayName": "Traffic Analytics processing interval mins (10/60)"
        },
        "defaultValue": 60
      },
      "flowAnalyticsEnabled": {
        "type": "Boolean",
        "metadata": {
          "displayName": "Enable Traffic Analytics"
        },
        "defaultValue": false
      },
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "strongType": "omsWorkspace",
          "displayName": "Resource ID of Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
        },
        "defaultValue": ""
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Network/networkSecurityGroups"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/networkWatchers/flowLogs",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "resourceGroupName": "NetworkWatcherRG",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Network/networkWatchers/flowLogs/enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Network/networkWatchers/flowLogs/flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled",
                "equals": "[parameters('flowAnalyticsEnabled')]"
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "networkSecurityGroupName": {
                  "value": "[field('name')]"
                },
                "resourceGroupName": {
                  "value": "[resourceGroup().name]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "storageAccountResourceId": {
                  "value": "[parameters('storageAccountResourceId')]"
                },
                "retention": {
                  "value": "[parameters('retention')]"
                },
                "flowAnalyticsEnabled": {
                  "value": "[parameters('flowAnalyticsEnabled')]"
                },
                "trafficAnalyticsInterval": {
                  "value": "[parameters('trafficAnalyticsInterval')]"
                },
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "networkSecurityGroupName": {
                    "type": "string"
                  },
                  "resourceGroupName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "storageAccountResourceId": {
                    "type": "string"
                  },
                  "retention": {
                    "type": "int"
                  },
                  "flowAnalyticsEnabled": {
                    "type": "bool"
                  },
                  "trafficAnalyticsInterval": {
                    "type": "int"
                  },
                  "logAnalytics": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Network/networkWatchers/flowLogs",
                    "apiVersion": "2020-05-01",
                    "name": "[take(concat('NetworkWatcher_', toLower(parameters('location')),  '/', parameters('networkSecurityGroupName'), '-', parameters('resourceGroupName'), '-flowlog' ), 80)]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "targetResourceId": "[resourceId(parameters('resourceGroupName'), 'Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroupName'))]",
                      "storageId": "[parameters('storageAccountResourceId')]",
                      "enabled": true,
                      "retentionPolicy": {
                        "enabled": true,
                        "days": "[parameters('retention')]"
                      },
                      "format": {
                        "type": "JSON",
                        "version": 2
                      },
                      "flowAnalyticsConfiguration": {
                        "networkWatcherFlowAnalyticsConfiguration": {
                          "enabled": "[bool(parameters('flowAnalyticsEnabled'))]",
                          "trafficAnalyticsInterval": "[parameters('trafficAnalyticsInterval')]",
                          "workspaceId": "[if(not(empty(parameters('logAnalytics'))), reference(parameters('logAnalytics'), '2020-03-01-preview', 'Full').properties.customerId, json('null')) ]",
                          "workspaceRegion": "[if(not(empty(parameters('logAnalytics'))), reference(parameters('logAnalytics'), '2020-03-01-preview', 'Full').location, json('null')) ]",
                          "workspaceResourceId": "[if(not(empty(parameters('logAnalytics'))), parameters('logAnalytics'), json('null'))]"
                        }
                      }
                    }
                  }
                ],
                "outputs": {}
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Nsg-FlowLogs"
}
Custom Monitoring False False Mg ESJH (ESJH) DeployIfNotExists false 0 n/a false 0 n/a 'Monitoring Contributor' (749f88d5-cbae-40b8-bcfc-e573ddc772fa), 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Deploys virtual network peering to hub",
    "policyType": "Custom",
    "mode": "All",
    "description": "This policy deploys virtual network and peer to the hub",
    "metadata": {
      "version": "1.0.0",
      "category": "Network",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.4791767Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "vNetName": {
        "type": "String",
        "metadata": {
          "displayName": "vNetName",
          "description": "Name of the landing zone vNet"
        }
      },
      "vNetRgName": {
        "type": "String",
        "metadata": {
          "displayName": "vNetRgName",
          "description": "Name of the landing zone vNet RG"
        }
      },
      "vNetLocation": {
        "type": "String",
        "metadata": {
          "displayName": "vNetLocation",
          "description": "Location for the vNet"
        }
      },
      "vNetCidrRange": {
        "type": "String",
        "metadata": {
          "displayName": "vNetCidrRange",
          "description": "CIDR Range for the vNet"
        }
      },
      "hubResourceId": {
        "type": "String",
        "metadata": {
          "displayName": "hubResourceId",
          "description": "Resource ID for the HUB vNet"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.Network/virtualNetworks",
          "name": "[parameters('vNetName')]",
          "deploymentScope": "Subscription",
          "existenceScope": "ResourceGroup",
          "ResourceGroupName": "[parameters('vNetRgName')]",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "existenceCondition": {
            "allOf": [
              {
                "field": "name",
                "like": "[parameters('vNetName')]"
              },
              {
                "field": "location",
                "equals": "[parameters('vNetLocation')]"
              }
            ]
          },
          "deployment": {
            "location": "northeurope",
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vNetRgName": {
                  "value": "[parameters('vNetRgName')]"
                },
                "vNetName": {
                  "value": "[parameters('vNetName')]"
                },
                "vNetLocation": {
                  "value": "[parameters('vNetLocation')]"
                },
                "vNetCidrRange": {
                  "value": "[parameters('vNetCidrRange')]"
                },
                "hubResourceId": {
                  "value": "[parameters('hubResourceId')]"
                }
              },
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vNetRgName": {
                    "type": "string"
                  },
                  "vNetName": {
                    "type": "string"
                  },
                  "vNetLocation": {
                    "type": "string"
                  },
                  "vNetCidrRange": {
                    "type": "string"
                  },
                  "vNetPeerUseRemoteGateway": {
                    "type": "bool",
                    "defaultValue": false
                  },
                  "hubResourceId": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Resources/deployments",
                    "apiVersion": "2020-06-01",
                    "name": "[concat('es-lz-vnet-',substring(uniqueString(subscription().id),0,6),'-rg')]",
                    "location": "[parameters('vNetLocation')]",
                    "dependsOn": [],
                    "properties": {
                      "mode": "Incremental",
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {},
                        "variables": {},
                        "resources": [
                          {
                            "type": "Microsoft.Resources/resourceGroups",
                            "apiVersion": "2020-06-01",
                            "name": "[parameters('vNetRgName')]",
                            "location": "[parameters('vNetLocation')]",
                            "properties": {}
                          },
                          {
                            "type": "Microsoft.Resources/resourceGroups",
                            "apiVersion": "2020-06-01",
                            "name": "NetworkWatcherRG",
                            "location": "[parameters('vNetLocation')]",
                            "properties": {}
                          }
                        ],
                        "outputs": {}
                      }
                    }
                  },
                  {
                    "type": "Microsoft.Resources/deployments",
                    "apiVersion": "2020-06-01",
                    "name": "[concat('es-lz-vnet-',substring(uniqueString(subscription().id),0,6))]",
                    "dependsOn": [
                      "[concat('es-lz-vnet-',substring(uniqueString(subscription().id),0,6),'-rg')]"
                    ],
                    "properties": {
                      "mode": "Incremental",
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {},
                        "variables": {},
                        "resources": [
                          {
                            "type": "Microsoft.Network/virtualNetworks",
                            "apiVersion": "2020-06-01",
                            "name": "[parameters('vNetName')]",
                            "location": "[parameters('vNetLocation')]",
                            "dependsOn": [],
                            "properties": {
                              "addressSpace": {
                                "addressPrefixes": [
                                  "[parameters('vNetCidrRange')]"
                                ]
                              }
                            }
                          },
                          {
                            "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
                            "apiVersion": "2020-05-01",
                            "name": "[concat(parameters('vNetName'), '/peerToHub')]",
                            "dependsOn": [
                              "[parameters('vNetName')]"
                            ],
                            "properties": {
                              "remoteVirtualNetwork": {
                                "id": "[parameters('hubResourceId')]"
                              },
                              "allowVirtualNetworkAccess": true,
                              "allowForwardedTraffic": true,
                              "allowGatewayTransit": false,
                              "useRemoteGateways": "[parameters('vNetPeerUseRemoteGateway')]"
                            }
                          },
                          {
                            "type": "Microsoft.Resources/deployments",
                            "apiVersion": "2020-06-01",
                            "name": "[concat('es-lz-hub-',substring(uniqueString(subscription().id),0,6),'-peering')]",
                            "subscriptionId": "[split(parameters('hubResourceId'),'/')[2]]",
                            "resourceGroup": "[split(parameters('hubResourceId'),'/')[4]]",
                            "dependsOn": [
                              "[parameters('vNetName')]"
                            ],
                            "properties": {
                              "mode": "Incremental",
                              "expressionEvaluationOptions": {
                                "scope": "inner"
                              },
                              "template": {
                                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                                "contentVersion": "1.0.0.0",
                                "parameters": {
                                  "remoteVirtualNetwork": {
                                    "Type": "string",
                                    "defaultValue": false
                                  },
                                  "hubName": {
                                    "Type": "string",
                                    "defaultValue": false
                                  }
                                },
                                "variables": {},
                                "resources": [
                                  {
                                    "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
                                    "name": "[[concat(parameters('hubName'),'/',last(split(parameters('remoteVirtualNetwork'),'/')))]",
                                    "apiVersion": "2020-05-01",
                                    "properties": {
                                      "allowVirtualNetworkAccess": true,
                                      "allowForwardedTraffic": true,
                                      "allowGatewayTransit": true,
                                      "useRemoteGateways": false,
                                      "remoteVirtualNetwork": {
                                        "id": "[[parameters('remoteVirtualNetwork')]"
                                      }
                                    }
                                  }
                                ],
                                "outputs": {}
                              },
                              "parameters": {
                                "remoteVirtualNetwork": {
                                  "value": "[concat(subscription().id,'/resourceGroups/',parameters('vNetRgName'), '/providers/','Microsoft.Network/virtualNetworks/', parameters('vNetName'))]"
                                },
                                "hubName": {
                                  "value": "[split(parameters('hubResourceId'),'/')[8]]"
                                }
                              }
                            }
                          }
                        ],
                        "outputs": {}
                      }
                    },
                    "resourceGroup": "[parameters('vNetRgName')]"
                  }
                ],
                "outputs": {}
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-VNET-HubSpoke",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-VNET-HubSpoke"
}
Custom Network False False Mg ESJH (ESJH) n/a false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Deprecated accounts should be removed from your subscription",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Deprecated accounts should be removed from your subscriptions.  Deprecated accounts are accounts that have been blocked from signing in.",
    "metadata": {
      "version": "3.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "00c6d40b-e990-6acf-d4f3-471e747a27c4",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "6b1cbf55-e8b6-442f-ba4c-7246b6381474"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 18 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), PCI v3.2.1:2018 (/providers/microsoft.authorization/policysetdefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Deprecated accounts with owner permissions should be removed from your subscription",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Deprecated accounts with owner permissions should be removed from your subscription.  Deprecated accounts are accounts that have been blocked from signing in.",
    "metadata": {
      "version": "3.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "e52064aa-6853-e252-a11e-dffc675689c2",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ebb62a0c-3560-49e1-89ed-27e074e9f8ad"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 19 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), PCI v3.2.1:2018 (/providers/microsoft.authorization/policysetdefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Diagnostic logs in App Services should be enabled",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised",
    "metadata": {
      "version": "2.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "notContains": "functionapp"
          },
          {
            "field": "kind",
            "notContains": "linux"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Web/sites/config/detailedErrorLoggingEnabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Web/sites/config/httpLoggingEnabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Web/sites/config/requestTracingEnabled",
                "equals": "true"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0"
}
BuiltIn App Service False False n/a n/a AuditIfNotExists false 0 n/a true 11 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Disconnections should be logged for PostgreSQL database servers.",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy helps audit any PostgreSQL databases in your environment without log_disconnections enabled.",
    "metadata": {
      "version": "1.0.0",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.DBforPostgreSQL/servers"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.DBforPostgreSQL/servers/configurations",
          "name": "log_disconnections",
          "existenceCondition": {
            "field": "Microsoft.DBforPostgreSQL/servers/configurations/value",
            "equals": "ON"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e446",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "eb6f77b9-bd53-4e35-a23d-7f65d5f0e446"
}
BuiltIn SQL False False n/a n/a AuditIfNotExists false 0 n/a true 2 CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c) n/a
{
  "properties": {
    "displayName": "Disk access resources should use private link",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. ",
    "metadata": {
      "version": "1.0.0",
      "category": "Compute"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Compute/diskAccesses"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Compute/diskAccesses/privateEndpointConnections",
          "existenceCondition": {
            "field": "Microsoft.Compute/diskAccesses/privateEndpointConnections/privateLinkServiceConnectionState.status",
            "equals": "Approved"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/f39f5f49-4abf-44de-8c70-0756997bfb51",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "f39f5f49-4abf-44de-8c70-0756997bfb51"
}
BuiltIn Compute False False n/a n/a AuditIfNotExists false 0 n/a true 4 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Disk encryption should be enabled on Azure Data Explorer",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Enabling disk encryption helps protect and safeguard your data to meet your organizational security and compliance commitments.",
    "metadata": {
      "version": "2.0.0",
      "category": "Azure Data Explorer"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Kusto/Clusters"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Kusto/clusters/enableDiskEncryption",
                "exists": false
              },
              {
                "field": "Microsoft.Kusto/clusters/enableDiskEncryption",
                "equals": false
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/f4b53539-8df9-40e4-86c6-6b607703bd4e",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "f4b53539-8df9-40e4-86c6-6b607703bd4e"
}
BuiltIn Azure Data Explorer False False n/a n/a Audit false 0 n/a true 5 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Double encryption should be enabled on Azure Data Explorer",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys.",
    "metadata": {
      "version": "2.0.0",
      "category": "Azure Data Explorer"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Kusto/Clusters"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Kusto/clusters/enableDoubleEncryption",
                "exists": false
              },
              {
                "field": "Microsoft.Kusto/clusters/enableDoubleEncryption",
                "equals": false
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/ec068d99-e9c7-401f-8cef-5bdde4e6ccf1",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ec068d99-e9c7-401f-8cef-5bdde4e6ccf1"
}
BuiltIn Azure Data Explorer False False n/a n/a Audit false 0 n/a true 5 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Email notification for high severity alerts should be enabled",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center.",
    "metadata": {
      "version": "1.0.1",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/securityContacts",
          "existenceCondition": {
            "field": "Microsoft.Security/securityContacts/alertNotifications",
            "notEquals": "Off"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "6e2593d9-add6-4083-9c9b-4b7d2188c899"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 9 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Email notification to subscription owner for high severity alerts should be enabled",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center.",
    "metadata": {
      "version": "2.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/securityContacts",
          "existenceScope": "subscription",
          "existenceCondition": {
            "not": {
              "allOf": [
                {
                  "field": "Microsoft.Security/securityContacts/alertsToAdmins",
                  "equals": "Off"
                },
                {
                  "field": "Microsoft.Security/securityContacts/alertNotifications.minimalSeverity",
                  "equals": "High"
                }
              ]
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0b15565f-aa9e-48ba-8619-45960f2c314d"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 10 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Enable Azure Security Center on your subscription",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Identifies existing subscriptions that are not monitored by Azure Security Center (ASC).\r\nSubscriptions not monitored by ASC will be registered to the free pricing tier.\r\nSubscriptions already monitored by ASC (free or standard), will be considered compliant.\r\nTo register newly created subscriptions, open the compliance tab, select the relevant non-compliant assignment and create a remediation task.\r\nRepeat this step when you have one or more new subscriptions you want to monitor with Security Center.",
    "metadata": {
      "version": "1.0.0",
      "category": "Security Center"
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.Security/pricings",
          "name": "VirtualMachines",
          "deploymentScope": "subscription",
          "existenceScope": "subscription",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"
          ],
          "existenceCondition": {
            "anyof": [
              {
                "field": "microsoft.security/pricings/pricingTier",
                "equals": "standard"
              },
              {
                "field": "microsoft.security/pricings/pricingTier",
                "equals": "free"
              }
            ]
          },
          "deployment": {
            "location": "westeurope",
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Security/pricings",
                    "apiVersion": "2018-06-01",
                    "name": "VirtualMachines",
                    "properties": {
                      "pricingTier": "free"
                    }
                  }
                ],
                "outputs": {}
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/ac076320-ddcf-4066-b451-6154267e8ad2",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ac076320-ddcf-4066-b451-6154267e8ad2"
}
BuiltIn Security Center False False n/a n/a n/a false 0 n/a false 0 n/a 'Security Admin' (fb1c8493-542b-48eb-b624-b4c8fea62acd)
{
  "properties": {
    "displayName": "Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with custom workspace.",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Allow Security Center to auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using a custom workspace.",
    "metadata": {
      "version": "1.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using a custom workspace.",
          "strongType": "omsWorkspace"
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/autoProvisioningSettings",
          "deploymentScope": "Subscription",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "existenceCondition": {
            "field": "Microsoft.Security/autoProvisioningSettings/autoProvision",
            "equals": "On"
          },
          "deployment": {
            "location": "westus",
            "properties": {
              "mode": "incremental",
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                }
              },
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "logAnalytics": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Security/autoProvisioningSettings",
                    "name": "default",
                    "apiVersion": "2017-08-01-preview",
                    "properties": {
                      "autoProvision": "On"
                    }
                  },
                  {
                    "type": "Microsoft.Security/workspaceSettings",
                    "apiVersion": "2017-08-01-preview",
                    "name": "default",
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "scope": "[subscription().id]"
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/8e7da0a5-0a0e-4bbc-bfc0-7773c018b616",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "8e7da0a5-0a0e-4bbc-bfc0-7773c018b616"
}
BuiltIn Security Center False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with default workspace.",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Allow Security Center to auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using ASC default workspace.",
    "metadata": {
      "version": "1.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/autoProvisioningSettings",
          "deploymentScope": "Subscription",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "existenceCondition": {
            "field": "Microsoft.Security/autoProvisioningSettings/autoProvision",
            "equals": "On"
          },
          "deployment": {
            "location": "westus",
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {},
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Security/autoProvisioningSettings",
                    "name": "default",
                    "apiVersion": "2017-08-01-preview",
                    "properties": {
                      "autoProvision": "On"
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/6df2fee6-a9ed-4fef-bced-e13be1b25f1c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "6df2fee6-a9ed-4fef-bced-e13be1b25f1c"
}
BuiltIn Security Center False False n/a n/a DeployIfNotExists false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Endpoint protection solution should be installed on virtual machine scale sets",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.",
    "metadata": {
      "version": "3.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachineScaleSets"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "e71020c2-860c-3235-cd39-04f3f8c936d2",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "26a828e1-e88f-464e-bbb3-c134a282b9de"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 17 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Enforce SSL connection should be enabled for MySQL database servers",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
    "metadata": {
      "version": "1.0.1",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DBforMySQL/servers"
          },
          {
            "field": "Microsoft.DBforMySQL/servers/sslEnforcement",
            "exists": "true"
          },
          {
            "field": "Microsoft.DBforMySQL/servers/sslEnforcement",
            "notEquals": "Enabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e802a67a-daf5-4436-9ea6-f6d821dd0c5d"
}
BuiltIn SQL False False n/a n/a Audit false 0 n/a true 11 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Enforce SSL connection should be enabled for PostgreSQL database servers",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
    "metadata": {
      "version": "1.0.1",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DBforPostgreSQL/servers"
          },
          {
            "field": "Microsoft.DBforPostgreSQL/servers/sslEnforcement",
            "exists": "true"
          },
          {
            "field": "Microsoft.DBforPostgreSQL/servers/sslEnforcement",
            "notEquals": "Enabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "d158790f-bfb0-486c-8631-2dc6b4e8e6af"
}
BuiltIn SQL False False n/a n/a Audit false 0 n/a true 11 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.",
    "metadata": {
      "version": "1.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "*api"
          },
          {
            "field": "Microsoft.Web/sites/clientCertEnabled",
            "equals": "false"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0c192fe8-9cbb-4516-85b3-0ade8bd03886",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0c192fe8-9cbb-4516-85b3-0ade8bd03886"
}
BuiltIn App Service False False n/a n/a Audit false 0 n/a true 8 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Ensure that 'HTTP Version' is the latest, if used to run the API app",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps.",
    "metadata": {
      "version": "2.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "*api"
          },
          {
            "field": "kind",
            "contains": "linux"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "name": "web",
          "existenceCondition": {
            "field": "Microsoft.Web/sites/config/web.http20Enabled",
            "equals": "true"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/991310cd-e9f3-47bc-b7b6-f57b557d07db",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "991310cd-e9f3-47bc-b7b6-f57b557d07db"
}
BuiltIn App Service False False n/a n/a AuditIfNotExists false 0 n/a true 9 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Ensure that 'HTTP Version' is the latest, if used to run the Function app",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps.",
    "metadata": {
      "version": "2.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "functionapp*"
          },
          {
            "field": "kind",
            "contains": "linux"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "name": "web",
          "existenceCondition": {
            "field": "Microsoft.Web/sites/config/web.http20Enabled",
            "equals": "true"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e2c1c086-2d84-4019-bff3-c44ccd95113c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e2c1c086-2d84-4019-bff3-c44ccd95113c"
}
BuiltIn App Service False False n/a n/a AuditIfNotExists false 0 n/a true 9 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Ensure that 'HTTP Version' is the latest, if used to run the Web app",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps.",
    "metadata": {
      "version": "2.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "app*"
          },
          {
            "field": "kind",
            "contains": "linux"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "name": "web",
          "existenceCondition": {
            "field": "Microsoft.Web/sites/config/web.http20Enabled",
            "Equals": "true"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/8c122334-9d20-4eb8-89ea-ac9a705b74ae",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "8c122334-9d20-4eb8-89ea-ac9a705b74ae"
}
BuiltIn App Service False False n/a n/a AuditIfNotExists false 0 n/a true 9 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Ensure that 'Java version' is the latest, if used as a part of the API app",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.",
    "metadata": {
      "version": "2.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "JavaLatestVersion": {
        "type": "String",
        "metadata": {
          "displayName": "Latest Java version",
          "description": "Latest supported Java version for App Services"
        },
        "defaultValue": "11"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "*api"
          },
          {
            "field": "kind",
            "contains": "linux"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "name": "web",
          "existenceCondition": {
            "anyOf": [
              {
                "field": "Microsoft.Web/sites/config/web.linuxFxVersion",
                "notContains": "JAVA"
              },
              {
                "field": "Microsoft.Web/sites/config/web.linuxFxVersion",
                "like": "[concat('*', parameters('JavaLatestVersion'))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/88999f4c-376a-45c8-bcb3-4058f713cf39",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "88999f4c-376a-45c8-bcb3-4058f713cf39"
}
BuiltIn App Service False False n/a n/a AuditIfNotExists false 0 n/a true 13 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Ensure that 'Java version' is the latest, if used as a part of the Function app",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.",
    "metadata": {
      "version": "2.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "JavaLatestVersion": {
        "type": "String",
        "metadata": {
          "displayName": "Latest Java version",
          "description": "Latest supported Java version for App Services"
        },
        "defaultValue": "11"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "functionapp*"
          },
          {
            "field": "kind",
            "contains": "linux"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "name": "web",
          "existenceCondition": {
            "anyOf": [
              {
                "field": "Microsoft.Web/sites/config/web.linuxFxVersion",
                "notContains": "JAVA"
              },
              {
                "field": "Microsoft.Web/sites/config/web.linuxFxVersion",
                "like": "[concat('*', parameters('JavaLatestVersion'))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc"
}
BuiltIn App Service False False n/a n/a AuditIfNotExists false 0 n/a true 13 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Ensure that 'Java version' is the latest, if used as a part of the Web app",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.",
    "metadata": {
      "version": "2.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "JavaLatestVersion": {
        "type": "String",
        "metadata": {
          "displayName": "Latest Java version",
          "description": "Latest supported Java version for App Services"
        },
        "defaultValue": "11"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "app*"
          },
          {
            "field": "kind",
            "contains": "linux"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "name": "web",
          "existenceCondition": {
            "anyOf": [
              {
                "field": "Microsoft.Web/sites/config/web.linuxFxVersion",
                "notContains": "JAVA"
              },
              {
                "field": "Microsoft.Web/sites/config/web.linuxFxVersion",
                "like": "[concat('*', parameters('JavaLatestVersion'))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "496223c3-ad65-4ecd-878a-bae78737e9ed"
}
BuiltIn App Service False False n/a n/a AuditIfNotExists false 0 n/a true 13 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Ensure that 'PHP version' is the latest, if used as a part of the API app",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.",
    "metadata": {
      "version": "2.1.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "PHPLatestVersion": {
        "type": "String",
        "metadata": {
          "displayName": "Latest PHP version",
          "description": "Latest supported PHP version for App Services"
        },
        "defaultValue": "7.4"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "*api"
          },
          {
            "field": "kind",
            "contains": "linux"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "name": "web",
          "existenceCondition": {
            "anyOf": [
              {
                "field": "Microsoft.Web/sites/config/web.linuxFxVersion",
                "notContains": "PHP"
              },
              {
                "field": "Microsoft.Web/sites/config/web.linuxFxVersion",
                "equals": "[concat('PHP|', parameters('PHPLatestVersion'))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba"
}
BuiltIn App Service False False n/a n/a AuditIfNotExists false 0 n/a true 13 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Ensure that 'PHP version' is the latest, if used as a part of the WEB app",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.",
    "metadata": {
      "version": "2.1.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "PHPLatestVersion": {
        "type": "String",
        "metadata": {
          "displayName": "Latest PHP version",
          "description": "Latest supported PHP version for App Services"
        },
        "defaultValue": "7.4"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "app*"
          },
          {
            "field": "kind",
            "contains": "linux"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "name": "web",
          "existenceCondition": {
            "anyOf": [
              {
                "field": "Microsoft.Web/sites/config/web.linuxFxVersion",
                "notContains": "PHP"
              },
              {
                "field": "Microsoft.Web/sites/config/web.linuxFxVersion",
                "equals": "[concat('PHP|', parameters('PHPLatestVersion'))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "7261b898-8a84-4db8-9e04-18527132abb3"
}
BuiltIn App Service False False n/a n/a AuditIfNotExists false 0 n/a true 13 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Ensure that 'Python version' is the latest, if used as a part of the API app",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.",
    "metadata": {
      "version": "3.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "WindowsPythonLatestVersion": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Latest Windows Python version",
          "description": "Latest supported Python version for App Services",
          "deprecated": true
        },
        "defaultValue": "3.6"
      },
      "LinuxPythonLatestVersion": {
        "type": "String",
        "metadata": {
          "displayName": "Linux Latest Python version",
          "description": "Latest supported Python version for App Services"
        },
        "defaultValue": "3.9"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "*api"
          },
          {
            "field": "kind",
            "contains": "linux"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "name": "web",
          "existenceCondition": {
            "anyOf": [
              {
                "field": "Microsoft.Web/sites/config/web.linuxFxVersion",
                "notContains": "PYTHON"
              },
              {
                "field": "Microsoft.Web/sites/config/web.linuxFxVersion",
                "equals": "[concat('PYTHON|', parameters('LinuxPythonLatestVersion'))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20a-6f8adba71a16",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "74c3584d-afae-46f7-a20a-6f8adba71a16"
}
BuiltIn App Service False False n/a n/a AuditIfNotExists false 0 n/a true 13 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Ensure that 'Python version' is the latest, if used as a part of the Function app",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.",
    "metadata": {
      "version": "3.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "WindowsPythonLatestVersion": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Latest Windows Python version",
          "description": "Latest supported Python version for App Services",
          "deprecated": true
        },
        "defaultValue": "3.6"
      },
      "LinuxPythonLatestVersion": {
        "type": "String",
        "metadata": {
          "displayName": "Linux Latest Python version",
          "description": "Latest supported Python version for App Services"
        },
        "defaultValue": "3.9"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "functionapp*"
          },
          {
            "field": "kind",
            "contains": "linux"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "name": "web",
          "existenceCondition": {
            "anyOf": [
              {
                "field": "Microsoft.Web/sites/config/web.linuxFxVersion",
                "notContains": "PYTHON"
              },
              {
                "field": "Microsoft.Web/sites/config/web.linuxFxVersion",
                "equals": "[concat('PYTHON|', parameters('LinuxPythonLatestVersion'))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "7238174a-fd10-4ef0-817e-fc820a951d73"
}
BuiltIn App Service False False n/a n/a AuditIfNotExists false 0 n/a true 13 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Ensure that 'Python version' is the latest, if used as a part of the Web app",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.",
    "metadata": {
      "version": "3.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "WindowsPythonLatestVersion": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Latest Windows Python version",
          "description": "Latest supported Python version for App Services",
          "deprecated": true
        },
        "defaultValue": "3.6"
      },
      "LinuxPythonLatestVersion": {
        "type": "String",
        "metadata": {
          "displayName": "Linux Latest Python version",
          "description": "Latest supported Python version for App Services"
        },
        "defaultValue": "3.9"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "app*"
          },
          {
            "field": "kind",
            "contains": "linux"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "name": "web",
          "existenceCondition": {
            "anyOf": [
              {
                "field": "Microsoft.Web/sites/config/web.linuxFxVersion",
                "notContains": "PYTHON"
              },
              {
                "field": "Microsoft.Web/sites/config/web.linuxFxVersion",
                "equals": "[concat('PYTHON|', parameters('LinuxPythonLatestVersion'))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "7008174a-fd10-4ef0-817e-fc820a951d73"
}
BuiltIn App Service False False n/a n/a AuditIfNotExists false 0 n/a true 13 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.",
    "metadata": {
      "version": "1.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "app*"
          },
          {
            "field": "Microsoft.Web/sites/clientCertEnabled",
            "equals": "false"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "5bb220d9-2698-4ee4-8404-b9c30c9df609"
}
BuiltIn App Service False False n/a n/a Audit false 0 n/a true 10 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Event Hub namespaces should have double encryption enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys.",
    "metadata": {
      "version": "1.0.0",
      "category": "Event Hub"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the audit policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.EventHub/namespaces"
          },
          {
            "field": "Microsoft.EventHub/namespaces/clusterArmId",
            "exists": "true"
          },
          {
            "field": "Microsoft.EventHub/namespaces/encryption.requireInfrastructureEncryption",
            "notEquals": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/836cd60e-87f3-4e6a-a27c-29d687f01a4c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "836cd60e-87f3-4e6a-a27c-29d687f01a4c"
}
BuiltIn Event Hub False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Event Hub namespaces should use a customer-managed key for encryption",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Event Hubs supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Event Hub will use to encrypt data in your namespace. Note that Event Hub only supports encryption with customer-managed keys for namespaces in dedicated clusters.",
    "metadata": {
      "version": "1.0.0",
      "category": "Event Hub"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.EventHub/namespaces"
          },
          {
            "field": "Microsoft.EventHub/namespaces/clusterArmId",
            "exists": "true"
          },
          {
            "not": {
              "field": "Microsoft.EventHub/namespaces/encryption.keySource",
              "equals": "Microsoft.Keyvault"
            }
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/a1ad735a-e96f-45d2-a7b2-9a4932cab7ec",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "a1ad735a-e96f-45d2-a7b2-9a4932cab7ec"
}
BuiltIn Event Hub False False n/a n/a Audit false 0 n/a true 4 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Event Hub namespaces should use private link",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service.",
    "metadata": {
      "version": "1.0.0",
      "category": "Event Hub"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.EventHub/namespaces"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.EventHub/namespaces/privateEndpointConnections",
          "existenceCondition": {
            "field": "Microsoft.EventHub/namespaces/privateEndpointConnections/privateLinkServiceConnectionState.status",
            "equals": "Approved"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/b8564268-eb4a-4337-89be-a19db070c59d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b8564268-eb4a-4337-89be-a19db070c59d"
}
BuiltIn Event Hub False False n/a n/a AuditIfNotExists false 0 n/a true 4 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Event Hub should use a virtual network service endpoint",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy audits any Event Hub not configured to use a virtual network service endpoint.",
    "metadata": {
      "version": "1.0.0",
      "category": "Network"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.EventHub/namespaces"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.EventHub/namespaces/virtualNetworkRules",
          "existenceCondition": {
            "field": "Microsoft.EventHub/namespaces/virtualNetworkRules/virtualNetworkSubnetId",
            "exists": "true"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/d63edb4a-c612-454d-b47d-191a724fcbf0",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "d63edb4a-c612-454d-b47d-191a724fcbf0"
}
BuiltIn Network False False n/a n/a AuditIfNotExists false 0 n/a true 2 [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab) n/a
{
  "properties": {
    "displayName": "External accounts with owner permissions should be removed from your subscription",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access.",
    "metadata": {
      "version": "3.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "c3b6ae71-f1f0-31b4-e6c1-d5951285d03d",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "f8456c1c-aa66-4dfb-861a-25d127b775c9"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 22 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), PCI v3.2.1:2018 (/providers/microsoft.authorization/policysetdefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), [Preview]: Motion Picture Association of America (MPAA) (/providers/microsoft.authorization/policysetdefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "External accounts with read permissions should be removed from your subscription",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access.",
    "metadata": {
      "version": "3.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "5f76cf89-fbf2-47fd-a3f4-b891fa780b60"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 17 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), PCI v3.2.1:2018 (/providers/microsoft.authorization/policysetdefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "External accounts with write permissions should be removed from your subscription",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access.",
    "metadata": {
      "version": "3.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "04e7147b-0deb-9796-2e5c-0336343ceb3d",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "5c607a2e-c700-4744-8254-d77e7c9eb5e4"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 20 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), PCI v3.2.1:2018 (/providers/microsoft.authorization/policysetdefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Flow logs should be configured for every network security group",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Audit for network security groups to verify if flow logs are configured. Enabling flow logs allows to log information about IP traffic flowing through network security group. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more.",
    "metadata": {
      "version": "1.1.0",
      "category": "Network"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allof": [
          {
            "field": "type",
            "equals": "Microsoft.Network/networkSecurityGroups"
          },
          {
            "count": {
              "field": "Microsoft.Network/networkSecurityGroups/flowLogs[*]"
            },
            "equals": 0
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c251913d-7d24-4958-af87-478ed3b9ba41",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c251913d-7d24-4958-af87-478ed3b9ba41"
}
BuiltIn Network False False n/a n/a Audit false 0 n/a true 2 Flow logs should be configured and enabled for every network security group (/providers/microsoft.authorization/policysetdefinitions/62329546-775b-4a3d-a4cb-eb4bb990d2c0), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de) n/a
{
  "properties": {
    "displayName": "Flow logs should be enabled for every network security group",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Audit for flow log resources to verify if flow log status is enabled. Enabling flow logs allows to log information about IP traffic flowing through network security group. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more.",
    "metadata": {
      "version": "1.0.0",
      "category": "Network"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allof": [
          {
            "field": "type",
            "equals": "Microsoft.Network/networkWatchers/flowLogs"
          },
          {
            "field": "Microsoft.Network/networkWatchers/flowLogs/enabled",
            "equals": false
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/27960feb-a23c-4577-8d36-ef8b5f35e0be",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "27960feb-a23c-4577-8d36-ef8b5f35e0be"
}
BuiltIn Network False False n/a n/a Audit false 0 n/a true 1 Flow logs should be configured and enabled for every network security group (/providers/microsoft.authorization/policysetdefinitions/62329546-775b-4a3d-a4cb-eb4bb990d2c0) n/a
{
  "properties": {
    "displayName": "FTPS only should be required in your API App",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Enable FTPS enforcement for enhanced security",
    "metadata": {
      "version": "2.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "*api"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "name": "web",
          "existenceCondition": {
            "field": "Microsoft.Web/sites/config/ftpsState",
            "in": [
              "FtpsOnly",
              "Disabled"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "9a1b8c48-453a-4044-86c3-d8bfd823e4f5"
}
BuiltIn App Service False False n/a n/a AuditIfNotExists false 0 n/a true 9 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "FTPS only should be required in your Function App",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Enable FTPS enforcement for enhanced security",
    "metadata": {
      "version": "2.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "functionapp*"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "name": "web",
          "existenceCondition": {
            "field": "Microsoft.Web/sites/config/ftpsState",
            "in": [
              "FtpsOnly",
              "Disabled"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "399b2637-a50f-4f95-96f8-3a145476eb15"
}
BuiltIn App Service False False n/a n/a AuditIfNotExists false 0 n/a true 9 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "FTPS should be required in your Web App",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Enable FTPS enforcement for enhanced security",
    "metadata": {
      "version": "2.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "app*"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "name": "web",
          "existenceCondition": {
            "field": "Microsoft.Web/sites/config/ftpsState",
            "in": [
              "FtpsOnly",
              "Disabled"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b"
}
BuiltIn App Service False False n/a n/a AuditIfNotExists false 0 n/a true 9 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Function App should only be accessible over HTTPS",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.",
    "metadata": {
      "version": "1.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "functionapp*"
          },
          {
            "field": "Microsoft.Web/sites/httpsOnly",
            "equals": "false"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab"
}
BuiltIn App Service False False n/a n/a Audit false 0 n/a true 19 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), PCI v3.2.1:2018 (/providers/microsoft.authorization/policysetdefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Function apps should have 'Client Certificates (Incoming client certificates)' enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app.",
    "metadata": {
      "version": "1.0.1",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "functionapp*"
          },
          {
            "field": "Microsoft.Web/sites/clientCertEnabled",
            "equals": "false"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/eaebaea7-8013-4ceb-9d14-7eb32271373c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "eaebaea7-8013-4ceb-9d14-7eb32271373c"
}
BuiltIn App Service False False n/a n/a Audit false 0 n/a true 8 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Function apps should use an Azure file share for its content directory",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "The content directory of a function app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594.",
    "metadata": {
      "version": "1.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "functionapp*"
          },
          {
            "field": "Microsoft.Web/sites/storageAccountRequired",
            "equals": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/4d0bc837-6eff-477e-9ecd-33bf8d4212a5",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "4d0bc837-6eff-477e-9ecd-33bf8d4212a5"
}
BuiltIn App Service False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Gateway subnets should not be configured with a network security group",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy denies if a gateway subnet is configured with a network security group. Assigning a network security group to a gateway subnet will cause the gateway to stop functioning.",
    "metadata": {
      "version": "1.0.0",
      "category": "Network"
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/virtualNetworks/subnets"
          },
          {
            "field": "name",
            "equals": "GatewaySubnet"
          },
          {
            "field": "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id",
            "exists": "true"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "35f9c03a-cc27-418e-9c0c-539ff999d010"
}
BuiltIn Network False False n/a n/a n/a false 0 n/a true 1 HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab) n/a
{
  "properties": {
    "displayName": "Geo-redundant backup should be enabled for Azure Database for MariaDB",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.",
    "metadata": {
      "version": "1.0.1",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DBforMariaDB/servers"
          },
          {
            "field": "Microsoft.DBforMariaDB/servers/storageProfile.geoRedundantBackup",
            "notEquals": "Enabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0ec47710-77ff-4a3d-9181-6aa50af424d0"
}
BuiltIn SQL False False n/a n/a Audit false 0 n/a true 10 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Geo-redundant backup should be enabled for Azure Database for MySQL",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.",
    "metadata": {
      "version": "1.0.1",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DBforMySQL/servers"
          },
          {
            "field": "Microsoft.DBforMySQL/servers/storageProfile.geoRedundantBackup",
            "notEquals": "Enabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "82339799-d096-41ae-8538-b108becf0970"
}
BuiltIn SQL False False n/a n/a Audit false 0 n/a true 10 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Geo-redundant backup should be enabled for Azure Database for PostgreSQL",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.",
    "metadata": {
      "version": "1.0.1",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DBforPostgreSQL/servers"
          },
          {
            "field": "Microsoft.DBforPostgreSQL/servers/storageProfile.geoRedundantBackup",
            "notEquals": "Enabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "48af4db5-9b8b-401c-8e74-076be876a430"
}
BuiltIn SQL False False n/a n/a Audit false 0 n/a true 10 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Geo-redundant storage should be enabled for Storage Accounts",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use geo-redundancy to create highly available applications",
    "metadata": {
      "version": "1.0.0",
      "category": "Storage"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "not": {
              "field": "Microsoft.Storage/storageAccounts/sku.name",
              "in": [
                "Standard_GRS",
                "Standard_RAGRS",
                "Standard_GZRS",
                "Standard_RAGZRS"
              ]
            }
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/bf045164-79ba-4215-8f95-f8048dc1780b",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "bf045164-79ba-4215-8f95-f8048dc1780b"
}
BuiltIn Storage False False n/a n/a Audit false 0 n/a true 5 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Guest Configuration extension should be installed on your machines",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",
    "metadata": {
      "version": "1.0.1",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Compute/imagePublisher",
                "in": [
                  "esri",
                  "incredibuild",
                  "MicrosoftDynamicsAX",
                  "MicrosoftSharepoint",
                  "MicrosoftVisualStudio",
                  "MicrosoftWindowsDesktop",
                  "MicrosoftWindowsServerHPCPack",
                  "microsoft-aks",
                  "qubole-inc",
                  "datastax",
                  "couchbase",
                  "scalegrid",
                  "checkpoint",
                  "paloaltonetworks",
                  "debian"
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "notLike": "2008*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftSQLServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "notLike": "SQL2008*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "microsoft-dsvm"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "dsvm-windows"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "microsoft-ads"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "standard-data-science-vm",
                      "windows-data-science-vm"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "batch"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "rendering-windows2016"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "center-for-internet-security-inc"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "like": "cis-windows-server-201*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "pivotal"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "like": "bosh-windows-server*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "cloud-infrastructure-services"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "like": "ad*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                        "exists": "true"
                      },
                      {
                        "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                        "like": "Windows*"
                      }
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "exists": "false"
                      },
                      {
                        "allOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "notLike": "2008*"
                          },
                          {
                            "field": "Microsoft.Compute/imageOffer",
                            "notLike": "SQL2008*"
                          }
                        ]
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "OpenLogic"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "like": "CentOS*"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "notLike": "6*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Oracle"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Oracle-Linux"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "notLike": "6*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "RedHat"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "RHEL",
                      "RHEL-HA",
                      "RHEL-SAP",
                      "RHEL-SAP-APPS",
                      "RHEL-SAP-HA",
                      "RHEL-SAP-HANA"
                    ]
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "notLike": "6*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "RedHat"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "osa",
                      "rhel-byos"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "center-for-internet-security-inc"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "cis-centos-7-l1",
                      "cis-centos-7-v2-1-1-l1",
                      "cis-centos-8-l1",
                      "cis-debian-linux-8-l1",
                      "cis-debian-linux-9-l1",
                      "cis-nginx-centos-7-v1-1-0-l1",
                      "cis-oracle-linux-7-v2-0-0-l1",
                      "cis-oracle-linux-8-l1",
                      "cis-postgresql-11-centos-linux-7-level-1",
                      "cis-rhel-7-l2",
                      "cis-rhel-7-v2-2-0-l1",
                      "cis-rhel-8-l1",
                      "cis-suse-linux-12-v2-0-0-l1",
                      "cis-ubuntu-linux-1604-v1-0-0-l1",
                      "cis-ubuntu-linux-1804-l1"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "credativ"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Debian"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "notLike": "7*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Suse"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "like": "SLES*"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "notLike": "11*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Canonical"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "UbuntuServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "notLike": "12*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "microsoft-dsvm"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "linux-data-science-vm-ubuntu",
                      "azureml"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "cloudera"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "cloudera-centos-os"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "notLike": "6*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "cloudera"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "cloudera-altus-centos-os"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "microsoft-ads"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "like": "linux*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration",
                        "exists": "true"
                      },
                      {
                        "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                        "like": "Linux*"
                      }
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "exists": "false"
                      },
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "notIn": [
                          "OpenLogic",
                          "RedHat",
                          "credativ",
                          "Suse",
                          "Canonical",
                          "microsoft-dsvm",
                          "cloudera",
                          "microsoft-ads",
                          "center-for-internet-security-inc",
                          "Oracle"
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Compute/virtualMachines/extensions",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                "equals": "Microsoft.GuestConfiguration"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",
                "equals": "Succeeded"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ae89ebca-1c92-4898-ac2c-9f63decb045c"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 6 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "HPC Cache accounts should use customer-managed key for encryption",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Manage encryption at rest of Azure HPC Cache with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.",
    "metadata": {
      "version": "2.0.0",
      "category": "Storage"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled",
          "Deny"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.StorageCache/caches"
          },
          {
            "anyOf": [
              {
                "field": "identity.type",
                "exists": false
              },
              {
                "field": "Microsoft.StorageCache/caches/encryptionSettings.keyEncryptionKey.keyUrl",
                "exists": false
              },
              {
                "field": "Microsoft.StorageCache/caches/encryptionSettings.keyEncryptionKey.sourceVault.Id",
                "exists": false
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/970f84d8-71b6-4091-9979-ace7e3fb6dbb",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "970f84d8-71b6-4091-9979-ace7e3fb6dbb"
}
BuiltIn Storage False False n/a n/a Audit false 0 n/a true 4 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Infrastructure encryption should be enabled for Azure Database for MySQL servers",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Enable infrastructure encryption for Azure Database for MySQL servers to have higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys.",
    "metadata": {
      "version": "1.0.0",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DBforMySQL/servers"
          },
          {
            "field": "Microsoft.DBforMySQL/servers/infrastructureEncryption",
            "notEquals": "Enabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "3a58212a-c829-4f13-9872-6371df2fd0b4"
}
BuiltIn SQL False False n/a n/a Audit false 0 n/a true 5 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Enable infrastructure encryption for Azure Database for PostgreSQL servers to have higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys",
    "metadata": {
      "version": "1.0.0",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DBforPostgreSQL/servers"
          },
          {
            "field": "Microsoft.DBforPostgreSQL/servers/infrastructureEncryption",
            "notEquals": "Enabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/24fba194-95d6-48c0-aea7-f65bf859c598",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "24fba194-95d6-48c0-aea7-f65bf859c598"
}
BuiltIn SQL False False n/a n/a Audit false 0 n/a true 5 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Inherit a tag from the resource group",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Adds or replaces the specified tag and value from the parent resource group when any resource is created or updated. Existing resources can be remediated by triggering a remediation task.",
    "metadata": {
      "version": "1.0.0",
      "category": "Tags"
    },
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Name",
          "description": "Name of the tag, such as 'environment'"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "notEquals": "[resourceGroup().tags[parameters('tagName')]]"
          },
          {
            "value": "[resourceGroup().tags[parameters('tagName')]]",
            "notEquals": ""
          }
        ]
      },
      "then": {
        "effect": "modify",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "operations": [
            {
              "operation": "addOrReplace",
              "field": "[concat('tags[', parameters('tagName'), ']')]",
              "value": "[resourceGroup().tags[parameters('tagName')]]"
            }
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/cd3aa116-8754-49c9-a813-ad46512ece54",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "cd3aa116-8754-49c9-a813-ad46512ece54"
}
BuiltIn Tags False False n/a n/a n/a false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Inherit a tag from the resource group if missing",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Adds the specified tag with its value from the parent resource group when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed.",
    "metadata": {
      "version": "1.0.0",
      "category": "Tags"
    },
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Name",
          "description": "Name of the tag, such as 'environment'"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "exists": "false"
          },
          {
            "value": "[resourceGroup().tags[parameters('tagName')]]",
            "notEquals": ""
          }
        ]
      },
      "then": {
        "effect": "modify",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "operations": [
            {
              "operation": "add",
              "field": "[concat('tags[', parameters('tagName'), ']')]",
              "value": "[resourceGroup().tags[parameters('tagName')]]"
            }
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/ea3f2387-9b95-492a-a190-fcdc54f7b070",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ea3f2387-9b95-492a-a190-fcdc54f7b070"
}
BuiltIn Tags False False n/a n/a n/a false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Inherit a tag from the subscription",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Adds or replaces the specified tag and value from the containing subscription when any resource is created or updated. Existing resources can be remediated by triggering a remediation task.",
    "metadata": {
      "category": "Tags",
      "version": "1.0.0"
    },
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Name",
          "description": "Name of the tag, such as 'environment'"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "notEquals": "[subscription().tags[parameters('tagName')]]"
          },
          {
            "value": "[subscription().tags[parameters('tagName')]]",
            "notEquals": ""
          }
        ]
      },
      "then": {
        "effect": "modify",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "operations": [
            {
              "operation": "addOrReplace",
              "field": "[concat('tags[', parameters('tagName'), ']')]",
              "value": "[subscription().tags[parameters('tagName')]]"
            }
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/b27a0cbd-a167-4dfa-ae64-4337be671140",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b27a0cbd-a167-4dfa-ae64-4337be671140"
}
BuiltIn Tags False False n/a n/a n/a false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Inherit a tag from the subscription if missing",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Adds the specified tag with its value from the containing subscription when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed.",
    "metadata": {
      "category": "Tags",
      "version": "1.0.0"
    },
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Name",
          "description": "Name of the tag, such as 'environment'"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "exists": "false"
          },
          {
            "value": "[subscription().tags[parameters('tagName')]]",
            "notEquals": ""
          }
        ]
      },
      "then": {
        "effect": "modify",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "operations": [
            {
              "operation": "add",
              "field": "[concat('tags[', parameters('tagName'), ']')]",
              "value": "[subscription().tags[parameters('tagName')]]"
            }
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/40df99da-1232-49b1-a39a-6da8d878f469",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "40df99da-1232-49b1-a39a-6da8d878f469"
}
BuiltIn Tags False False n/a n/a n/a false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Internet-facing virtual machines should be protected with network security groups",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",
    "metadata": {
      "version": "3.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "Microsoft.Compute/virtualMachines",
          "Microsoft.ClassicCompute/virtualMachines"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "483f12ed-ae23-447e-a2de-a67a10db4353",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "f6de0be7-9a8a-4b8a-b349-43cf02d22f7c"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 13 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "IoT Hub device provisioning service instances should disable public network access",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disabling public network access improves security by ensuring that IoT Hub device provisioning service instance isn't exposed on the public internet. Creating private endpoints can limit exposure of the IoT Hub device provisioning instances. Learn more at: https://aka.ms/iotdpsvnet.",
    "metadata": {
      "version": "1.0.0",
      "category": "Internet of Things"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Devices/provisioningServices"
          },
          {
            "field": "Microsoft.Devices/provisioningServices/publicNetworkAccess",
            "notEquals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/d82101f3-f3ce-4fc5-8708-4c09f4009546",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "d82101f3-f3ce-4fc5-8708-4c09f4009546"
}
BuiltIn Internet of Things False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "IoT Hub device provisioning service instances should use private link",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: https://aka.ms/iotdpsvnet.",
    "metadata": {
      "version": "1.0.0",
      "category": "Internet of Things"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Devices/provisioningServices"
          },
          {
            "count": {
              "field": "Microsoft.Devices/provisioningServices/privateEndpointConnections[*]",
              "where": {
                "field": "Microsoft.Devices/provisioningServices/privateEndpointConnections[*].privateLinkServiceConnectionState.status",
                "equals": "Approved"
              }
            },
            "less": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/df39c015-56a4-45de-b4a3-efe77bed320d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "df39c015-56a4-45de-b4a3-efe77bed320d"
}
BuiltIn Internet of Things False False n/a n/a Audit false 0 n/a true 4 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "IP firewall rules on Azure Synapse workspaces should be removed",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Removing all IP firewall rules improves security by ensuring your Azure Synapse workspace can only be accessed from a private endpoint. This configuration audits creation of firewall rules that allow public network access on the workspace.",
    "metadata": {
      "version": "1.0.0",
      "category": "Synapse"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Synapse/workspaces/firewallrules"
          },
          {
            "field": "name",
            "exists": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/56fd377d-098c-4f02-8406-81eb055902b8",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "56fd377d-098c-4f02-8406-81eb055902b8"
}
BuiltIn Synapse False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "IP Forwarding on your virtual machine should be disabled",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",
    "metadata": {
      "version": "3.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "Microsoft.Compute/virtualMachines",
          "Microsoft.ClassicCompute/virtualMachines"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "c3b51c94-588b-426b-a892-24696f9e54cc",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "bd352bd5-2853-4985-bf0d-73806b4a5744"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 9 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), [Preview]: Motion Picture Association of America (MPAA) (/providers/microsoft.authorization/policysetdefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Key Vault should use a virtual network service endpoint",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy audits any Key Vault not configured to use a virtual network service endpoint.",
    "metadata": {
      "version": "1.0.0",
      "category": "Network"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault/vaults"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.KeyVault/vaults/networkAcls.defaultAction",
                "notEquals": "Deny"
              },
              {
                "field": "Microsoft.KeyVault/vaults/networkAcls.virtualNetworkRules[*].id",
                "exists": "false"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/ea4d6841-2173-4317-9747-ff522a45120f",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ea4d6841-2173-4317-9747-ff522a45120f"
}
BuiltIn Network False False n/a n/a Audit false 0 n/a true 2 [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab) n/a
{
  "properties": {
    "displayName": "Key vaults should have purge protection enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.",
    "metadata": {
      "version": "2.0.0",
      "category": "Key Vault"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault/vaults"
          },
          {
            "not": {
              "field": "Microsoft.KeyVault/vaults/createMode",
              "equals": "recover"
            }
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.KeyVault/vaults/enableSoftDelete",
                "exists": "false"
              },
              {
                "field": "Microsoft.KeyVault/vaults/enablePurgeProtection",
                "exists": "false"
              },
              {
                "field": "Microsoft.KeyVault/vaults/enableSoftDelete",
                "equals": "false"
              },
              {
                "field": "Microsoft.KeyVault/vaults/enablePurgeProtection",
                "equals": "false"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0b60c0b2-2dc2-4e1c-b5c9-abbed971de53"
}
BuiltIn Key Vault False False n/a n/a Audit false 0 n/a true 12 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Key vaults should have soft delete enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.",
    "metadata": {
      "version": "2.0.0",
      "category": "Key Vault"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault/vaults"
          },
          {
            "not": {
              "field": "Microsoft.KeyVault/vaults/createMode",
              "equals": "recover"
            }
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.KeyVault/vaults/enableSoftDelete",
                "exists": "false"
              },
              {
                "field": "Microsoft.KeyVault/vaults/enableSoftDelete",
                "equals": "false"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d"
}
BuiltIn Key Vault False False n/a n/a Audit false 0 n/a true 8 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "KeyVault SoftDelete should be enabled",
    "policyType": "Custom",
    "mode": "All",
    "description": "This policy enables you to ensure when a Key Vault is created with out soft delete enabled it will be added.",
    "metadata": {
      "version": "1.0.0",
      "category": "Key Vault",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.492565Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.KeyVault/vaults"
              },
              {
                "field": "Microsoft.KeyVault/vaults/enableSoftDelete",
                "notEquals": false
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "append",
        "details": [
          {
            "field": "Microsoft.KeyVault/vaults/enableSoftDelete",
            "value": true
          }
        ]
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Append-KV-SoftDelete",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Append-KV-SoftDelete"
}
Custom Key Vault False False Mg ESJH (ESJH) n/a false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits",
    "policyType": "BuiltIn",
    "mode": "Microsoft.Kubernetes.Data",
    "description": "Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
    "metadata": {
      "version": "6.0.0",
      "category": "Kubernetes"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "deny"
      },
      "excludedNamespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace exclusions",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "namespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace inclusions",
          "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
        },
        "defaultValue": []
      },
      "labelSelector": {
        "type": "Object",
        "metadata": {
          "displayName": "Kubernetes label selector",
          "description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
        },
        "defaultValue": {},
        "schema": {
          "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
          "type": "object",
          "properties": {
            "matchLabels": {
              "description": "matchLabels is a map of {key,value} pairs.",
              "type": "object",
              "additionalProperties": {
                "type": "string"
              },
              "minProperties": 1
            },
            "matchExpressions": {
              "description": "matchExpressions is a list of values, a key, and an operator.",
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "key": {
                    "description": "key is the label key that the selector applies to.",
                    "type": "string"
                  },
                  "operator": {
                    "description": "operator represents a key's relationship to a set of values.",
                    "type": "string",
                    "enum": [
                      "In",
                      "NotIn",
                      "Exists",
                      "DoesNotExist"
                    ]
                  },
                  "values": {
                    "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
                    "type": "array",
                    "items": {
                      "type": "string"
                    }
                  }
                },
                "required": [
                  "key",
                  "operator"
                ],
                "additionalProperties": false
              },
              "minItems": 1
            }
          },
          "additionalProperties": false
        }
      },
      "cpuLimit": {
        "type": "String",
        "metadata": {
          "displayName": "Max allowed CPU units",
          "description": "The maximum CPU units allowed for a container. E.g. 200m. For more information, please refer https://aka.ms/k8s-policy-pod-limits"
        }
      },
      "memoryLimit": {
        "type": "String",
        "metadata": {
          "displayName": "Max allowed memory bytes",
          "description": "The maximum memory bytes allowed for a container. E.g. 1Gi. For more information, please refer https://aka.ms/k8s-policy-pod-limits"
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "AKS Engine",
          "Microsoft.Kubernetes/connectedClusters",
          "Microsoft.ContainerService/managedClusters"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "constraintTemplate": "https://store.policy.core.windows.net/kubernetes/container-resource-limits/v1/template.yaml",
          "constraint": "https://store.policy.core.windows.net/kubernetes/container-resource-limits/v1/constraint.yaml",
          "excludedNamespaces": "[parameters('excludedNamespaces')]",
          "namespaces": "[parameters('namespaces')]",
          "labelSelector": "[parameters('labelSelector')]",
          "values": {
            "cpuLimit": "[parameters('cpuLimit')]",
            "memoryLimit": "[parameters('memoryLimit')]"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e345eecc-fa47-480f-9e88-67dcc122b164",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e345eecc-fa47-480f-9e88-67dcc122b164"
}
BuiltIn Kubernetes False False n/a n/a deny false 0 n/a true 6 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Kubernetes cluster containers should not share host process ID or host IPC namespace",
    "policyType": "BuiltIn",
    "mode": "Microsoft.Kubernetes.Data",
    "description": "Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
    "metadata": {
      "version": "3.0.0",
      "category": "Kubernetes"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Deny' blocks the non-compliant resource creation or update. 'Disabled' turns off the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedNamespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace exclusions",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "namespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace inclusions",
          "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
        },
        "defaultValue": []
      },
      "labelSelector": {
        "type": "Object",
        "metadata": {
          "displayName": "Kubernetes label selector",
          "description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
        },
        "defaultValue": {},
        "schema": {
          "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
          "type": "object",
          "properties": {
            "matchLabels": {
              "description": "matchLabels is a map of {key,value} pairs.",
              "type": "object",
              "additionalProperties": {
                "type": "string"
              },
              "minProperties": 1
            },
            "matchExpressions": {
              "description": "matchExpressions is a list of values, a key, and an operator.",
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "key": {
                    "description": "key is the label key that the selector applies to.",
                    "type": "string"
                  },
                  "operator": {
                    "description": "operator represents a key's relationship to a set of values.",
                    "type": "string",
                    "enum": [
                      "In",
                      "NotIn",
                      "Exists",
                      "DoesNotExist"
                    ]
                  },
                  "values": {
                    "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
                    "type": "array",
                    "items": {
                      "type": "string"
                    }
                  }
                },
                "required": [
                  "key",
                  "operator"
                ],
                "additionalProperties": false
              },
              "minItems": 1
            }
          },
          "additionalProperties": false
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "AKS Engine",
          "Microsoft.Kubernetes/connectedClusters",
          "Microsoft.ContainerService/managedClusters"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "constraintTemplate": "https://store.policy.core.windows.net/kubernetes/block-host-namespace/v1/template.yaml",
          "constraint": "https://store.policy.core.windows.net/kubernetes/block-host-namespace/v1/constraint.yaml",
          "excludedNamespaces": "[parameters('excludedNamespaces')]",
          "namespaces": "[parameters('namespaces')]",
          "labelSelector": "[parameters('labelSelector')]"
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8"
}
BuiltIn Kubernetes False False n/a n/a audit false 0 n/a true 8 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), Kubernetes cluster pod security restricted standards for Linux-based workloads (/providers/microsoft.authorization/policysetdefinitions/42b8ef37-b724-4e24-bbc8-7a7708edfe00), Kubernetes cluster pod security baseline standards for Linux-based workloads (/providers/microsoft.authorization/policysetdefinitions/a8640138-9b0a-4a28-b8cb-1666c838647d), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Kubernetes cluster containers should not use forbidden sysctl interfaces",
    "policyType": "BuiltIn",
    "mode": "Microsoft.Kubernetes.Data",
    "description": "Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
    "metadata": {
      "version": "4.0.0",
      "category": "Kubernetes"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Deny' blocks the non-compliant resource creation or update. 'Disabled' turns off the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedNamespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace exclusions",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "namespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace inclusions",
          "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
        },
        "defaultValue": []
      },
      "labelSelector": {
        "type": "Object",
        "metadata": {
          "displayName": "Kubernetes label selector",
          "description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
        },
        "defaultValue": {},
        "schema": {
          "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
          "type": "object",
          "properties": {
            "matchLabels": {
              "description": "matchLabels is a map of {key,value} pairs.",
              "type": "object",
              "additionalProperties": {
                "type": "string"
              },
              "minProperties": 1
            },
            "matchExpressions": {
              "description": "matchExpressions is a list of values, a key, and an operator.",
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "key": {
                    "description": "key is the label key that the selector applies to.",
                    "type": "string"
                  },
                  "operator": {
                    "description": "operator represents a key's relationship to a set of values.",
                    "type": "string",
                    "enum": [
                      "In",
                      "NotIn",
                      "Exists",
                      "DoesNotExist"
                    ]
                  },
                  "values": {
                    "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
                    "type": "array",
                    "items": {
                      "type": "string"
                    }
                  }
                },
                "required": [
                  "key",
                  "operator"
                ],
                "additionalProperties": false
              },
              "minItems": 1
            }
          },
          "additionalProperties": false
        }
      },
      "forbiddenSysctls": {
        "type": "Array",
        "metadata": {
          "displayName": "Forbidden sysctls",
          "description": "The list of plain sysctl names or sysctl patterns which end with *. The string * matches all sysctls. For more information, visit https://aka.ms/k8s-policy-sysctl-interfaces."
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "AKS Engine",
          "Microsoft.Kubernetes/connectedClusters"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "constraintTemplate": "https://store.policy.core.windows.net/kubernetes/forbidden-sysctl-interfaces/v1/template.yaml",
          "constraint": "https://store.policy.core.windows.net/kubernetes/forbidden-sysctl-interfaces/v1/constraint.yaml",
          "excludedNamespaces": "[parameters('excludedNamespaces')]",
          "namespaces": "[parameters('namespaces')]",
          "labelSelector": "[parameters('labelSelector')]",
          "values": {
            "forbiddenSysctls": "[parameters('forbiddenSysctls')]"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/56d0a13f-712f-466b-8416-56fb354fb823",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "56d0a13f-712f-466b-8416-56fb354fb823"
}
BuiltIn Kubernetes False False n/a n/a audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Kubernetes cluster containers should only listen on allowed ports",
    "policyType": "BuiltIn",
    "mode": "Microsoft.Kubernetes.Data",
    "description": "Restrict containers to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
    "metadata": {
      "version": "6.1.1",
      "category": "Kubernetes"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "deny"
      },
      "excludedNamespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace exclusions",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "namespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace inclusions",
          "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
        },
        "defaultValue": []
      },
      "labelSelector": {
        "type": "Object",
        "metadata": {
          "displayName": "Kubernetes label selector",
          "description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
        },
        "defaultValue": {},
        "schema": {
          "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
          "type": "object",
          "properties": {
            "matchLabels": {
              "description": "matchLabels is a map of {key,value} pairs.",
              "type": "object",
              "additionalProperties": {
                "type": "string"
              },
              "minProperties": 1
            },
            "matchExpressions": {
              "description": "matchExpressions is a list of values, a key, and an operator.",
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "key": {
                    "description": "key is the label key that the selector applies to.",
                    "type": "string"
                  },
                  "operator": {
                    "description": "operator represents a key's relationship to a set of values.",
                    "type": "string",
                    "enum": [
                      "In",
                      "NotIn",
                      "Exists",
                      "DoesNotExist"
                    ]
                  },
                  "values": {
                    "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
                    "type": "array",
                    "items": {
                      "type": "string"
                    }
                  }
                },
                "required": [
                  "key",
                  "operator"
                ],
                "additionalProperties": false
              },
              "minItems": 1
            }
          },
          "additionalProperties": false
        }
      },
      "allowedContainerPortsList": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed container ports list",
          "description": "The list of container ports allowed in a Kubernetes cluster. Array only accepts strings. Example: [\"443\", \"80\"]"
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "AKS Engine",
          "Microsoft.Kubernetes/connectedClusters",
          "Microsoft.ContainerService/managedClusters"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "constraintTemplate": "https://store.policy.core.windows.net/kubernetes/container-allowed-ports/v1/template.yaml",
          "constraint": "https://store.policy.core.windows.net/kubernetes/container-allowed-ports/v1/constraint.yaml",
          "excludedNamespaces": "[parameters('excludedNamespaces')]",
          "namespaces": "[parameters('namespaces')]",
          "labelSelector": "[parameters('labelSelector')]",
          "values": {
            "allowedContainerPorts": "[parameters('allowedContainerPortsList')]",
            "allowedPorts": "[parameters('allowedContainerPortsList')]"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/440b515e-a580-421e-abeb-b159a61ddcbc",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "440b515e-a580-421e-abeb-b159a61ddcbc"
}
BuiltIn Kubernetes False False n/a n/a deny false 0 n/a true 6 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Kubernetes cluster containers should only use allowed AppArmor profiles",
    "policyType": "BuiltIn",
    "mode": "Microsoft.Kubernetes.Data",
    "description": "Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
    "metadata": {
      "version": "3.0.0",
      "category": "Kubernetes"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Deny' blocks the non-compliant resource creation or update. 'Disabled' turns off the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedNamespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace exclusions",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "namespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace inclusions",
          "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
        },
        "defaultValue": []
      },
      "labelSelector": {
        "type": "Object",
        "metadata": {
          "displayName": "Kubernetes label selector",
          "description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
        },
        "defaultValue": {},
        "schema": {
          "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
          "type": "object",
          "properties": {
            "matchLabels": {
              "description": "matchLabels is a map of {key,value} pairs.",
              "type": "object",
              "additionalProperties": {
                "type": "string"
              },
              "minProperties": 1
            },
            "matchExpressions": {
              "description": "matchExpressions is a list of values, a key, and an operator.",
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "key": {
                    "description": "key is the label key that the selector applies to.",
                    "type": "string"
                  },
                  "operator": {
                    "description": "operator represents a key's relationship to a set of values.",
                    "type": "string",
                    "enum": [
                      "In",
                      "NotIn",
                      "Exists",
                      "DoesNotExist"
                    ]
                  },
                  "values": {
                    "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
                    "type": "array",
                    "items": {
                      "type": "string"
                    }
                  }
                },
                "required": [
                  "key",
                  "operator"
                ],
                "additionalProperties": false
              },
              "minItems": 1
            }
          },
          "additionalProperties": false
        }
      },
      "allowedProfiles": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed AppArmor profiles",
          "description": "The list of AppArmor profiles that containers are allowed to use. E.g. 'runtime/default;docker/default'. Provide empty list as input to block everything."
        },
        "defaultValue": []
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "AKS Engine",
          "Microsoft.Kubernetes/connectedClusters",
          "Microsoft.ContainerService/managedClusters"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "constraintTemplate": "https://store.policy.core.windows.net/kubernetes/enforce-apparmor-profile/v1/template.yaml",
          "constraint": "https://store.policy.core.windows.net/kubernetes/enforce-apparmor-profile/v1/constraint.yaml",
          "excludedNamespaces": "[parameters('excludedNamespaces')]",
          "namespaces": "[parameters('namespaces')]",
          "labelSelector": "[parameters('labelSelector')]",
          "values": {
            "allowedProfiles": "[parameters('allowedProfiles')]"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/511f5417-5d12-434d-ab2e-816901e72a5e",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "511f5417-5d12-434d-ab2e-816901e72a5e"
}
BuiltIn Kubernetes False False n/a n/a audit false 0 n/a true 6 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Kubernetes cluster containers should only use allowed capabilities",
    "policyType": "BuiltIn",
    "mode": "Microsoft.Kubernetes.Data",
    "description": "Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
    "metadata": {
      "version": "3.0.0",
      "category": "Kubernetes"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Deny' blocks the non-compliant resource creation or update. 'Disabled' turns off the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedNamespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace exclusions",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "namespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace inclusions",
          "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
        },
        "defaultValue": []
      },
      "labelSelector": {
        "type": "Object",
        "metadata": {
          "displayName": "Kubernetes label selector",
          "description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
        },
        "defaultValue": {},
        "schema": {
          "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
          "type": "object",
          "properties": {
            "matchLabels": {
              "description": "matchLabels is a map of {key,value} pairs.",
              "type": "object",
              "additionalProperties": {
                "type": "string"
              },
              "minProperties": 1
            },
            "matchExpressions": {
              "description": "matchExpressions is a list of values, a key, and an operator.",
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "key": {
                    "description": "key is the label key that the selector applies to.",
                    "type": "string"
                  },
                  "operator": {
                    "description": "operator represents a key's relationship to a set of values.",
                    "type": "string",
                    "enum": [
                      "In",
                      "NotIn",
                      "Exists",
                      "DoesNotExist"
                    ]
                  },
                  "values": {
                    "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
                    "type": "array",
                    "items": {
                      "type": "string"
                    }
                  }
                },
                "required": [
                  "key",
                  "operator"
                ],
                "additionalProperties": false
              },
              "minItems": 1
            }
          },
          "additionalProperties": false
        }
      },
      "allowedCapabilities": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed capabilities",
          "description": "The list of capabilities that are allowed to be added to a container. Provide empty list as input to block everything."
        },
        "defaultValue": []
      },
      "requiredDropCapabilities": {
        "type": "Array",
        "metadata": {
          "displayName": "Required drop capabilities",
          "description": "The list of capabilities that must be dropped by a container."
        },
        "defaultValue": []
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "AKS Engine",
          "Microsoft.Kubernetes/connectedClusters",
          "Microsoft.ContainerService/managedClusters"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "constraintTemplate": "https://store.policy.core.windows.net/kubernetes/container-allowed-capabilities/v1/template.yaml",
          "constraint": "https://store.policy.core.windows.net/kubernetes/container-allowed-capabilities/v1/constraint.yaml",
          "excludedNamespaces": "[parameters('excludedNamespaces')]",
          "namespaces": "[parameters('namespaces')]",
          "labelSelector": "[parameters('labelSelector')]",
          "values": {
            "allowedCapabilities": "[parameters('allowedCapabilities')]",
            "requiredDropCapabilities": "[parameters('requiredDropCapabilities')]"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c26596ff-4d70-4e6a-9a30-c2506bd2f80c"
}
BuiltIn Kubernetes False False n/a n/a audit false 0 n/a true 8 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), Kubernetes cluster pod security restricted standards for Linux-based workloads (/providers/microsoft.authorization/policysetdefinitions/42b8ef37-b724-4e24-bbc8-7a7708edfe00), Kubernetes cluster pod security baseline standards for Linux-based workloads (/providers/microsoft.authorization/policysetdefinitions/a8640138-9b0a-4a28-b8cb-1666c838647d), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Kubernetes cluster containers should only use allowed images",
    "policyType": "BuiltIn",
    "mode": "Microsoft.Kubernetes.Data",
    "description": "Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
    "metadata": {
      "version": "7.0.0",
      "category": "Kubernetes"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "deny"
      },
      "excludedNamespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace exclusions",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "namespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace inclusions",
          "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
        },
        "defaultValue": []
      },
      "labelSelector": {
        "type": "Object",
        "metadata": {
          "displayName": "Kubernetes label selector",
          "description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
        },
        "defaultValue": {},
        "schema": {
          "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
          "type": "object",
          "properties": {
            "matchLabels": {
              "description": "matchLabels is a map of {key,value} pairs.",
              "type": "object",
              "additionalProperties": {
                "type": "string"
              },
              "minProperties": 1
            },
            "matchExpressions": {
              "description": "matchExpressions is a list of values, a key, and an operator.",
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "key": {
                    "description": "key is the label key that the selector applies to.",
                    "type": "string"
                  },
                  "operator": {
                    "description": "operator represents a key's relationship to a set of values.",
                    "type": "string",
                    "enum": [
                      "In",
                      "NotIn",
                      "Exists",
                      "DoesNotExist"
                    ]
                  },
                  "values": {
                    "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
                    "type": "array",
                    "items": {
                      "type": "string"
                    }
                  }
                },
                "required": [
                  "key",
                  "operator"
                ],
                "additionalProperties": false
              },
              "minItems": 1
            }
          },
          "additionalProperties": false
        }
      },
      "allowedContainerImagesRegex": {
        "type": "String",
        "metadata": {
          "displayName": "Allowed container images regex",
          "description": "The RegEx rule used to match allowed container images in a Kubernetes cluster. For example, to allow any Azure Container Registry image by matching partial path: ^.+azurecr.io/.+$"
        }
      },
      "excludedContainers": {
        "type": "Array",
        "metadata": {
          "displayName": "Containers exclusions",
          "description": "The list of InitContainers and Containers to exclude from policy evaluation. The identify is the name of container. Use an empty list to apply this policy to all containers in all namespaces."
        },
        "defaultValue": []
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "AKS Engine",
          "Microsoft.Kubernetes/connectedClusters",
          "Microsoft.ContainerService/managedClusters"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "constraintTemplate": "https://store.policy.core.windows.net/kubernetes/container-allowed-images/v2/template.yaml",
          "constraint": "https://store.policy.core.windows.net/kubernetes/container-allowed-images/v2/constraint.yaml",
          "excludedNamespaces": "[parameters('excludedNamespaces')]",
          "namespaces": "[parameters('namespaces')]",
          "labelSelector": "[parameters('labelSelector')]",
          "values": {
            "imageRegex": "[parameters('allowedContainerImagesRegex')]",
            "excludedContainers": "[parameters('excludedContainers')]"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/febd0533-8e55-448f-b837-bd0e06f16469",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "febd0533-8e55-448f-b837-bd0e06f16469"
}
BuiltIn Kubernetes False False n/a n/a deny false 0 n/a true 6 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Kubernetes cluster containers should only use allowed ProcMountType",
    "policyType": "BuiltIn",
    "mode": "Microsoft.Kubernetes.Data",
    "description": "Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
    "metadata": {
      "version": "4.0.0",
      "category": "Kubernetes"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Deny' blocks the non-compliant resource creation or update. 'Disabled' turns off the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedNamespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace exclusions",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "namespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace inclusions",
          "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
        },
        "defaultValue": []
      },
      "labelSelector": {
        "type": "Object",
        "metadata": {
          "displayName": "Kubernetes label selector",
          "description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
        },
        "defaultValue": {},
        "schema": {
          "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
          "type": "object",
          "properties": {
            "matchLabels": {
              "description": "matchLabels is a map of {key,value} pairs.",
              "type": "object",
              "additionalProperties": {
                "type": "string"
              },
              "minProperties": 1
            },
            "matchExpressions": {
              "description": "matchExpressions is a list of values, a key, and an operator.",
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "key": {
                    "description": "key is the label key that the selector applies to.",
                    "type": "string"
                  },
                  "operator": {
                    "description": "operator represents a key's relationship to a set of values.",
                    "type": "string",
                    "enum": [
                      "In",
                      "NotIn",
                      "Exists",
                      "DoesNotExist"
                    ]
                  },
                  "values": {
                    "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
                    "type": "array",
                    "items": {
                      "type": "string"
                    }
                  }
                },
                "required": [
                  "key",
                  "operator"
                ],
                "additionalProperties": false
              },
              "minItems": 1
            }
          },
          "additionalProperties": false
        }
      },
      "procMountType": {
        "type": "String",
        "metadata": {
          "displayName": "ProcMountType",
          "description": "The ProcMountType that containers are allowed to use in the cluster."
        },
        "allowedValues": [
          "Unmasked",
          "Default"
        ],
        "defaultValue": "Default"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "AKS Engine",
          "Microsoft.Kubernetes/connectedClusters"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "constraintTemplate": "https://store.policy.core.windows.net/kubernetes/allowed-proc-mount-types/v1/template.yaml",
          "constraint": "https://store.policy.core.windows.net/kubernetes/allowed-proc-mount-types/v1/constraint.yaml",
          "excludedNamespaces": "[parameters('excludedNamespaces')]",
          "namespaces": "[parameters('namespaces')]",
          "labelSelector": "[parameters('labelSelector')]",
          "values": {
            "procMount": "[parameters('procMountType')]"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/f85eb0dd-92ee-40e9-8a76-db25a507d6d3",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "f85eb0dd-92ee-40e9-8a76-db25a507d6d3"
}
BuiltIn Kubernetes False False n/a n/a audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Kubernetes cluster containers should only use allowed seccomp profiles",
    "policyType": "BuiltIn",
    "mode": "Microsoft.Kubernetes.Data",
    "description": "Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
    "metadata": {
      "version": "3.0.0",
      "category": "Kubernetes"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Deny' blocks the non-compliant resource creation or update. 'Disabled' turns off the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedNamespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace exclusions",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "namespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace inclusions",
          "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
        },
        "defaultValue": []
      },
      "labelSelector": {
        "type": "Object",
        "metadata": {
          "displayName": "Kubernetes label selector",
          "description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
        },
        "defaultValue": {},
        "schema": {
          "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
          "type": "object",
          "properties": {
            "matchLabels": {
              "description": "matchLabels is a map of {key,value} pairs.",
              "type": "object",
              "additionalProperties": {
                "type": "string"
              },
              "minProperties": 1
            },
            "matchExpressions": {
              "description": "matchExpressions is a list of values, a key, and an operator.",
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "key": {
                    "description": "key is the label key that the selector applies to.",
                    "type": "string"
                  },
                  "operator": {
                    "description": "operator represents a key's relationship to a set of values.",
                    "type": "string",
                    "enum": [
                      "In",
                      "NotIn",
                      "Exists",
                      "DoesNotExist"
                    ]
                  },
                  "values": {
                    "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
                    "type": "array",
                    "items": {
                      "type": "string"
                    }
                  }
                },
                "required": [
                  "key",
                  "operator"
                ],
                "additionalProperties": false
              },
              "minItems": 1
            }
          },
          "additionalProperties": false
        }
      },
      "allowedProfiles": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed seccomp profiles",
          "description": "The list of seccomp profiles that containers are allowed to use. E.g. 'runtime/default;docker/default'. Provide empty list as input to block everything."
        },
        "defaultValue": []
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "AKS Engine",
          "Microsoft.Kubernetes/connectedClusters",
          "Microsoft.ContainerService/managedClusters"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "constraintTemplate": "https://store.policy.core.windows.net/kubernetes/allowed-seccomp-profiles/v1/template.yaml",
          "constraint": "https://store.policy.core.windows.net/kubernetes/allowed-seccomp-profiles/v1/constraint.yaml",
          "excludedNamespaces": "[parameters('excludedNamespaces')]",
          "namespaces": "[parameters('namespaces')]",
          "labelSelector": "[parameters('labelSelector')]",
          "values": {
            "allowedProfiles": "[parameters('allowedProfiles')]"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/975ce327-682c-4f2e-aa46-b9598289b86c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "975ce327-682c-4f2e-aa46-b9598289b86c"
}
BuiltIn Kubernetes False False n/a n/a audit false 0 n/a true 1 Kubernetes cluster pod security restricted standards for Linux-based workloads (/providers/microsoft.authorization/policysetdefinitions/42b8ef37-b724-4e24-bbc8-7a7708edfe00) n/a
{
  "properties": {
    "displayName": "Kubernetes cluster containers should run with a read only root file system",
    "policyType": "BuiltIn",
    "mode": "Microsoft.Kubernetes.Data",
    "description": "Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
    "metadata": {
      "version": "3.0.0",
      "category": "Kubernetes"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Deny' blocks the non-compliant resource creation or update. 'Disabled' turns off the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedNamespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace exclusions",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "namespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace inclusions",
          "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
        },
        "defaultValue": []
      },
      "labelSelector": {
        "type": "Object",
        "metadata": {
          "displayName": "Kubernetes label selector",
          "description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
        },
        "defaultValue": {},
        "schema": {
          "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
          "type": "object",
          "properties": {
            "matchLabels": {
              "description": "matchLabels is a map of {key,value} pairs.",
              "type": "object",
              "additionalProperties": {
                "type": "string"
              },
              "minProperties": 1
            },
            "matchExpressions": {
              "description": "matchExpressions is a list of values, a key, and an operator.",
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "key": {
                    "description": "key is the label key that the selector applies to.",
                    "type": "string"
                  },
                  "operator": {
                    "description": "operator represents a key's relationship to a set of values.",
                    "type": "string",
                    "enum": [
                      "In",
                      "NotIn",
                      "Exists",
                      "DoesNotExist"
                    ]
                  },
                  "values": {
                    "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
                    "type": "array",
                    "items": {
                      "type": "string"
                    }
                  }
                },
                "required": [
                  "key",
                  "operator"
                ],
                "additionalProperties": false
              },
              "minItems": 1
            }
          },
          "additionalProperties": false
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "AKS Engine",
          "Microsoft.Kubernetes/connectedClusters",
          "Microsoft.ContainerService/managedClusters"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "constraintTemplate": "https://store.policy.core.windows.net/kubernetes/read-only-root-filesystem/v1/template.yaml",
          "constraint": "https://store.policy.core.windows.net/kubernetes/read-only-root-filesystem/v1/constraint.yaml",
          "excludedNamespaces": "[parameters('excludedNamespaces')]",
          "namespaces": "[parameters('namespaces')]",
          "labelSelector": "[parameters('labelSelector')]"
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/df49d893-a74c-421d-bc95-c663042e5b80",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "df49d893-a74c-421d-bc95-c663042e5b80"
}
BuiltIn Kubernetes False False n/a n/a audit false 0 n/a true 6 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Kubernetes cluster pod FlexVolume volumes should only use allowed drivers",
    "policyType": "BuiltIn",
    "mode": "Microsoft.Kubernetes.Data",
    "description": "Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
    "metadata": {
      "version": "3.0.0",
      "category": "Kubernetes"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Deny' blocks the non-compliant resource creation or update. 'Disabled' turns off the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedNamespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace exclusions",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "namespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace inclusions",
          "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
        },
        "defaultValue": []
      },
      "labelSelector": {
        "type": "Object",
        "metadata": {
          "displayName": "Kubernetes label selector",
          "description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
        },
        "defaultValue": {},
        "schema": {
          "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
          "type": "object",
          "properties": {
            "matchLabels": {
              "description": "matchLabels is a map of {key,value} pairs.",
              "type": "object",
              "additionalProperties": {
                "type": "string"
              },
              "minProperties": 1
            },
            "matchExpressions": {
              "description": "matchExpressions is a list of values, a key, and an operator.",
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "key": {
                    "description": "key is the label key that the selector applies to.",
                    "type": "string"
                  },
                  "operator": {
                    "description": "operator represents a key's relationship to a set of values.",
                    "type": "string",
                    "enum": [
                      "In",
                      "NotIn",
                      "Exists",
                      "DoesNotExist"
                    ]
                  },
                  "values": {
                    "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
                    "type": "array",
                    "items": {
                      "type": "string"
                    }
                  }
                },
                "required": [
                  "key",
                  "operator"
                ],
                "additionalProperties": false
              },
              "minItems": 1
            }
          },
          "additionalProperties": false
        }
      },
      "allowedFlexVolumeDrivers": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed FlexVolume drivers",
          "description": "The list of drivers that FlexVolume volumes are allowed to use. Provide empty list as input to block everything."
        },
        "defaultValue": []
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "AKS Engine",
          "Microsoft.Kubernetes/connectedClusters",
          "Microsoft.ContainerService/managedClusters"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "constraintTemplate": "https://store.policy.core.windows.net/kubernetes/flexvolume-drivers/v1/template.yaml",
          "constraint": "https://store.policy.core.windows.net/kubernetes/flexvolume-drivers/v1/constraint.yaml",
          "excludedNamespaces": "[parameters('excludedNamespaces')]",
          "namespaces": "[parameters('namespaces')]",
          "labelSelector": "[parameters('labelSelector')]",
          "values": {
            "allowedFlexVolumeDrivers": "[parameters('allowedFlexVolumeDrivers')]"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/f4a8fce0-2dd5-4c21-9a36-8f0ec809d663",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "f4a8fce0-2dd5-4c21-9a36-8f0ec809d663"
}
BuiltIn Kubernetes False False n/a n/a audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Kubernetes cluster pod hostPath volumes should only use allowed host paths",
    "policyType": "BuiltIn",
    "mode": "Microsoft.Kubernetes.Data",
    "description": "Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
    "metadata": {
      "version": "3.0.0",
      "category": "Kubernetes"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Deny' blocks the non-compliant resource creation or update. 'Disabled' turns off the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedNamespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace exclusions",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "namespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace inclusions",
          "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
        },
        "defaultValue": []
      },
      "labelSelector": {
        "type": "Object",
        "metadata": {
          "displayName": "Kubernetes label selector",
          "description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
        },
        "defaultValue": {},
        "schema": {
          "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
          "type": "object",
          "properties": {
            "matchLabels": {
              "description": "matchLabels is a map of {key,value} pairs.",
              "type": "object",
              "additionalProperties": {
                "type": "string"
              },
              "minProperties": 1
            },
            "matchExpressions": {
              "description": "matchExpressions is a list of values, a key, and an operator.",
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "key": {
                    "description": "key is the label key that the selector applies to.",
                    "type": "string"
                  },
                  "operator": {
                    "description": "operator represents a key's relationship to a set of values.",
                    "type": "string",
                    "enum": [
                      "In",
                      "NotIn",
                      "Exists",
                      "DoesNotExist"
                    ]
                  },
                  "values": {
                    "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
                    "type": "array",
                    "items": {
                      "type": "string"
                    }
                  }
                },
                "required": [
                  "key",
                  "operator"
                ],
                "additionalProperties": false
              },
              "minItems": 1
            }
          },
          "additionalProperties": false
        }
      },
      "allowedHostPaths": {
        "type": "Object",
        "metadata": {
          "displayName": "Allowed host paths",
          "description": "The host paths allowed for pod hostPath volumes to use. Provide an empty paths list to block all host paths."
        },
        "defaultValue": {
          "paths": []
        },
        "schema": {
          "type": "object",
          "properties": {
            "paths": {
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "pathPrefix": {
                    "type": "string"
                  },
                  "readOnly": {
                    "type": "boolean"
                  }
                },
                "required": [
                  "pathPrefix",
                  "readOnly"
                ],
                "additionalProperties": false
              }
            }
          },
          "required": [
            "paths"
          ],
          "additionalProperties": false
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "AKS Engine",
          "Microsoft.Kubernetes/connectedClusters",
          "Microsoft.ContainerService/managedClusters"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "constraintTemplate": "https://store.policy.core.windows.net/kubernetes/allowed-host-paths/v1/template.yaml",
          "constraint": "https://store.policy.core.windows.net/kubernetes/allowed-host-paths/v1/constraint.yaml",
          "excludedNamespaces": "[parameters('excludedNamespaces')]",
          "namespaces": "[parameters('namespaces')]",
          "labelSelector": "[parameters('labelSelector')]",
          "values": {
            "allowedHostPaths": "[parameters('allowedHostPaths').paths]"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/098fc59e-46c7-4d99-9b16-64990e543d75",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "098fc59e-46c7-4d99-9b16-64990e543d75"
}
BuiltIn Kubernetes False False n/a n/a audit false 0 n/a true 7 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), Kubernetes cluster pod security baseline standards for Linux-based workloads (/providers/microsoft.authorization/policysetdefinitions/a8640138-9b0a-4a28-b8cb-1666c838647d), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Kubernetes cluster pods and containers should only run with approved user and group IDs",
    "policyType": "BuiltIn",
    "mode": "Microsoft.Kubernetes.Data",
    "description": "Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
    "metadata": {
      "version": "3.0.0",
      "category": "Kubernetes"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Deny' blocks the non-compliant resource creation or update. 'Disabled' turns off the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedNamespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace exclusions",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "namespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace inclusions",
          "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
        },
        "defaultValue": []
      },
      "labelSelector": {
        "type": "Object",
        "metadata": {
          "displayName": "Kubernetes label selector",
          "description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
        },
        "defaultValue": {},
        "schema": {
          "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
          "type": "object",
          "properties": {
            "matchLabels": {
              "description": "matchLabels is a map of {key,value} pairs.",
              "type": "object",
              "additionalProperties": {
                "type": "string"
              },
              "minProperties": 1
            },
            "matchExpressions": {
              "description": "matchExpressions is a list of values, a key, and an operator.",
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "key": {
                    "description": "key is the label key that the selector applies to.",
                    "type": "string"
                  },
                  "operator": {
                    "description": "operator represents a key's relationship to a set of values.",
                    "type": "string",
                    "enum": [
                      "In",
                      "NotIn",
                      "Exists",
                      "DoesNotExist"
                    ]
                  },
                  "values": {
                    "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
                    "type": "array",
                    "items": {
                      "type": "string"
                    }
                  }
                },
                "required": [
                  "key",
                  "operator"
                ],
                "additionalProperties": false
              },
              "minItems": 1
            }
          },
          "additionalProperties": false
        }
      },
      "runAsUserRule": {
        "type": "String",
        "metadata": {
          "displayName": "Run as user rule",
          "description": "The 'RunAsUser' rule that containers are allowed to run with."
        },
        "allowedValues": [
          "MustRunAs",
          "MustRunAsNonRoot",
          "RunAsAny"
        ],
        "defaultValue": "MustRunAsNonRoot"
      },
      "runAsUserRanges": {
        "type": "Object",
        "metadata": {
          "displayName": "Allowed user ID ranges",
          "description": "The user ID ranges that are allowed for containers to use."
        },
        "defaultValue": {
          "ranges": []
        },
        "schema": {
          "type": "object",
          "properties": {
            "ranges": {
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "min": {
                    "type": "integer"
                  },
                  "max": {
                    "type": "integer"
                  }
                },
                "required": [
                  "min",
                  "max"
                ],
                "additionalProperties": false
              }
            }
          },
          "required": [
            "ranges"
          ],
          "additionalProperties": false
        }
      },
      "runAsGroupRule": {
        "type": "String",
        "metadata": {
          "displayName": "Run as group rule",
          "description": "The 'RunAsGroup' rule that containers are allowed to run with."
        },
        "allowedValues": [
          "MustRunAs",
          "MayRunAs",
          "RunAsAny"
        ],
        "defaultValue": "RunAsAny"
      },
      "runAsGroupRanges": {
        "type": "Object",
        "metadata": {
          "displayName": "Allowed group ID ranges",
          "description": "The group ID ranges that are allowed for containers to use."
        },
        "defaultValue": {
          "ranges": []
        },
        "schema": {
          "type": "object",
          "properties": {
            "ranges": {
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "min": {
                    "type": "integer"
                  },
                  "max": {
                    "type": "integer"
                  }
                },
                "required": [
                  "min",
                  "max"
                ],
                "additionalProperties": false
              }
            }
          },
          "required": [
            "ranges"
          ],
          "additionalProperties": false
        }
      },
      "supplementalGroupsRule": {
        "type": "String",
        "metadata": {
          "displayName": "Supplemental group rule",
          "description": "The 'SupplementalGroups' rule that containers are allowed to run with."
        },
        "allowedValues": [
          "MustRunAs",
          "MayRunAs",
          "RunAsAny"
        ],
        "defaultValue": "RunAsAny"
      },
      "supplementalGroupsRanges": {
        "type": "Object",
        "metadata": {
          "displayName": "Allowed supplemental group ID ranges",
          "description": "The supplemental group ID ranges that are allowed for containers to use."
        },
        "defaultValue": {
          "ranges": []
        },
        "schema": {
          "type": "object",
          "properties": {
            "ranges": {
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "min": {
                    "type": "integer"
                  },
                  "max": {
                    "type": "integer"
                  }
                },
                "required": [
                  "min",
                  "max"
                ],
                "additionalProperties": false
              }
            }
          },
          "required": [
            "ranges"
          ],
          "additionalProperties": false
        }
      },
      "fsGroupRule": {
        "type": "String",
        "metadata": {
          "displayName": "File system group rule",
          "description": "The 'FSGroup' rule that containers are allowed to run with."
        },
        "allowedValues": [
          "MustRunAs",
          "MayRunAs",
          "RunAsAny"
        ],
        "defaultValue": "RunAsAny"
      },
      "fsGroupRanges": {
        "type": "Object",
        "metadata": {
          "displayName": "Allowed file system group ID ranges",
          "description": "The file system group ranges that are allowed for pods to use."
        },
        "defaultValue": {
          "ranges": []
        },
        "schema": {
          "type": "object",
          "properties": {
            "ranges": {
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "min": {
                    "type": "integer"
                  },
                  "max": {
                    "type": "integer"
                  }
                },
                "required": [
                  "min",
                  "max"
                ],
                "additionalProperties": false
              }
            }
          },
          "required": [
            "ranges"
          ],
          "additionalProperties": false
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "AKS Engine",
          "Microsoft.Kubernetes/connectedClusters",
          "Microsoft.ContainerService/managedClusters"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "constraintTemplate": "https://store.policy.core.windows.net/kubernetes/allowed-users-groups/v1/template.yaml",
          "constraint": "https://store.policy.core.windows.net/kubernetes/allowed-users-groups/v1/constraint.yaml",
          "excludedNamespaces": "[parameters('excludedNamespaces')]",
          "namespaces": "[parameters('namespaces')]",
          "labelSelector": "[parameters('labelSelector')]",
          "values": {
            "runAsUser": {
              "rule": "[parameters('runAsUserRule')]",
              "ranges": "[parameters('runAsUserRanges').ranges]"
            },
            "runAsGroup": {
              "rule": "[parameters('runAsGroupRule')]",
              "ranges": "[parameters('runAsGroupRanges').ranges]"
            },
            "supplementalGroups": {
              "rule": "[parameters('supplementalGroupsRule')]",
              "ranges": "[parameters('supplementalGroupsRanges').ranges]"
            },
            "fsGroup": {
              "rule": "[parameters('fsGroupRule')]",
              "ranges": "[parameters('fsGroupRanges').ranges]"
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/f06ddb64-5fa3-4b77-b166-acb36f7f6042",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "f06ddb64-5fa3-4b77-b166-acb36f7f6042"
}
BuiltIn Kubernetes False False n/a n/a audit false 0 n/a true 7 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), Kubernetes cluster pod security restricted standards for Linux-based workloads (/providers/microsoft.authorization/policysetdefinitions/42b8ef37-b724-4e24-bbc8-7a7708edfe00), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Kubernetes cluster pods and containers should only use allowed SELinux options",
    "policyType": "BuiltIn",
    "mode": "Microsoft.Kubernetes.Data",
    "description": "Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
    "metadata": {
      "version": "4.0.0",
      "category": "Kubernetes"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Deny' blocks the non-compliant resource creation or update. 'Disabled' turns off the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedNamespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace exclusions",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "namespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace inclusions",
          "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
        },
        "defaultValue": []
      },
      "labelSelector": {
        "type": "Object",
        "metadata": {
          "displayName": "Kubernetes label selector",
          "description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
        },
        "defaultValue": {},
        "schema": {
          "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
          "type": "object",
          "properties": {
            "matchLabels": {
              "description": "matchLabels is a map of {key,value} pairs.",
              "type": "object",
              "additionalProperties": {
                "type": "string"
              },
              "minProperties": 1
            },
            "matchExpressions": {
              "description": "matchExpressions is a list of values, a key, and an operator.",
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "key": {
                    "description": "key is the label key that the selector applies to.",
                    "type": "string"
                  },
                  "operator": {
                    "description": "operator represents a key's relationship to a set of values.",
                    "type": "string",
                    "enum": [
                      "In",
                      "NotIn",
                      "Exists",
                      "DoesNotExist"
                    ]
                  },
                  "values": {
                    "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
                    "type": "array",
                    "items": {
                      "type": "string"
                    }
                  }
                },
                "required": [
                  "key",
                  "operator"
                ],
                "additionalProperties": false
              },
              "minItems": 1
            }
          },
          "additionalProperties": false
        }
      },
      "allowedSELinuxOptions": {
        "type": "Object",
        "metadata": {
          "displayName": "Allowed SELinux options",
          "description": "The allowed configurations for pod and container level SELinux Options. Provide empty options list as input to block everything."
        },
        "defaultValue": {
          "options": []
        },
        "schema": {
          "type": "object",
          "properties": {
            "options": {
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "level": {
                    "type": "string"
                  },
                  "role": {
                    "type": "string"
                  },
                  "type": {
                    "type": "string"
                  },
                  "user": {
                    "type": "string"
                  }
                },
                "additionalProperties": false
              }
            }
          },
          "required": [
            "options"
          ],
          "additionalProperties": false
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "AKS Engine",
          "Microsoft.Kubernetes/connectedClusters"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "constraintTemplate": "https://store.policy.core.windows.net/kubernetes/selinux/v1/template.yaml",
          "constraint": "https://store.policy.core.windows.net/kubernetes/selinux/v1/constraint.yaml",
          "excludedNamespaces": "[parameters('excludedNamespaces')]",
          "namespaces": "[parameters('namespaces')]",
          "labelSelector": "[parameters('labelSelector')]",
          "values": {
            "allowedSELinuxOptions": "[parameters('allowedSELinuxOptions').options]"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e1e6c427-07d9-46ab-9689-bfa85431e636",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e1e6c427-07d9-46ab-9689-bfa85431e636"
}
BuiltIn Kubernetes False False n/a n/a audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Kubernetes cluster pods should only use allowed volume types",
    "policyType": "BuiltIn",
    "mode": "Microsoft.Kubernetes.Data",
    "description": "Pods can only use allowed volume types in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
    "metadata": {
      "version": "3.0.0",
      "category": "Kubernetes"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Deny' blocks the non-compliant resource creation or update. 'Disabled' turns off the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedNamespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace exclusions",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "namespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace inclusions",
          "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
        },
        "defaultValue": []
      },
      "labelSelector": {
        "type": "Object",
        "metadata": {
          "displayName": "Kubernetes label selector",
          "description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
        },
        "defaultValue": {},
        "schema": {
          "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
          "type": "object",
          "properties": {
            "matchLabels": {
              "description": "matchLabels is a map of {key,value} pairs.",
              "type": "object",
              "additionalProperties": {
                "type": "string"
              },
              "minProperties": 1
            },
            "matchExpressions": {
              "description": "matchExpressions is a list of values, a key, and an operator.",
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "key": {
                    "description": "key is the label key that the selector applies to.",
                    "type": "string"
                  },
                  "operator": {
                    "description": "operator represents a key's relationship to a set of values.",
                    "type": "string",
                    "enum": [
                      "In",
                      "NotIn",
                      "Exists",
                      "DoesNotExist"
                    ]
                  },
                  "values": {
                    "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
                    "type": "array",
                    "items": {
                      "type": "string"
                    }
                  }
                },
                "required": [
                  "key",
                  "operator"
                ],
                "additionalProperties": false
              },
              "minItems": 1
            }
          },
          "additionalProperties": false
        }
      },
      "allowedVolumeTypes": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed volume types",
          "description": "The list of volume types that can be used by a pod. Provide empty list as input to block everything."
        },
        "defaultValue": []
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "AKS Engine",
          "Microsoft.Kubernetes/connectedClusters",
          "Microsoft.ContainerService/managedClusters"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "constraintTemplate": "https://store.policy.core.windows.net/kubernetes/allowed-volume-types/v1/template.yaml",
          "constraint": "https://store.policy.core.windows.net/kubernetes/allowed-volume-types/v1/constraint.yaml",
          "excludedNamespaces": "[parameters('excludedNamespaces')]",
          "namespaces": "[parameters('namespaces')]",
          "labelSelector": "[parameters('labelSelector')]",
          "values": {
            "volumes": "[parameters('allowedVolumeTypes')]"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/16697877-1118-4fb1-9b65-9898ec2509ec",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "16697877-1118-4fb1-9b65-9898ec2509ec"
}
BuiltIn Kubernetes False False n/a n/a audit false 0 n/a true 1 Kubernetes cluster pod security restricted standards for Linux-based workloads (/providers/microsoft.authorization/policysetdefinitions/42b8ef37-b724-4e24-bbc8-7a7708edfe00) n/a
{
  "properties": {
    "displayName": "Kubernetes cluster pods should only use approved host network and port range",
    "policyType": "BuiltIn",
    "mode": "Microsoft.Kubernetes.Data",
    "description": "Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
    "metadata": {
      "version": "3.0.0",
      "category": "Kubernetes"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Deny' blocks the non-compliant resource creation or update. 'Disabled' turns off the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedNamespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace exclusions",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "namespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace inclusions",
          "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
        },
        "defaultValue": []
      },
      "labelSelector": {
        "type": "Object",
        "metadata": {
          "displayName": "Kubernetes label selector",
          "description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
        },
        "defaultValue": {},
        "schema": {
          "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
          "type": "object",
          "properties": {
            "matchLabels": {
              "description": "matchLabels is a map of {key,value} pairs.",
              "type": "object",
              "additionalProperties": {
                "type": "string"
              },
              "minProperties": 1
            },
            "matchExpressions": {
              "description": "matchExpressions is a list of values, a key, and an operator.",
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "key": {
                    "description": "key is the label key that the selector applies to.",
                    "type": "string"
                  },
                  "operator": {
                    "description": "operator represents a key's relationship to a set of values.",
                    "type": "string",
                    "enum": [
                      "In",
                      "NotIn",
                      "Exists",
                      "DoesNotExist"
                    ]
                  },
                  "values": {
                    "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
                    "type": "array",
                    "items": {
                      "type": "string"
                    }
                  }
                },
                "required": [
                  "key",
                  "operator"
                ],
                "additionalProperties": false
              },
              "minItems": 1
            }
          },
          "additionalProperties": false
        }
      },
      "allowHostNetwork": {
        "type": "Boolean",
        "metadata": {
          "displayName": "Allow host network usage",
          "description": "Set this value to true if pod is allowed to use host network otherwise false."
        },
        "defaultValue": false
      },
      "minPort": {
        "type": "Integer",
        "metadata": {
          "displayName": "Min host port",
          "description": "The minimum value in the allowable host port range that pods can use in the host network namespace."
        },
        "defaultValue": 0
      },
      "maxPort": {
        "type": "Integer",
        "metadata": {
          "displayName": "Max host port",
          "description": "The maximum value in the allowable host port range that pods can use in the host network namespace."
        },
        "defaultValue": 0
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "AKS Engine",
          "Microsoft.Kubernetes/connectedClusters",
          "Microsoft.ContainerService/managedClusters"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "constraintTemplate": "https://store.policy.core.windows.net/kubernetes/host-network-ports/v1/template.yaml",
          "constraint": "https://store.policy.core.windows.net/kubernetes/host-network-ports/v1/constraint.yaml",
          "excludedNamespaces": "[parameters('excludedNamespaces')]",
          "namespaces": "[parameters('namespaces')]",
          "labelSelector": "[parameters('labelSelector')]",
          "values": {
            "allowHostNetwork": "[parameters('allowHostNetwork')]",
            "minPort": "[parameters('minPort')]",
            "maxPort": "[parameters('maxPort')]"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/82985f06-dc18-4a48-bc1c-b9f4f0098cfe",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "82985f06-dc18-4a48-bc1c-b9f4f0098cfe"
}
BuiltIn Kubernetes False False n/a n/a audit false 0 n/a true 9 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), Kubernetes cluster pod security restricted standards for Linux-based workloads (/providers/microsoft.authorization/policysetdefinitions/42b8ef37-b724-4e24-bbc8-7a7708edfe00), Kubernetes cluster pod security baseline standards for Linux-based workloads (/providers/microsoft.authorization/policysetdefinitions/a8640138-9b0a-4a28-b8cb-1666c838647d), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Kubernetes cluster pods should use specified labels",
    "policyType": "BuiltIn",
    "mode": "Microsoft.Kubernetes.Data",
    "description": "Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
    "metadata": {
      "version": "6.0.0",
      "category": "Kubernetes"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "deny"
      },
      "excludedNamespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace exclusions",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "namespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace inclusions",
          "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
        },
        "defaultValue": []
      },
      "labelSelector": {
        "type": "Object",
        "metadata": {
          "displayName": "Kubernetes label selector",
          "description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
        },
        "defaultValue": {},
        "schema": {
          "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
          "type": "object",
          "properties": {
            "matchLabels": {
              "description": "matchLabels is a map of {key,value} pairs.",
              "type": "object",
              "additionalProperties": {
                "type": "string"
              },
              "minProperties": 1
            },
            "matchExpressions": {
              "description": "matchExpressions is a list of values, a key, and an operator.",
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "key": {
                    "description": "key is the label key that the selector applies to.",
                    "type": "string"
                  },
                  "operator": {
                    "description": "operator represents a key's relationship to a set of values.",
                    "type": "string",
                    "enum": [
                      "In",
                      "NotIn",
                      "Exists",
                      "DoesNotExist"
                    ]
                  },
                  "values": {
                    "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
                    "type": "array",
                    "items": {
                      "type": "string"
                    }
                  }
                },
                "required": [
                  "key",
                  "operator"
                ],
                "additionalProperties": false
              },
              "minItems": 1
            }
          },
          "additionalProperties": false
        }
      },
      "labelsList": {
        "type": "Array",
        "metadata": {
          "displayName": "List of labels",
          "description": "The list of labels to be specified on Pods in a Kubernetes cluster."
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "AKS Engine",
          "Microsoft.Kubernetes/connectedClusters",
          "Microsoft.ContainerService/managedClusters"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "constraintTemplate": "https://store.policy.core.windows.net/kubernetes/pod-enforce-labels/v1/template.yaml",
          "constraint": "https://store.policy.core.windows.net/kubernetes/pod-enforce-labels/v1/constraint.yaml",
          "excludedNamespaces": "[parameters('excludedNamespaces')]",
          "namespaces": "[parameters('namespaces')]",
          "labelSelector": "[parameters('labelSelector')]",
          "values": {
            "labels": "[parameters('labelsList')]"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/46592696-4c7b-4bf3-9e45-6c2763bdc0a6",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "46592696-4c7b-4bf3-9e45-6c2763bdc0a6"
}
BuiltIn Kubernetes False False n/a n/a deny false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Kubernetes cluster services should listen only on allowed ports",
    "policyType": "BuiltIn",
    "mode": "Microsoft.Kubernetes.Data",
    "description": "Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
    "metadata": {
      "version": "6.1.1",
      "category": "Kubernetes"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "deny"
      },
      "excludedNamespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace exclusions",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "namespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace inclusions",
          "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
        },
        "defaultValue": []
      },
      "labelSelector": {
        "type": "Object",
        "metadata": {
          "displayName": "Kubernetes label selector",
          "description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
        },
        "defaultValue": {},
        "schema": {
          "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
          "type": "object",
          "properties": {
            "matchLabels": {
              "description": "matchLabels is a map of {key,value} pairs.",
              "type": "object",
              "additionalProperties": {
                "type": "string"
              },
              "minProperties": 1
            },
            "matchExpressions": {
              "description": "matchExpressions is a list of values, a key, and an operator.",
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "key": {
                    "description": "key is the label key that the selector applies to.",
                    "type": "string"
                  },
                  "operator": {
                    "description": "operator represents a key's relationship to a set of values.",
                    "type": "string",
                    "enum": [
                      "In",
                      "NotIn",
                      "Exists",
                      "DoesNotExist"
                    ]
                  },
                  "values": {
                    "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
                    "type": "array",
                    "items": {
                      "type": "string"
                    }
                  }
                },
                "required": [
                  "key",
                  "operator"
                ],
                "additionalProperties": false
              },
              "minItems": 1
            }
          },
          "additionalProperties": false
        }
      },
      "allowedServicePortsList": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed service ports list",
          "description": "The list of service ports allowed in a Kubernetes cluster. Array only accepts strings. Example: [\"443\", \"80\"]"
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "AKS Engine",
          "Microsoft.Kubernetes/connectedClusters",
          "Microsoft.ContainerService/managedClusters"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "constraintTemplate": "https://store.policy.core.windows.net/kubernetes/service-allowed-ports/v1/template.yaml",
          "constraint": "https://store.policy.core.windows.net/kubernetes/service-allowed-ports/v1/constraint.yaml",
          "excludedNamespaces": "[parameters('excludedNamespaces')]",
          "namespaces": "[parameters('namespaces')]",
          "labelSelector": "[parameters('labelSelector')]",
          "values": {
            "allowedServicePorts": "[parameters('allowedServicePortsList')]",
            "allowedPorts": "[parameters('allowedServicePortsList')]"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/233a2a17-77ca-4fb1-9b6b-69223d272a44",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "233a2a17-77ca-4fb1-9b6b-69223d272a44"
}
BuiltIn Kubernetes False False n/a n/a deny false 0 n/a true 6 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Kubernetes cluster services should only use allowed external IPs",
    "policyType": "BuiltIn",
    "mode": "Microsoft.Kubernetes.Data",
    "description": "Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc.",
    "metadata": {
      "version": "3.0.0",
      "category": "Kubernetes"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Deny' blocks the non-compliant resource creation or update. 'Disabled' turns off the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedNamespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace exclusions",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation. Providing a value for this parameter is optional."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "namespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace inclusions",
          "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
        },
        "defaultValue": []
      },
      "labelSelector": {
        "type": "Object",
        "metadata": {
          "displayName": "Kubernetes label selector",
          "description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
        },
        "defaultValue": {},
        "schema": {
          "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
          "type": "object",
          "properties": {
            "matchLabels": {
              "description": "matchLabels is a map of {key,value} pairs.",
              "type": "object",
              "additionalProperties": {
                "type": "string"
              },
              "minProperties": 1
            },
            "matchExpressions": {
              "description": "matchExpressions is a list of values, a key, and an operator.",
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "key": {
                    "description": "key is the label key that the selector applies to.",
                    "type": "string"
                  },
                  "operator": {
                    "description": "operator represents a key's relationship to a set of values.",
                    "type": "string",
                    "enum": [
                      "In",
                      "NotIn",
                      "Exists",
                      "DoesNotExist"
                    ]
                  },
                  "values": {
                    "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
                    "type": "array",
                    "items": {
                      "type": "string"
                    }
                  }
                },
                "required": [
                  "key",
                  "operator"
                ],
                "additionalProperties": false
              },
              "minItems": 1
            }
          },
          "additionalProperties": false
        }
      },
      "allowedExternalIPs": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed External IPs",
          "description": "List of External IPs that services are allowed to use. Empty array means all external IPs are disallowed."
        },
        "defaultValue": []
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "AKS Engine",
          "Microsoft.Kubernetes/connectedClusters",
          "Microsoft.ContainerService/managedClusters"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "constraintTemplate": "https://store.policy.core.windows.net/kubernetes/allowed-external-ips/v1/template.yaml",
          "constraint": "https://store.policy.core.windows.net/kubernetes/allowed-external-ips/v1/constraint.yaml",
          "excludedNamespaces": "[parameters('excludedNamespaces')]",
          "namespaces": "[parameters('namespaces')]",
          "labelSelector": "[parameters('labelSelector')]",
          "values": {
            "allowedExternalIPs": "[parameters('allowedExternalIPs')]"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/d46c275d-1680-448d-b2ec-e495a3b6cc89",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "d46c275d-1680-448d-b2ec-e495a3b6cc89"
}
BuiltIn Kubernetes False False n/a n/a audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Kubernetes cluster should not allow privileged containers",
    "policyType": "BuiltIn",
    "mode": "Microsoft.Kubernetes.Data",
    "description": "Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
    "metadata": {
      "version": "7.0.0",
      "category": "Kubernetes"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "deny"
      },
      "excludedNamespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace exclusions",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "namespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace inclusions",
          "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
        },
        "defaultValue": []
      },
      "labelSelector": {
        "type": "Object",
        "metadata": {
          "displayName": "Kubernetes label selector",
          "description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
        },
        "defaultValue": {},
        "schema": {
          "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
          "type": "object",
          "properties": {
            "matchLabels": {
              "description": "matchLabels is a map of {key,value} pairs.",
              "type": "object",
              "additionalProperties": {
                "type": "string"
              },
              "minProperties": 1
            },
            "matchExpressions": {
              "description": "matchExpressions is a list of values, a key, and an operator.",
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "key": {
                    "description": "key is the label key that the selector applies to.",
                    "type": "string"
                  },
                  "operator": {
                    "description": "operator represents a key's relationship to a set of values.",
                    "type": "string",
                    "enum": [
                      "In",
                      "NotIn",
                      "Exists",
                      "DoesNotExist"
                    ]
                  },
                  "values": {
                    "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
                    "type": "array",
                    "items": {
                      "type": "string"
                    }
                  }
                },
                "required": [
                  "key",
                  "operator"
                ],
                "additionalProperties": false
              },
              "minItems": 1
            }
          },
          "additionalProperties": false
        }
      },
      "excludedContainers": {
        "type": "Array",
        "metadata": {
          "displayName": "Containers exclusions",
          "description": "The list of InitContainers and Containers to exclude from policy evaluation. The identify is the name of container. Use an empty list to apply this policy to all containers in all namespaces."
        },
        "defaultValue": []
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "AKS Engine",
          "Microsoft.Kubernetes/connectedClusters",
          "Microsoft.ContainerService/managedClusters"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "constraintTemplate": "https://store.policy.core.windows.net/kubernetes/container-no-privilege/v1/template.yaml",
          "constraint": "https://store.policy.core.windows.net/kubernetes/container-no-privilege/v1/constraint.yaml",
          "excludedNamespaces": "[parameters('excludedNamespaces')]",
          "namespaces": "[parameters('namespaces')]",
          "labelSelector": "[parameters('labelSelector')]",
          "values": {
            "excludedContainers": "[parameters('excludedContainers')]"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "95edb821-ddaf-4404-9732-666045e056b4"
}
BuiltIn Kubernetes False False n/a n/a deny true 1 /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-privileged-aks (Deny-Privileged-Containers-AKS) true 8 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), Kubernetes cluster pod security restricted standards for Linux-based workloads (/providers/microsoft.authorization/policysetdefinitions/42b8ef37-b724-4e24-bbc8-7a7708edfe00), Kubernetes cluster pod security baseline standards for Linux-based workloads (/providers/microsoft.authorization/policysetdefinitions/a8640138-9b0a-4a28-b8cb-1666c838647d), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Kubernetes clusters should be accessible only over HTTPS",
    "policyType": "BuiltIn",
    "mode": "Microsoft.Kubernetes.Data",
    "description": "Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc",
    "metadata": {
      "version": "6.0.0",
      "category": "Kubernetes"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "deny"
      },
      "excludedNamespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace exclusions",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "namespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace inclusions",
          "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
        },
        "defaultValue": []
      },
      "labelSelector": {
        "type": "Object",
        "metadata": {
          "displayName": "Kubernetes label selector",
          "description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
        },
        "defaultValue": {},
        "schema": {
          "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
          "type": "object",
          "properties": {
            "matchLabels": {
              "description": "matchLabels is a map of {key,value} pairs.",
              "type": "object",
              "additionalProperties": {
                "type": "string"
              },
              "minProperties": 1
            },
            "matchExpressions": {
              "description": "matchExpressions is a list of values, a key, and an operator.",
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "key": {
                    "description": "key is the label key that the selector applies to.",
                    "type": "string"
                  },
                  "operator": {
                    "description": "operator represents a key's relationship to a set of values.",
                    "type": "string",
                    "enum": [
                      "In",
                      "NotIn",
                      "Exists",
                      "DoesNotExist"
                    ]
                  },
                  "values": {
                    "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
                    "type": "array",
                    "items": {
                      "type": "string"
                    }
                  }
                },
                "required": [
                  "key",
                  "operator"
                ],
                "additionalProperties": false
              },
              "minItems": 1
            }
          },
          "additionalProperties": false
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "AKS Engine",
          "Microsoft.Kubernetes/connectedClusters",
          "Microsoft.ContainerService/managedClusters"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "constraintTemplate": "https://store.policy.core.windows.net/kubernetes/ingress-https-only/v1/template.yaml",
          "constraint": "https://store.policy.core.windows.net/kubernetes/ingress-https-only/v1/constraint.yaml",
          "excludedNamespaces": "[parameters('excludedNamespaces')]",
          "namespaces": "[parameters('namespaces')]",
          "labelSelector": "[parameters('labelSelector')]"
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d"
}
BuiltIn Kubernetes False False n/a n/a deny true 1 /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/enforce-aks-https (Enforce-Https-Ingress-AKS) true 6 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Kubernetes clusters should not allow container privilege escalation",
    "policyType": "BuiltIn",
    "mode": "Microsoft.Kubernetes.Data",
    "description": "Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
    "metadata": {
      "version": "3.0.0",
      "category": "Kubernetes"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Deny' blocks the non-compliant resource creation or update. 'Disabled' turns off the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedNamespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace exclusions",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "namespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace inclusions",
          "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
        },
        "defaultValue": []
      },
      "labelSelector": {
        "type": "Object",
        "metadata": {
          "displayName": "Kubernetes label selector",
          "description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
        },
        "defaultValue": {},
        "schema": {
          "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
          "type": "object",
          "properties": {
            "matchLabels": {
              "description": "matchLabels is a map of {key,value} pairs.",
              "type": "object",
              "additionalProperties": {
                "type": "string"
              },
              "minProperties": 1
            },
            "matchExpressions": {
              "description": "matchExpressions is a list of values, a key, and an operator.",
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "key": {
                    "description": "key is the label key that the selector applies to.",
                    "type": "string"
                  },
                  "operator": {
                    "description": "operator represents a key's relationship to a set of values.",
                    "type": "string",
                    "enum": [
                      "In",
                      "NotIn",
                      "Exists",
                      "DoesNotExist"
                    ]
                  },
                  "values": {
                    "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
                    "type": "array",
                    "items": {
                      "type": "string"
                    }
                  }
                },
                "required": [
                  "key",
                  "operator"
                ],
                "additionalProperties": false
              },
              "minItems": 1
            }
          },
          "additionalProperties": false
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "AKS Engine",
          "Microsoft.Kubernetes/connectedClusters",
          "Microsoft.ContainerService/managedClusters"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "constraintTemplate": "https://store.policy.core.windows.net/kubernetes/container-no-privilege-escalation/v1/template.yaml",
          "constraint": "https://store.policy.core.windows.net/kubernetes/container-no-privilege-escalation/v1/constraint.yaml",
          "excludedNamespaces": "[parameters('excludedNamespaces')]",
          "namespaces": "[parameters('namespaces')]",
          "labelSelector": "[parameters('labelSelector')]"
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "1c6e92c9-99f0-4e55-9cf2-0c234dc48f99"
}
BuiltIn Kubernetes False False n/a n/a audit true 1 /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-priv-esc-aks (Deny-Privileged-Escalations-AKS) true 7 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), Kubernetes cluster pod security restricted standards for Linux-based workloads (/providers/microsoft.authorization/policysetdefinitions/42b8ef37-b724-4e24-bbc8-7a7708edfe00), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Kubernetes clusters should use internal load balancers",
    "policyType": "BuiltIn",
    "mode": "Microsoft.Kubernetes.Data",
    "description": "Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc.",
    "metadata": {
      "version": "6.0.0",
      "category": "Kubernetes"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "deny"
      },
      "excludedNamespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace exclusions",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "namespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace inclusions",
          "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
        },
        "defaultValue": []
      },
      "labelSelector": {
        "type": "Object",
        "metadata": {
          "displayName": "Kubernetes label selector",
          "description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
        },
        "defaultValue": {},
        "schema": {
          "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
          "type": "object",
          "properties": {
            "matchLabels": {
              "description": "matchLabels is a map of {key,value} pairs.",
              "type": "object",
              "additionalProperties": {
                "type": "string"
              },
              "minProperties": 1
            },
            "matchExpressions": {
              "description": "matchExpressions is a list of values, a key, and an operator.",
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "key": {
                    "description": "key is the label key that the selector applies to.",
                    "type": "string"
                  },
                  "operator": {
                    "description": "operator represents a key's relationship to a set of values.",
                    "type": "string",
                    "enum": [
                      "In",
                      "NotIn",
                      "Exists",
                      "DoesNotExist"
                    ]
                  },
                  "values": {
                    "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
                    "type": "array",
                    "items": {
                      "type": "string"
                    }
                  }
                },
                "required": [
                  "key",
                  "operator"
                ],
                "additionalProperties": false
              },
              "minItems": 1
            }
          },
          "additionalProperties": false
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "AKS Engine",
          "Microsoft.ContainerService/managedClusters"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "constraintTemplate": "https://store.policy.core.windows.net/kubernetes/load-balancer-no-public-ips/v1/template.yaml",
          "constraint": "https://store.policy.core.windows.net/kubernetes/load-balancer-no-public-ips/v1/constraint.yaml",
          "excludedNamespaces": "[parameters('excludedNamespaces')]",
          "namespaces": "[parameters('namespaces')]",
          "labelSelector": "[parameters('labelSelector')]"
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e"
}
BuiltIn Kubernetes False False n/a n/a deny false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+",
    "metadata": {
      "version": "1.0.2",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ContainerService/managedClusters"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.ContainerService/managedClusters/kubernetesVersion",
                "in": [
                  "1.13.4",
                  "1.13.3",
                  "1.13.2",
                  "1.13.1",
                  "1.13.0"
                ]
              },
              {
                "field": "Microsoft.ContainerService/managedClusters/kubernetesVersion",
                "in": [
                  "1.12.6",
                  "1.12.5",
                  "1.12.4",
                  "1.12.3",
                  "1.12.2",
                  "1.12.1",
                  "1.12.0"
                ]
              },
              {
                "field": "Microsoft.ContainerService/managedClusters/kubernetesVersion",
                "in": [
                  "1.11.8",
                  "1.11.7",
                  "1.11.6",
                  "1.11.5",
                  "1.11.4",
                  "1.11.3",
                  "1.11.2",
                  "1.11.1",
                  "1.11.0"
                ]
              },
              {
                "field": "Microsoft.ContainerService/managedClusters/kubernetesVersion",
                "Like": "1.10.*"
              },
              {
                "field": "Microsoft.ContainerService/managedClusters/kubernetesVersion",
                "Like": "1.9.*"
              },
              {
                "field": "Microsoft.ContainerService/managedClusters/kubernetesVersion",
                "Like": "1.8.*"
              },
              {
                "field": "Microsoft.ContainerService/managedClusters/kubernetesVersion",
                "Like": "1.7.*"
              },
              {
                "field": "Microsoft.ContainerService/managedClusters/kubernetesVersion",
                "Like": "1.6.*"
              },
              {
                "field": "Microsoft.ContainerService/managedClusters/kubernetesVersion",
                "Like": "1.5.*"
              },
              {
                "field": "Microsoft.ContainerService/managedClusters/kubernetesVersion",
                "Like": "1.4.*"
              },
              {
                "field": "Microsoft.ContainerService/managedClusters/kubernetesVersion",
                "Like": "1.3.*"
              },
              {
                "field": "Microsoft.ContainerService/managedClusters/kubernetesVersion",
                "Like": "1.2.*"
              },
              {
                "field": "Microsoft.ContainerService/managedClusters/kubernetesVersion",
                "Like": "1.1.*"
              },
              {
                "field": "Microsoft.ContainerService/managedClusters/kubernetesVersion",
                "Like": "1.0.*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "fb893a29-21bb-418c-a157-e99480ec364c"
}
BuiltIn Security Center False False n/a n/a Audit false 0 n/a true 9 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Latest TLS version should be used in your API App",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Upgrade to the latest TLS version",
    "metadata": {
      "version": "1.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "*api"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "name": "web",
          "existenceCondition": {
            "field": "Microsoft.Web/sites/config/minTlsVersion",
            "equals": "1.2"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e"
}
BuiltIn App Service False False n/a n/a AuditIfNotExists false 0 n/a true 15 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Latest TLS version should be used in your Function App",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Upgrade to the latest TLS version",
    "metadata": {
      "version": "1.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "functionapp*"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "name": "web",
          "existenceCondition": {
            "field": "Microsoft.Web/sites/config/minTlsVersion",
            "equals": "1.2"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "f9d614c5-c173-4d56-95a7-b4437057d193"
}
BuiltIn App Service False False n/a n/a AuditIfNotExists false 0 n/a true 15 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Latest TLS version should be used in your Web App",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Upgrade to the latest TLS version",
    "metadata": {
      "version": "1.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "app*"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "name": "web",
          "existenceCondition": {
            "field": "Microsoft.Web/sites/config/minTlsVersion",
            "equals": "1.2"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b"
}
BuiltIn App Service False False n/a n/a AuditIfNotExists false 0 n/a true 15 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Linux machines should only have local accounts that are allowed",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "1.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "LocalUsers_Linux",
        "version": "1.*",
        "configurationParameter": {
          "Allowed": "[LocalUser]Accounts;Exclude"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "Allowed": {
        "type": "String",
        "metadata": {
          "displayName": "Allowed local accounts",
          "description": "List the name of accounts that should be excluded, seperated by a semicolon (';'). If these accounts exist and are enabled, they will be identified as Compliant."
        },
        "defaultValue": ""
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "microsoft-aks",
                      "qubole-inc",
                      "datastax",
                      "couchbase",
                      "scalegrid",
                      "checkpoint",
                      "paloaltonetworks",
                      "debian"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "OpenLogic"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "CentOS*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Oracle"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "Oracle-Linux"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "RedHat"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "RHEL",
                          "RHEL-HA",
                          "RHEL-SAP",
                          "RHEL-SAP-APPS",
                          "RHEL-SAP-HA",
                          "RHEL-SAP-HANA"
                        ]
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "RedHat"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "osa",
                          "rhel-byos"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "cis-centos-7-l1",
                          "cis-centos-7-v2-1-1-l1",
                          "cis-centos-8-l1",
                          "cis-debian-linux-8-l1",
                          "cis-debian-linux-9-l1",
                          "cis-nginx-centos-7-v1-1-0-l1",
                          "cis-oracle-linux-7-v2-0-0-l1",
                          "cis-oracle-linux-8-l1",
                          "cis-postgresql-11-centos-linux-7-level-1",
                          "cis-rhel-7-l2",
                          "cis-rhel-7-v2-2-0-l1",
                          "cis-rhel-8-l1",
                          "cis-suse-linux-12-v2-0-0-l1",
                          "cis-ubuntu-linux-1604-v1-0-0-l1",
                          "cis-ubuntu-linux-1804-l1"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "credativ"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "Debian"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "7*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Suse"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "SLES*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "11*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Canonical"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "UbuntuServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "12*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "linux-data-science-vm-ubuntu",
                          "azureml"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloudera"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "cloudera-centos-os"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloudera"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "cloudera-altus-centos-os"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "linux*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Linux*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "exists": "false"
                          },
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "notIn": [
                              "OpenLogic",
                              "RedHat",
                              "credativ",
                              "Suse",
                              "Canonical",
                              "microsoft-dsvm",
                              "cloudera",
                              "microsoft-ads",
                              "center-for-internet-security-inc",
                              "Oracle"
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "linux*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "LocalUsers_Linux",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('[LocalUser]Accounts;Exclude', '=', parameters('Allowed')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/73db37c4-f180-4b0f-ab2c-8ee96467686b",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "73db37c4-f180-4b0f-ab2c-8ee96467686b"
}
BuiltIn Guest Configuration False False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Log Analytics agent health issues should be resolved on your machines",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). To make sure your virtual machines are successfully monitored, you need to make sure the agent is installed on the virtual machines and properly collects security events to the configured workspace.",
    "metadata": {
      "version": "1.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "Microsoft.ClassicCompute/virtualMachines",
          "Microsoft.Compute/virtualMachines"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "8e2b96ff-3de2-289b-b5c1-3b9921a3441e",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/d62cfe2b-3ab0-4d41-980d-76803b58ca65",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "d62cfe2b-3ab0-4d41-980d-76803b58ca65"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 7 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Log Analytics agent should be enabled in virtual machine scale sets for listed virtual machine images",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the agent is not installed.",
    "metadata": {
      "version": "2.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "listOfImageIdToInclude_windows": {
        "type": "Array",
        "metadata": {
          "displayName": "Optional: List of virtual machine images that have supported Windows OS to add to scope",
          "description": "Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'"
        },
        "defaultValue": []
      },
      "listOfImageIdToInclude_linux": {
        "type": "Array",
        "metadata": {
          "displayName": "Optional: List of virtual machine images that have supported Linux OS to add to scope",
          "description": "Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'"
        },
        "defaultValue": []
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachineScaleSets"
          },
          {
            "not": {
              "anyOf": [
                {
                  "field": "Microsoft.Compute/imageId",
                  "in": "[parameters('listOfImageIdToInclude_windows')]"
                },
                {
                  "field": "Microsoft.Compute/imageId",
                  "in": "[parameters('listOfImageIdToInclude_linux')]"
                },
                {
                  "anyOf": [
                    {
                      "allOf": [
                        {
                          "field": "Microsoft.Compute/imagePublisher",
                          "equals": "MicrosoftWindowsServer"
                        },
                        {
                          "field": "Microsoft.Compute/imageOffer",
                          "equals": "WindowsServer"
                        },
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "in": [
                            "2008-R2-SP1",
                            "2008-R2-SP1-smalldisk",
                            "2012-Datacenter",
                            "2012-Datacenter-smalldisk",
                            "2012-R2-Datacenter",
                            "2012-R2-Datacenter-smalldisk",
                            "2016-Datacenter",
                            "2016-Datacenter-Server-Core",
                            "2016-Datacenter-Server-Core-smalldisk",
                            "2016-Datacenter-smalldisk",
                            "2016-Datacenter-with-Containers",
                            "2016-Datacenter-with-RDSH",
                            "2019-Datacenter",
                            "2019-Datacenter-Core",
                            "2019-Datacenter-Core-smalldisk",
                            "2019-Datacenter-Core-with-Containers",
                            "2019-Datacenter-Core-with-Containers-smalldisk",
                            "2019-Datacenter-smalldisk",
                            "2019-Datacenter-with-Containers",
                            "2019-Datacenter-with-Containers-smalldisk",
                            "2019-Datacenter-zhcn"
                          ]
                        }
                      ]
                    },
                    {
                      "allOf": [
                        {
                          "field": "Microsoft.Compute/imagePublisher",
                          "equals": "MicrosoftWindowsServer"
                        },
                        {
                          "field": "Microsoft.Compute/imageOffer",
                          "equals": "WindowsServerSemiAnnual"
                        },
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "in": [
                            "Datacenter-Core-1709-smalldisk",
                            "Datacenter-Core-1709-with-Containers-smalldisk",
                            "Datacenter-Core-1803-with-Containers-smalldisk"
                          ]
                        }
                      ]
                    },
                    {
                      "allOf": [
                        {
                          "field": "Microsoft.Compute/imagePublisher",
                          "equals": "MicrosoftWindowsServerHPCPack"
                        },
                        {
                          "field": "Microsoft.Compute/imageOffer",
                          "equals": "WindowsServerHPCPack"
                        }
                      ]
                    },
                    {
                      "allOf": [
                        {
                          "field": "Microsoft.Compute/imagePublisher",
                          "equals": "MicrosoftSQLServer"
                        },
                        {
                          "anyOf": [
                            {
                              "field": "Microsoft.Compute/imageOffer",
                              "like": "*-WS2016"
                            },
                            {
                              "field": "Microsoft.Compute/imageOffer",
                              "like": "*-WS2016-BYOL"
                            },
                            {
                              "field": "Microsoft.Compute/imageOffer",
                              "like": "*-WS2012R2"
                            },
                            {
                              "field": "Microsoft.Compute/imageOffer",
                              "like": "*-WS2012R2-BYOL"
                            }
                          ]
                        }
                      ]
                    },
                    {
                      "allOf": [
                        {
                          "field": "Microsoft.Compute/imagePublisher",
                          "equals": "MicrosoftRServer"
                        },
                        {
                          "field": "Microsoft.Compute/imageOffer",
                          "equals": "MLServer-WS2016"
                        }
                      ]
                    },
                    {
                      "allOf": [
                        {
                          "field": "Microsoft.Compute/imagePublisher",
                          "equals": "MicrosoftVisualStudio"
                        },
                        {
                          "field": "Microsoft.Compute/imageOffer",
                          "in": [
                            "VisualStudio",
                            "Windows"
                          ]
                        }
                      ]
                    },
                    {
                      "allOf": [
                        {
                          "field": "Microsoft.Compute/imagePublisher",
                          "equals": "MicrosoftDynamicsAX"
                        },
                        {
                          "field": "Microsoft.Compute/imageOffer",
                          "equals": "Dynamics"
                        },
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "equals": "Pre-Req-AX7-Onebox-U8"
                        }
                      ]
                    },
                    {
                      "allOf": [
                        {
                          "field": "Microsoft.Compute/imagePublisher",
                          "equals": "MicrosoftDynamicsAX"
                        },
                        {
                          "field": "Microsoft.Compute/imageOffer",
                          "equals": "Dynamics"
                        },
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "equals": "Pre-Req-AX7-Onebox-V4"
                        }
                      ]
                    },
                    {
                      "allOf": [
                        {
                          "field": "Microsoft.Compute/imagePublisher",
                          "equals": "microsoft-ads"
                        },
                        {
                          "field": "Microsoft.Compute/imageOffer",
                          "equals": "windows-data-science-vm"
                        }
                      ]
                    },
                    {
                      "allOf": [
                        {
                          "field": "Microsoft.Compute/imagePublisher",
                          "equals": "MicrosoftWindowsDesktop"
                        },
                        {
                          "field": "Microsoft.Compute/imageOffer",
                          "equals": "Windows-10"
                        }
                      ]
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "RedHat"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "in": [
                        "RHEL",
                        "RHEL-SAP-HANA"
                      ]
                    },
                    {
                      "anyOf": [
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "like": "6.*"
                        },
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "like": "7*"
                        }
                      ]
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "SUSE"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "in": [
                        "SLES",
                        "SLES-HPC",
                        "SLES-HPC-Priority",
                        "SLES-SAP",
                        "SLES-SAP-BYOS",
                        "SLES-Priority",
                        "SLES-BYOS",
                        "SLES-SAPCAL",
                        "SLES-Standard"
                      ]
                    },
                    {
                      "anyOf": [
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "like": "12*"
                        }
                      ]
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "Canonical"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "equals": "UbuntuServer"
                    },
                    {
                      "anyOf": [
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "like": "14.04*LTS"
                        },
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "like": "16.04*LTS"
                        },
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "like": "18.04*LTS"
                        }
                      ]
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "Oracle"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "equals": "Oracle-Linux"
                    },
                    {
                      "anyOf": [
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "like": "6.*"
                        },
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "like": "7.*"
                        }
                      ]
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "OpenLogic"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "in": [
                        "CentOS",
                        "Centos-LVM",
                        "CentOS-SRIOV"
                      ]
                    },
                    {
                      "anyOf": [
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "like": "6.*"
                        },
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "like": "7*"
                        }
                      ]
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "cloudera"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "equals": "cloudera-centos-os"
                    },
                    {
                      "field": "Microsoft.Compute/imageSKU",
                      "like": "7*"
                    }
                  ]
                }
              ]
            }
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Compute/virtualMachineScaleSets/extensions",
          "existenceCondition": {
            "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/publisher",
            "equals": "Microsoft.EnterpriseCloud.Monitoring"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138"
}
BuiltIn Monitoring False False n/a n/a AuditIfNotExists false 0 n/a true 8 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), Enable Azure Monitor for Virtual Machine Scale Sets (/providers/microsoft.authorization/policysetdefinitions/75714362-cae7-409e-9b99-a8e5075b7fad), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a) n/a
{
  "properties": {
    "displayName": "Log Analytics agent should be installed on your Cloud Services (extended support) role instances",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Security Center collects data from your Cloud Services (extended support) role instances to monitor for security vulnerabilities and threats.",
    "metadata": {
      "version": "2.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Compute/cloudServices"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "45cfe080-ceb1-a91e-9743-71551ed24e94",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/15fdbc87-8a47-4ee9-a2aa-9a2ea1f37554",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "15fdbc87-8a47-4ee9-a2aa-9a2ea1f37554"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",
    "metadata": {
      "version": "1.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "Microsoft.ClassicCompute/virtualMachines",
          "Microsoft.Compute/virtualMachines"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "d1db3318-01ff-16de-29eb-28b344515626",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "a4fe33eb-e377-4efb-ab31-0784311bc499"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 6 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats.",
    "metadata": {
      "version": "1.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "Microsoft.Compute/virtualMachineScaleSets"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "45cfe080-ceb1-a91e-9743-71551ed24e94",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "a3a6ea0c-e018-4933-9ef0-5aaa1501449b"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 6 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Log Analytics workspaces should block log ingestion and querying from public networks",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Improve workspace security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs on this workspace. Learn more at https://aka.ms/AzMonPrivateLink#configure-log-analytics.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The effect determines what happens when the policy rule is evaluated to match"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.OperationalInsights/workspaces"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.OperationalInsights/workspaces/publicNetworkAccessForIngestion",
                "notEquals": "disabled"
              },
              {
                "field": "Microsoft.OperationalInsights/workspaces/publicNetworkAccessForQuery",
                "notEquals": "disabled"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/6c53d030-cc64-46f0-906d-2bc061cd1334",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "6c53d030-cc64-46f0-906d-2bc061cd1334"
}
BuiltIn Monitoring False False n/a n/a audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Log Analytics Workspaces should block non-Azure Active Directory based ingestion.",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Enforcing log ingestion to require Azure Active Directory authentication prevents unauthenticated logs from an attacker which could lead to incorrect status, false alerts, and incorrect logs stored in the system.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Deny",
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.OperationalInsights/workspaces"
          },
          {
            "field": "Microsoft.OperationalInsights/workspaces/features.disableLocalAuth",
            "notEquals": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e15effd4-2278-4c65-a0da-4d6f6d1890e2",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e15effd4-2278-4c65-a0da-4d6f6d1890e2"
}
BuiltIn Monitoring False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Log checkpoints should be enabled for PostgreSQL database servers",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy helps audit any PostgreSQL databases in your environment without log_checkpoints setting enabled.",
    "metadata": {
      "version": "1.0.0",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.DBforPostgreSQL/servers"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.DBforPostgreSQL/servers/configurations",
          "name": "log_checkpoints",
          "existenceCondition": {
            "field": "Microsoft.DBforPostgreSQL/servers/configurations/value",
            "equals": "ON"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d"
}
BuiltIn SQL False False n/a n/a AuditIfNotExists false 0 n/a true 2 CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c) n/a
{
  "properties": {
    "displayName": "Log connections should be enabled for PostgreSQL database servers",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy helps audit any PostgreSQL databases in your environment without log_connections setting enabled.",
    "metadata": {
      "version": "1.0.0",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.DBforPostgreSQL/servers"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.DBforPostgreSQL/servers/configurations",
          "name": "log_connections",
          "existenceCondition": {
            "field": "Microsoft.DBforPostgreSQL/servers/configurations/value",
            "equals": "ON"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e442",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "eb6f77b9-bd53-4e35-a23d-7f65d5f0e442"
}
BuiltIn SQL False False n/a n/a AuditIfNotExists false 0 n/a true 2 CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c) n/a
{
  "properties": {
    "displayName": "Log duration should be enabled for PostgreSQL database servers",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy helps audit any PostgreSQL databases in your environment without log_duration setting enabled.",
    "metadata": {
      "version": "1.0.0",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.DBforPostgreSQL/servers"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.DBforPostgreSQL/servers/configurations",
          "name": "log_duration",
          "existenceCondition": {
            "field": "Microsoft.DBforPostgreSQL/servers/configurations/value",
            "equals": "ON"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3"
}
BuiltIn SQL False False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Logic Apps Integration Service Environment should be encrypted with customer-managed keys",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploy into Integration Service Environment to manage encryption at rest of Logic Apps data using customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.",
    "metadata": {
      "version": "1.0.0",
      "category": "Logic Apps"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Logic/integrationServiceEnvironments"
          },
          {
            "field": "Microsoft.Logic/integrationServiceEnvironments/encryptionConfiguration",
            "exists": "false"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5"
}
BuiltIn Logic Apps False False n/a n/a Audit false 0 n/a true 4 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Logic Apps should be deployed into Integration Service Environment",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploying Logic Apps into Integration Service Environment in a virtual network unlocks advanced Logic Apps networking and security features and provides you with greater control over your network configuration. Learn more at: https://aka.ms/integration-service-environment. Deploying into Integration Service Environment also allows encryption with customer-managed keys which provides enhanced data protection by allowing you to manage your encryption keys. This is often to meet compliance requirements.",
    "metadata": {
      "version": "1.0.0",
      "category": "Logic Apps"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Logic/workflows"
          },
          {
            "field": "Microsoft.Logic/workflows/integrationServiceEnvironment",
            "exists": "false"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/dc595cb1-1cde-45f6-8faf-f88874e1c0e1",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "dc595cb1-1cde-45f6-8faf-f88874e1c0e1"
}
BuiltIn Logic Apps False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Long-term geo-redundant backup should be enabled for Azure SQL Databases",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled.",
    "metadata": {
      "version": "2.0.0",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Sql/servers/databases"
          },
          {
            "field": "name",
            "notEquals": "master"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies",
          "name": "default",
          "existenceCondition": {
            "anyOf": [
              {
                "field": "Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/weeklyRetention",
                "notEquals": "PT0S"
              },
              {
                "field": "Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/monthlyRetention",
                "notEquals": "PT0S"
              },
              {
                "field": "Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/yearlyRetention",
                "notEquals": "PT0S"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "d38fc420-0735-4ef3-ac11-c806f651a570"
}
BuiltIn SQL False False n/a n/a AuditIfNotExists false 0 n/a true 9 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Machine Learning computes should have local authentication methods disabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disabling local authentication methods improves security by ensuring that Machine Learning computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy.",
    "metadata": {
      "version": "1.0.0",
      "category": "Machine Learning"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.MachineLearningServices/workspaces/computes"
          },
          {
            "field": "Microsoft.MachineLearningServices/workspaces/computes/disableLocalAuth",
            "notEquals": true
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f"
}
BuiltIn Machine Learning False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Managed disks should be double encrypted with both platform-managed and customer-managed keys",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "High security sensitive customers who are concerned of the risk associated with any particular encryption algorithm, implementation, or key being compromised can opt for additional layer of encryption using a different encryption algorithm/mode at the infrastructure layer using platform managed encryption keys. The disk encryption sets are required to use double encryption. Learn more at https://aka.ms/disks-doubleEncryption.",
    "metadata": {
      "category": "Compute",
      "version": "1.0.0"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/diskEncryptionSets"
          },
          {
            "field": "Microsoft.Compute/diskEncryptionSets/encryptionType",
            "notEquals": "EncryptionAtRestWithPlatformAndCustomerKeys"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/ca91455f-eace-4f96-be59-e6e2c35b4816",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ca91455f-eace-4f96-be59-e6e2c35b4816"
}
BuiltIn Compute False False n/a n/a Audit false 0 n/a true 4 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Managed disks should disable public network access",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disabling public network access improves security by ensuring that a managed disk isn't exposed on the public internet. Creating private endpoints can limit exposure of managed disks. Learn more at: https://aka.ms/disksprivatelinksdoc.",
    "metadata": {
      "version": "1.0.0",
      "category": "Compute"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The effect determines what happens when the policy rule is evaluated to match"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/disks"
          },
          {
            "field": "Microsoft.Compute/disks/networkAccessPolicy",
            "notIn": [
              "DenyAll",
              "AllowPrivate"
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/8405fdab-1faf-48aa-b702-999c9c172094",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "8405fdab-1faf-48aa-b702-999c9c172094"
}
BuiltIn Compute False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Managed disks should use a specific set of disk encryption sets for the customer-managed key encryption",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Requiring a specific set of disk encryption sets to be used with managed disks give you control over the keys used for encryption at rest. You are able to select the allowed encrypted sets and all others are rejected when attached to a disk. Learn more at https://aka.ms/disks-cmk.",
    "metadata": {
      "category": "Compute",
      "version": "2.0.0"
    },
    "parameters": {
      "allowedEncryptionSets": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed disk encryption set",
          "description": "The list of allowed disk encryption sets for managed disks.",
          "strongType": "Microsoft.Compute/diskEncryptionSets"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/disks"
              },
              {
                "field": "Microsoft.Compute/disks/managedBy",
                "exists": "False"
              },
              {
                "field": "Microsoft.Compute/disks/encryption.diskEncryptionSetId",
                "notIn": "[parameters('allowedEncryptionSets')]"
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk.diskEncryptionSet.id",
                "notIn": "[parameters('allowedEncryptionSets')]"
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachineScaleSets"
              },
              {
                "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.storageProfile.osDisk.managedDisk.diskEncryptionSet.id",
                "notIn": "[parameters('allowedEncryptionSets')]"
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachineScaleSets"
              },
              {
                "count": {
                  "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.storageProfile.dataDisks[*]"
                },
                "greater": 0
              },
              {
                "not": {
                  "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.storageProfile.dataDisks[*].managedDisk.diskEncryptionSet.id",
                  "in": "[parameters('allowedEncryptionSets')]"
                }
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/galleries/images/versions"
              },
              {
                "not": {
                  "field": "Microsoft.Compute/galleries/images/versions/publishingProfile.targetRegions[*].encryption.osDiskImage.diskEncryptionSetId",
                  "in": "[parameters('allowedEncryptionSets')]"
                }
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/galleries/images/versions"
              },
              {
                "value": "[length(field('Microsoft.Compute/galleries/images/versions/storageProfile.dataDiskImages[*]'))]",
                "greater": 0
              },
              {
                "not": {
                  "field": "Microsoft.Compute/galleries/images/versions/publishingProfile.targetRegions[*].encryption.dataDiskImages[*].diskEncryptionSetId",
                  "in": "[parameters('allowedEncryptionSets')]"
                }
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/images"
              },
              {
                "field": "Microsoft.Compute/images/storageProfile.osDisk.diskEncryptionSet.id",
                "notIn": "[parameters('allowedEncryptionSets')]"
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/images"
              },
              {
                "value": "[length(field('Microsoft.Compute/images/storageProfile.dataDisks[*]'))]",
                "greater": 0
              },
              {
                "field": "Microsoft.Compute/images/storageProfile.dataDisks[*].diskEncryptionSet.id",
                "notIn": "[parameters('allowedEncryptionSets')]"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/d461a302-a187-421a-89ac-84acdb4edc04",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "d461a302-a187-421a-89ac-84acdb4edc04"
}
BuiltIn Compute False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Managed identity should be used in your API App",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use a managed identity for enhanced authentication security",
    "metadata": {
      "version": "2.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "*api"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "name": "web",
          "existenceCondition": {
            "anyOf": [
              {
                "field": "Microsoft.Web/sites/config/managedServiceIdentityId",
                "exists": "true"
              },
              {
                "field": "Microsoft.Web/sites/config/xmanagedServiceIdentityId",
                "exists": "true"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c4d441f8-f9d9-4a9e-9cef-e82117cb3eef"
}
BuiltIn App Service False False n/a n/a AuditIfNotExists false 0 n/a true 10 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Managed identity should be used in your Function App",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use a managed identity for enhanced authentication security",
    "metadata": {
      "version": "2.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "functionapp*"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "name": "web",
          "existenceCondition": {
            "anyOf": [
              {
                "field": "Microsoft.Web/sites/config/managedServiceIdentityId",
                "exists": "true"
              },
              {
                "field": "Microsoft.Web/sites/config/xmanagedServiceIdentityId",
                "exists": "true"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0da106f2-4ca3-48e8-bc85-c638fe6aea8f"
}
BuiltIn App Service False False n/a n/a AuditIfNotExists false 0 n/a true 10 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Managed identity should be used in your Web App",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use a managed identity for enhanced authentication security",
    "metadata": {
      "version": "2.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "app*"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "name": "web",
          "existenceCondition": {
            "anyOf": [
              {
                "field": "Microsoft.Web/sites/config/managedServiceIdentityId",
                "exists": "true"
              },
              {
                "field": "Microsoft.Web/sites/config/xmanagedServiceIdentityId",
                "exists": "true"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "2b9ad585-36bc-4615-b300-fd4435808332"
}
BuiltIn App Service False False n/a n/a AuditIfNotExists false 0 n/a true 10 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Managed workspace virtual network on Azure Synapse workspaces should be enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Enabling a managed workspace virtual network ensures that your workspace is network isolated from other workspaces. Data integration and Spark resources deployed in this virtual network also provides user level isolation for Spark activities.",
    "metadata": {
      "version": "1.0.0",
      "category": "Synapse"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Synapse/workspaces"
          },
          {
            "field": "Microsoft.Synapse/workspaces/managedVirtualNetwork",
            "notEquals": "default"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/2d9dbfa3-927b-4cf0-9d0f-08747f971650",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "2d9dbfa3-927b-4cf0-9d0f-08747f971650"
}
BuiltIn Synapse False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Management ports of virtual machines should be protected with just-in-time network access control",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",
    "metadata": {
      "version": "3.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachines"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "805651bc-6ecd-4c73-9b55-97a19d0582d0",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b0f33259-77d7-4c9e-aac6-3aabcfae693c"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 17 IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Management ports should be closed on your virtual machines",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",
    "metadata": {
      "version": "3.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "Microsoft.Compute/virtualMachines",
          "Microsoft.ClassicCompute/virtualMachines"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "bc303248-3d14-44c2-96a0-55f5c326b5fe",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "22730e10-96f6-4aac-ad84-9383d35b5917"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 9 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "MariaDB server should use a virtual network service endpoint",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure Database for MariaDB while ensuring the traffic stays within the Azure boundary. This policy provides a way to audit if the Azure Database for MariaDB has virtual network service endpoint being used.",
    "metadata": {
      "version": "1.0.2",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.DBforMariaDB/servers"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.DBforMariaDB/servers/virtualNetworkRules",
          "existenceCondition": {
            "field": "Microsoft.DBforMariaDB/servers/virtualNetworkRules/virtualNetworkSubnetId",
            "exists": "true"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/dfbd9a64-6114-48de-a47d-90574dc2e489",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "dfbd9a64-6114-48de-a47d-90574dc2e489"
}
BuiltIn SQL False False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Metric alert rules should be configured on Batch accounts",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Audit configuration of metric alert rules on Batch account to enable the required metric",
    "metadata": {
      "version": "1.0.0",
      "category": "Batch"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "metricName": {
        "type": "String",
        "metadata": {
          "displayName": "Metric name",
          "description": "The metric name that an alert rule must be enabled on"
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Batch/batchAccounts"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/alertRules",
          "existenceScope": "Subscription",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/alertRules/isEnabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/alertRules/condition.dataSource.metricName",
                "equals": "[parameters('metricName')]"
              },
              {
                "field": "Microsoft.Insights/alertRules/condition.dataSource.resourceUri",
                "equals": "[concat('/subscriptions/', subscription().subscriptionId, '/resourcegroups/', resourceGroup().name, '/providers/Microsoft.Batch/batchAccounts/', field('name'))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7"
}
BuiltIn Batch False False n/a n/a AuditIfNotExists false 0 n/a true 1 [Preview]: Motion Picture Association of America (MPAA) (/providers/microsoft.authorization/policysetdefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8) n/a
{
  "properties": {
    "displayName": "MFA should be enabled accounts with write permissions on your subscription",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.",
    "metadata": {
      "version": "3.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "57e98606-6b1e-6193-0e3d-fe621387c16b",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "9297c21d-2ed6-4474-b48f-163f75654ce3"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 22 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), PCI v3.2.1:2018 (/providers/microsoft.authorization/policysetdefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), [Preview]: Motion Picture Association of America (MPAA) (/providers/microsoft.authorization/policysetdefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "MFA should be enabled on accounts with owner permissions on your subscription",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.",
    "metadata": {
      "version": "3.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "94290b00-4d0c-d7b4-7cea-064a9554e681",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "aa633080-8b72-40c4-a2d7-d00c03e80bed"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 21 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), PCI v3.2.1:2018 (/providers/microsoft.authorization/policysetdefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "MFA should be enabled on accounts with read permissions on your subscription",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.",
    "metadata": {
      "version": "3.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "151e82c5-5341-a74b-1eb0-bc38d2c84bb5",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e3576e28-8b17-4677-84c3-db2990658d64"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 19 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Microsoft Antimalware for Azure should be configured to automatically update protection signatures",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy audits any Windows virtual machine not configured with automatic update of Microsoft Antimalware protection signatures.",
    "metadata": {
      "version": "1.0.0",
      "category": "Compute"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
            "equals": "Windows"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Compute/virtualMachines/extensions",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/type",
                "equals": "IaaSAntimalware"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                "equals": "Microsoft.Azure.Security"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/autoUpgradeMinorVersion",
                "equals": "true"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c43e4a30-77cb-48ab-a4dd-93f175c63b57",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c43e4a30-77cb-48ab-a4dd-93f175c63b57"
}
BuiltIn Compute False False n/a n/a AuditIfNotExists false 0 n/a true 3 [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de) n/a
{
  "properties": {
    "displayName": "Microsoft IaaSAntimalware extension should be deployed on Windows servers",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy audits any Windows server VM without Microsoft IaaSAntimalware extension deployed.",
    "metadata": {
      "version": "1.0.0",
      "category": "Compute"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "Microsoft.Compute/imagePublisher",
            "equals": "MicrosoftWindowsServer"
          },
          {
            "field": "Microsoft.Compute/imageOffer",
            "equals": "WindowsServer"
          },
          {
            "field": "Microsoft.Compute/imageSKU",
            "in": [
              "2008-R2-SP1",
              "2008-R2-SP1-smalldisk",
              "2012-Datacenter",
              "2012-Datacenter-smalldisk",
              "2012-R2-Datacenter",
              "2012-R2-Datacenter-smalldisk",
              "2016-Datacenter",
              "2016-Datacenter-Server-Core",
              "2016-Datacenter-Server-Core-smalldisk",
              "2016-Datacenter-smalldisk",
              "2016-Datacenter-with-Containers",
              "2016-Datacenter-with-RDSH",
              "2019-Datacenter",
              "2019-Datacenter-Core",
              "2019-Datacenter-Core-smalldisk",
              "2019-Datacenter-Core-with-Containers",
              "2019-Datacenter-Core-with-Containers-smalldisk",
              "2019-Datacenter-smalldisk",
              "2019-Datacenter-with-Containers",
              "2019-Datacenter-with-Containers-smalldisk"
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Compute/virtualMachines/extensions",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/type",
                "equals": "IaaSAntimalware"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                "equals": "Microsoft.Azure.Security"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/9b597639-28e4-48eb-b506-56b05d366257",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "9b597639-28e4-48eb-b506-56b05d366257"
}
BuiltIn Compute False False n/a n/a AuditIfNotExists false 0 n/a true 4 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de) n/a
{
  "properties": {
    "displayName": "Modify - Configure Azure Event Grid domains to disable public network access",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disable public network access for Azure Event Grid resource so that it isn't accessible over the public internet. This will help protect them against data leakage risks. You can limit exposure of the your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints.",
    "metadata": {
      "category": "Event Grid",
      "version": "1.0.0"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Modify",
          "Disabled"
        ],
        "defaultValue": "Modify"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.EventGrid/domains"
          },
          {
            "field": "Microsoft.EventGrid/domains/publicNetworkAccess",
            "notEquals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/1e241071-0855-49ea-94dc-649edcd759de"
          ],
          "conflictEffect": "audit",
          "operations": [
            {
              "condition": "[greaterOrEquals(requestContext().apiVersion, '2020-04-01-preview')]",
              "operation": "addOrReplace",
              "field": "Microsoft.EventGrid/domains/publicNetworkAccess",
              "value": "Disabled"
            }
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/898e9824-104c-4965-8e0e-5197588fa5d4",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "898e9824-104c-4965-8e0e-5197588fa5d4"
}
BuiltIn Event Grid False False n/a n/a Modify false 0 n/a false 0 n/a 'EventGrid Contributor' (1e241071-0855-49ea-94dc-649edcd759de)
{
  "properties": {
    "displayName": "Modify - Configure Azure Event Grid topics to disable public network access",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disable public network access for Azure Event Grid resource so that it isn't accessible over the public internet. This will help protect them against data leakage risks. You can limit exposure of the your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints.",
    "metadata": {
      "category": "Event Grid",
      "version": "1.0.0"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Modify",
          "Disabled"
        ],
        "defaultValue": "Modify"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.EventGrid/topics"
          },
          {
            "field": "kind",
            "notEquals": "AzureArc"
          },
          {
            "field": "Microsoft.EventGrid/topics/publicNetworkAccess",
            "notEquals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/1e241071-0855-49ea-94dc-649edcd759de"
          ],
          "conflictEffect": "audit",
          "operations": [
            {
              "condition": "[greaterOrEquals(requestContext().apiVersion, '2020-04-01-preview')]",
              "operation": "addOrReplace",
              "field": "Microsoft.EventGrid/topics/publicNetworkAccess",
              "value": "Disabled"
            }
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/36ea4b4b-0f7f-4a54-89fa-ab18f555a172",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "36ea4b4b-0f7f-4a54-89fa-ab18f555a172"
}
BuiltIn Event Grid False False n/a n/a Modify false 0 n/a false 0 n/a 'EventGrid Contributor' (1e241071-0855-49ea-94dc-649edcd759de)
{
  "properties": {
    "displayName": "Modify - Configure Azure File Sync to disable public network access",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "The Azure File Sync's internet-accessible public endpoint are disabled by your organizational policy. You may still access the Storage Sync Service via its private endpoint(s).",
    "metadata": {
      "version": "1.0.0",
      "category": "Storage"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Modify",
          "Disabled"
        ],
        "defaultValue": "Modify"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.StorageSync/storageSyncServices"
          },
          {
            "field": "Microsoft.StorageSync/storageSyncServices/incomingTrafficPolicy",
            "notEquals": "AllowVirtualNetworksOnly"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "conflictEffect": "Audit",
          "operations": [
            {
              "condition": "[greater(requestContext().apiVersion, '2019-10-01')]",
              "operation": "addOrReplace",
              "field": "Microsoft.StorageSync/storageSyncServices/incomingTrafficPolicy",
              "value": "AllowVirtualNetworksOnly"
            }
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0e07b2e9-6cd9-4c40-9ccb-52817b95133b"
}
BuiltIn Storage False False n/a n/a Modify false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Modify - Configure Azure IoT Hubs to disable public network access",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disabling the public network access property improves security by ensuring your Azure IoT Hub can only be accessed from a private endpoint. This policy disables public network access on IoT Hub resources.",
    "metadata": {
      "version": "1.0.0",
      "category": "Internet of Things"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Modify",
          "Disabled"
        ],
        "defaultValue": "Modify"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Devices/IotHubs"
          },
          {
            "field": "Microsoft.Devices/IotHubs/publicNetworkAccess",
            "notEquals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "conflictEffect": "audit",
          "operations": [
            {
              "condition": "[greaterOrEquals(requestContext().apiVersion, '2020-03-01')]",
              "operation": "addOrReplace",
              "field": "Microsoft.Devices/IotHubs/publicNetworkAccess",
              "value": "Disabled"
            }
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/114eec6e-5e59-4bad-999d-6eceeb39d582",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "114eec6e-5e59-4bad-999d-6eceeb39d582"
}
BuiltIn Internet of Things False False n/a n/a Modify false 0 n/a false 0 n/a 'Contributor' (b24988ac-6180-42a0-ab88-20f7382dd24c)
{
  "properties": {
    "displayName": "Modify Azure SignalR Service resources to disable public network access",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "To improve the security of Azure SignalR Service resource, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/asrs/networkacls. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks.",
    "metadata": {
      "version": "1.0.0",
      "category": "SignalR"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Modify",
          "Disabled"
        ],
        "defaultValue": "Modify"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.SignalRService/SignalR"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.SignalRService/SignalR/networkACLs.defaultAction",
                "equals": "Allow"
              },
              {
                "field": "Microsoft.SignalRService/SignalR/networkACLs.publicNetwork.allow",
                "exists": false
              },
              {
                "count": {
                  "field": "Microsoft.SignalRService/SignalR/networkACLs.publicNetwork.allow[*]"
                },
                "greater": 0
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "conflictEffect": "Audit",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761"
          ],
          "operations": [
            {
              "operation": "addOrReplace",
              "field": "Microsoft.SignalRService/SignalR/networkACLs.defaultAction",
              "value": "Deny"
            },
            {
              "operation": "addOrReplace",
              "field": "Microsoft.SignalRService/SignalR/networkACLs.publicNetwork.allow",
              "value": []
            }
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/62a3ae95-8169-403e-a2d2-b82141448092",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "62a3ae95-8169-403e-a2d2-b82141448092"
}
BuiltIn SignalR False False n/a n/a Modify false 0 n/a false 0 n/a 'SignalR Contributor' (8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761)
{
  "properties": {
    "displayName": "Monitor missing Endpoint Protection in Azure Security Center",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",
    "metadata": {
      "version": "3.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "Microsoft.Compute/virtualMachines",
          "Microsoft.ClassicCompute/virtualMachines"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "af6cd1bd-1635-48cb-bde7-5b15693900b9"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 21 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), PCI v3.2.1:2018 (/providers/microsoft.authorization/policysetdefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "MySQL server should use a virtual network service endpoint",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure Database for MySQL while ensuring the traffic stays within the Azure boundary. This policy provides a way to audit if the Azure Database for MySQL has virtual network service endpoint being used.",
    "metadata": {
      "version": "1.0.2",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.DBforMySQL/servers"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.DBforMySQL/servers/virtualNetworkRules",
          "existenceCondition": {
            "field": "Microsoft.DBforMySQL/servers/virtualNetworkRules/virtualNetworkSubnetId",
            "exists": "true"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/3375856c-3824-4e0e-ae6a-79e011dd4c47",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "3375856c-3824-4e0e-ae6a-79e011dd4c47"
}
BuiltIn SQL False False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "MySQL servers should use customer-managed keys to encrypt data at rest",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.",
    "metadata": {
      "version": "1.0.4",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.DBforMySQL/servers"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.DBforMySQL/servers/keys",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.DBforMySQL/servers/keys/serverKeyType",
                "equals": "AzureKeyVault"
              },
              {
                "field": "Microsoft.DBforMySQL/servers/keys/uri",
                "notEquals": ""
              },
              {
                "field": "Microsoft.DBforMySQL/servers/keys/uri",
                "exists": "true"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "83cef61d-dbd1-4b20-a4fc-5fbc7da10833"
}
BuiltIn SQL False False n/a n/a AuditIfNotExists false 0 n/a true 7 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Network interfaces should disable IP forwarding",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure's check of the source and destination for a network interface. This should be reviewed by the network security team.",
    "metadata": {
      "version": "1.0.0",
      "category": "Network"
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/networkInterfaces"
          },
          {
            "field": "Microsoft.Network/networkInterfaces/enableIpForwarding",
            "equals": "true"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "88c0b9da-ce96-4b03-9635-f29a937e2900"
}
BuiltIn Network False False n/a n/a n/a true 1 /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-ip-forwarding (Deny-IP-Forwarding) true 1 [Preview]: Motion Picture Association of America (MPAA) (/providers/microsoft.authorization/policysetdefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8) n/a
{
  "properties": {
    "displayName": "Network interfaces should not have public IPs",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy denies the network interfaces which are configured with any public IP. Public IP addresses allow internet resources to communicate inbound to Azure resources, and Azure resources to communicate outbound to the internet. This should be reviewed by the network security team.",
    "metadata": {
      "version": "1.0.0",
      "category": "Network"
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/networkInterfaces"
          },
          {
            "not": {
              "field": "Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id",
              "notLike": "*"
            }
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "83a86a26-fd1f-447c-b59d-e51f44264114"
}
BuiltIn Network False False n/a n/a n/a false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Network Watcher flow logs should have traffic analytics enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Traffic analytics analyzes Network Watcher network security group flow logs to provide insights into traffic flow in your Azure cloud. It can be used to visualize network activity across your Azure subscriptions and identify hot spots, identify security threats, understand traffic flow patterns, pinpoint network misconfigurations and more.",
    "metadata": {
      "version": "1.0.0",
      "category": "Network"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allof": [
          {
            "field": "type",
            "equals": "Microsoft.Network/networkWatchers/flowLogs"
          },
          {
            "anyof": [
              {
                "field": "Microsoft.Network/networkWatchers/flowLogs/flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled",
                "equals": false
              },
              {
                "field": "Microsoft.Network/networkWatchers/flowLogs/flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.trafficAnalyticsInterval",
                "notin": [
                  "10",
                  "60"
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/2f080164-9f4d-497e-9db6-416dc9f7b48a",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "2f080164-9f4d-497e-9db6-416dc9f7b48a"
}
BuiltIn Network False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Network Watcher should be enabled",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.",
    "metadata": {
      "version": "3.0.0",
      "category": "Network"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "listOfLocations": {
        "type": "Array",
        "metadata": {
          "displayName": "[Deprecated]: Locations",
          "description": "Audit if Network Watcher is not enabled for region(s).",
          "strongType": "location",
          "deprecated": true
        },
        "defaultValue": []
      },
      "resourceGroupName": {
        "type": "String",
        "metadata": {
          "displayName": "NetworkWatcher resource group name",
          "description": "Name of the resource group of NetworkWatcher, such as NetworkWatcherRG. This is the resource group where the Network Watchers are located."
        },
        "defaultValue": "NetworkWatcherRG"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Network/virtualNetworks"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/networkWatchers",
          "resourceGroupName": "[parameters('resourceGroupName')]",
          "existenceCondition": {
            "field": "location",
            "equals": "[field('location')]"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b6e2945c-0b7b-40f5-9233-7a5323b5cdc6"
}
BuiltIn Network False False n/a n/a AuditIfNotExists false 0 n/a true 13 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "No child resources in Automation Account",
    "policyType": "Custom",
    "mode": "All",
    "description": "This policy denies the creation of child resources on the Automation Account",
    "metadata": {
      "version": "1.0.0",
      "category": "Automation",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.3290136Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "in": [
              "Microsoft.Automation/automationAccounts/runbooks",
              "Microsoft.Automation/automationAccounts/variables",
              "Microsoft.Automation/automationAccounts/modules",
              "Microsoft.Automation/automationAccounts/credentials",
              "Microsoft.Automation/automationAccounts/connections",
              "Microsoft.Automation/automationAccount/certificates"
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deny-AA-child-resources",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deny-AA-child-resources"
}
Custom Automation False False Mg ESJH (ESJH) Deny false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Non-internet-facing virtual machines should be protected with network security groups",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",
    "metadata": {
      "version": "3.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "Microsoft.Compute/virtualMachines",
          "Microsoft.ClassicCompute/virtualMachines"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "a9341235-9389-42f0-a0bf-9bfb57960d44",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "bb91dfba-c30d-4263-9add-9c2384e659a6"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 6 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Not allowed resource types",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Restrict which resource types can be deployed in your environment. Limiting resource types can reduce the complexity and attack surface of your environment while also helping to manage costs. Compliance results are only shown for non-compliant resources.",
    "metadata": {
      "version": "2.0.0",
      "category": "General"
    },
    "parameters": {
      "listOfResourceTypesNotAllowed": {
        "type": "Array",
        "metadata": {
          "description": "The list of resource types that cannot be deployed.",
          "displayName": "Not allowed resource types",
          "strongType": "resourceTypes"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "in": "[parameters('listOfResourceTypesNotAllowed')]"
          },
          {
            "value": "[field('type')]",
            "exists": true
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "6c112d4e-5bc7-47ae-a041-ea2d9dccd749"
}
BuiltIn General False False n/a n/a Deny false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Only approved VM extensions should be installed",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy governs the virtual machine extensions that are not approved.",
    "metadata": {
      "version": "1.0.0",
      "category": "Compute"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The effect determines what happens when the policy rule is evaluated to match"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "approvedExtensions": {
        "type": "Array",
        "metadata": {
          "description": "The list of approved extension types that can be installed. Example: AzureDiskEncryption",
          "displayName": "Approved extensions"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines/extensions"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/extensions/type",
            "notIn": "[parameters('approvedExtensions')]"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c0e996f8-39cf-4af9-9f45-83fbde810432",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c0e996f8-39cf-4af9-9f45-83fbde810432"
}
BuiltIn Compute False False n/a n/a Audit false 0 n/a true 2 CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c) n/a
{
  "properties": {
    "displayName": "Only secure connections to your Azure Cache for Redis should be enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",
    "metadata": {
      "version": "1.0.0",
      "category": "Cache"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The effect determines what happens when the policy rule is evaluated to match"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Cache/redis"
          },
          {
            "field": "Microsoft.Cache/Redis/enableNonSslPort",
            "equals": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "22bee202-a82f-4305-9a2a-6d7f44d4dedb"
}
BuiltIn Cache False False n/a n/a Audit false 0 n/a true 19 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), PCI v3.2.1:2018 (/providers/microsoft.authorization/policysetdefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "OS and data disks should be encrypted with a customer-managed key",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use customer-managed keys to manage the encryption at rest of the contents of your managed disks. By default, the data is encrypted at rest with platform-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/disks-cmk.",
    "metadata": {
      "category": "Compute",
      "version": "2.0.0"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk.diskEncryptionSet.id",
                "exists": "False"
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "value": "[length(field('Microsoft.Compute/virtualMachines/storageProfile.dataDisks'))]",
                "greater": 0
              },
              {
                "field": "Microsoft.Compute/virtualMachines/storageProfile.dataDisks[*].managedDisk.id",
                "exists": "False"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/storageProfile.dataDisks[*].managedDisk.diskEncryptionSet.id",
                "exists": "False"
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachineScaleSets"
              },
              {
                "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.storageProfile.osDisk.managedDisk.diskEncryptionSet.id",
                "exists": "False"
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachineScaleSets"
              },
              {
                "count": {
                  "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.storageProfile.dataDisks[*]"
                },
                "greater": 0
              },
              {
                "not": {
                  "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.storageProfile.dataDisks[*].managedDisk.diskEncryptionSet.id",
                  "exists": "true"
                }
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/disks"
              },
              {
                "field": "Microsoft.Compute/disks/managedBy",
                "exists": "False"
              },
              {
                "field": "Microsoft.Compute/disks/encryption.diskEncryptionSetId",
                "exists": "False"
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/galleries/images/versions"
              },
              {
                "value": "[length(field('Microsoft.Compute/galleries/images/versions/publishingProfile.targetRegions[*].encryption.osDiskImage.diskEncryptionSetId'))]",
                "notEquals": "[length(field('Microsoft.Compute/galleries/images/versions/publishingProfile.targetRegions[*]'))]"
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/galleries/images/versions"
              },
              {
                "value": "[length(field('Microsoft.Compute/galleries/images/versions/storageProfile.dataDiskImages[*]'))]",
                "greater": 0
              },
              {
                "anyOf": [
                  {
                    "count": {
                      "field": "Microsoft.Compute/galleries/images/versions/publishingProfile.targetRegions[*]",
                      "where": {
                        "value": "[length(current('Microsoft.Compute/galleries/images/versions/publishingProfile.targetRegions[*].encryption.dataDiskImages[*].diskEncryptionSetId'))]",
                        "notEquals": "[length(field('Microsoft.Compute/galleries/images/versions/storageProfile.dataDiskImages[*]'))]"
                      }
                    },
                    "greater": 0
                  },
                  {
                    "not": {
                      "field": "Microsoft.Compute/galleries/images/versions/publishingProfile.targetRegions[*].encryption.dataDiskImages[*].diskEncryptionSetId",
                      "exists": "true"
                    }
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/images"
              },
              {
                "field": "Microsoft.Compute/images/storageProfile.osDisk.diskEncryptionSet.id",
                "exists": "False"
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/images"
              },
              {
                "value": "[length(field('Microsoft.Compute/images/storageProfile.dataDisks[*]'))]",
                "greater": 0
              },
              {
                "not": {
                  "field": "Microsoft.Compute/images/storageProfile.dataDisks[*].diskEncryptionSet.id",
                  "exists": "true"
                }
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "702dd420-7fcc-42c5-afe8-4026edd20fe0"
}
BuiltIn Compute False False n/a n/a Audit false 0 n/a true 4 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "PostgreSQL server should use a virtual network service endpoint",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure Database for PostgreSQL while ensuring the traffic stays within the Azure boundary. This policy provides a way to audit if the Azure Database for PostgreSQL has virtual network service endpoint being used.",
    "metadata": {
      "version": "1.0.2",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.DBforPostgreSQL/servers"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.DBforPostgreSQL/servers/virtualNetworkRules",
          "existenceCondition": {
            "field": "Microsoft.DBforPostgreSQL/servers/virtualNetworkRules/virtualNetworkSubnetId",
            "exists": "true"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/3c14b034-bcb6-4905-94e7-5b8e98a47b65",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "3c14b034-bcb6-4905-94e7-5b8e98a47b65"
}
BuiltIn SQL False False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "PostgreSQL servers should use customer-managed keys to encrypt data at rest",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.",
    "metadata": {
      "version": "1.0.4",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.DBforPostgreSQL/servers"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.DBforPostgreSQL/servers/keys",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.DBforPostgreSQL/servers/keys/serverKeyType",
                "equals": "AzureKeyVault"
              },
              {
                "field": "Microsoft.DBforPostgreSQL/servers/keys/uri",
                "notEquals": ""
              },
              {
                "field": "Microsoft.DBforPostgreSQL/servers/keys/uri",
                "exists": "true"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "18adea5e-f416-4d0f-8aa8-d24321e3e274"
}
BuiltIn SQL False False n/a n/a AuditIfNotExists false 0 n/a true 7 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Private endpoint connections on Automation Accounts should be enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Private endpoint connections allow secure communication by enabling private connectivity to Automation accounts without a need for public IP addresses at the source or destination. Learn more about private endpoints in Azure Automation at https://docs.microsoft.com/azure/automation/how-to/private-link-security",
    "metadata": {
      "version": "1.0.0",
      "category": "Automation"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Automation/automationAccounts"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Automation/automationAccounts/privateEndpointConnections",
          "existenceCondition": {
            "field": "Microsoft.Automation/automationAccounts/privateEndpointConnections/privateLinkServiceConnectionState.status",
            "equals": "Approved"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0c2b3618-68a8-4034-a150-ff4abc873462",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0c2b3618-68a8-4034-a150-ff4abc873462"
}
BuiltIn Automation False False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Private endpoint connections on Azure SQL Database should be enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database.",
    "metadata": {
      "version": "1.1.0",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Sql/servers"
          },
          {
            "count": {
              "field": "Microsoft.Sql/servers/privateEndpointConnections[*]",
              "where": {
                "field": "Microsoft.Sql/servers/privateEndpointConnections[*].privateLinkServiceConnectionState.status",
                "equals": "Approved"
              }
            },
            "less": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/7698e800-9299-47a6-b3b6-5a0fee576eed",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "7698e800-9299-47a6-b3b6-5a0fee576eed"
}
BuiltIn SQL False False n/a n/a Audit false 0 n/a true 7 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Private endpoint connections on Batch accounts should be enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Private endpoint connections allow secure communication by enabling private connectivity to Batch accounts without a need for public IP addresses at the source or destination. Learn more about private endpoints in Batch at https://docs.microsoft.com/azure/batch/private-connectivity.",
    "metadata": {
      "version": "1.0.0",
      "category": "Batch"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Batch/batchAccounts"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Batch/batchAccounts/privateEndpointConnections",
          "existenceCondition": {
            "field": "Microsoft.Batch/batchAccounts/privateEndpointConnections/privateLinkServiceConnectionState.status",
            "equals": "Approved"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/009a0c92-f5b4-4776-9b66-4ed2b4775563",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "009a0c92-f5b4-4776-9b66-4ed2b4775563"
}
BuiltIn Batch False False n/a n/a AuditIfNotExists false 0 n/a true 1 New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a) n/a
{
  "properties": {
    "displayName": "Private endpoint should be enabled for IoT Hub",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Private endpoint connections enforce secure communication by enabling private connectivity to IoT Hub. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.",
    "metadata": {
      "version": "1.0.0",
      "category": "Internet of Things"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Devices/IotHubs"
          },
          {
            "count": {
              "field": "Microsoft.Devices/IotHubs/privateEndpointConnections[*]",
              "where": {
                "field": "Microsoft.Devices/IotHubs/privateEndpointConnections[*].privateLinkServiceConnectionState.status",
                "equals": "Approved"
              }
            },
            "less": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0d40b058-9f95-4a19-93e3-9b0330baa2a3",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0d40b058-9f95-4a19-93e3-9b0330baa2a3"
}
BuiltIn Internet of Things False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Private endpoint should be enabled for MariaDB servers",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.",
    "metadata": {
      "version": "1.0.2",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.DBforMariaDB/servers"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.DBforMariaDB/servers/privateEndpointConnections",
          "existenceCondition": {
            "field": "Microsoft.DBforMariaDB/servers/privateEndpointConnections/privateLinkServiceConnectionState.status",
            "equals": "Approved"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0a1302fb-a631-4106-9753-f3d494733990",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0a1302fb-a631-4106-9753-f3d494733990"
}
BuiltIn SQL False False n/a n/a AuditIfNotExists false 0 n/a true 8 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Private endpoint should be enabled for MySQL servers",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.",
    "metadata": {
      "version": "1.0.2",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.DBforMySQL/servers"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.DBforMySQL/servers/privateEndpointConnections",
          "existenceCondition": {
            "field": "Microsoft.DBforMySQL/servers/privateEndpointConnections/privateLinkServiceConnectionState.status",
            "equals": "Approved"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/7595c971-233d-4bcf-bd18-596129188c49",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "7595c971-233d-4bcf-bd18-596129188c49"
}
BuiltIn SQL False False n/a n/a AuditIfNotExists false 0 n/a true 8 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Private endpoint should be enabled for PostgreSQL servers",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.",
    "metadata": {
      "version": "1.0.2",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.DBforPostgreSQL/servers"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.DBforPostgreSQL/servers/privateEndpointConnections",
          "existenceCondition": {
            "field": "Microsoft.DBforPostgreSQL/servers/privateEndpointConnections/privateLinkServiceConnectionState.status",
            "equals": "Approved"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0564d078-92f5-4f97-8398-b9f58a51f70b",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0564d078-92f5-4f97-8398-b9f58a51f70b"
}
BuiltIn SQL False False n/a n/a AuditIfNotExists false 0 n/a true 8 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Private endpoints for Guest Configuration assignments should be enabled",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Private endpoint connections enforce secure communication by enabling private connectivity to Guest Configuration for virtual machines. Virtual machines will be non-compliant unless they have the tag, 'EnablePrivateNetworkGC'. This tag enforces secure communication through private connectivity to Guest Configuration for Virtual Machines. Private connectivity limits access to traffic coming only from known networks and prevents access from all other IP addresses, including within Azure.",
    "metadata": {
      "version": "1.0.0",
      "category": "Guest Configuration"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.GuestConfiguration/guestConfigurationAssignments"
          },
          {
            "field": "id",
            "contains": "Microsoft.Compute/virtualMachines"
          },
          {
            "not": {
              "anyof": [
                {
                  "field": "[concat('tags[', 'EnablePrivateNeworkGC', ']')]",
                  "equals": "TRUE"
                },
                {
                  "field": "[concat('tags[', 'EnablePrivateNetworkGC', ']')]",
                  "equals": "TRUE"
                }
              ]
            }
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/480d0f91-30af-4a76-9afb-f5710ac52b09",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "480d0f91-30af-4a76-9afb-f5710ac52b09"
}
BuiltIn Guest Configuration False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Public IP addresses should have resource logs enabled for Azure DDoS Protection Standard",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Enable resource logs for public IP addressess in diagnostic settings to stream to a Log Analytics workspace. Get detailed visibility into attack traffic and actions taken to mitigate DDoS attacks via notifications, reports and flow logs.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Diagnostic setting name",
          "description": "Profile name for the Azure diagnostic settings resource"
        }
      },
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "The target Log Analytics workspace for the diagnostic settings",
          "strongType": "omsWorkspace",
          "assignPermissions": true
        }
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable Logs",
          "description": "Enable Logs - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable Metrics",
          "description": "Enable Metrics - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "False"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Network/publicIPAddresses"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "[parameters('LogsEnabled')]"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "[parameters('MetricsEnabled')]"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "name": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Network/publicIPAddresses/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('name'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "enabled": false,
                            "days": 0
                          }
                        }
                      ],
                      "logs": [
                        {
                          "category": "DDoSProtectionNotifications",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "DDoSMitigationFlowLogs",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "DDoSMitigationReports",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {
                  "policy": {
                    "type": "string",
                    "value": "[concat(parameters('logAnalytics'), 'configured for resource logs for ', ': ', parameters('name'))]"
                  }
                }
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "name": {
                  "value": "[field('name')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "752154a7-1e0f-45c6-a880-ac75a7e4f648"
}
BuiltIn Monitoring False False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a 'Log Analytics Contributor' (92aaf0da-9dab-42b6-94a3-d43ce8d16293)
{
  "properties": {
    "displayName": "Public network access on AKS API should be disabled",
    "policyType": "Custom",
    "mode": "All",
    "description": "This policy denies  the creation of  Azure Kubernetes Service non-private clusters",
    "metadata": {
      "version": "1.0.0",
      "category": "Kubernetes",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.4994662Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ContainerService/managedClusters"
          },
          {
            "field": "Microsoft.ContainerService/managedClusters/apiServerAccessProfile.enablePrivateCluster",
            "notequals": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-Aks",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deny-PublicEndpoint-Aks"
}
Custom Kubernetes False False Mg ESJH (ESJH) Deny false 0 n/a true 1 Public network access should be disabled for PAAS services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deny-publicendpoints) n/a
{
  "properties": {
    "displayName": "Public network access on Azure Data Factory should be disabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disabling the public network access property improves security by ensuring your Azure Data Factory can only be accessed from a private endpoint.",
    "metadata": {
      "version": "1.0.0",
      "category": "Data Factory"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DataFactory/factories"
          },
          {
            "field": "Microsoft.DataFactory/factories/publicNetworkAccess",
            "notEquals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/1cf164be-6819-4a50-b8fa-4bcaa4f98fb6",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "1cf164be-6819-4a50-b8fa-4bcaa4f98fb6"
}
BuiltIn Data Factory False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Public network access on Azure IoT Hub should be disabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disabling the public network access property improves security by ensuring your Azure IoT Hub can only be accessed from a private endpoint.",
    "metadata": {
      "version": "1.0.0",
      "category": "Internet of Things"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Devices/IotHubs"
          },
          {
            "field": "Microsoft.Devices/IotHubs/publicNetworkAccess",
            "notEquals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/2d6830fb-07eb-48e7-8c4d-2a442b35f0fb",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "2d6830fb-07eb-48e7-8c4d-2a442b35f0fb"
}
BuiltIn Internet of Things False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Public network access on Azure SQL Database should be disabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules.",
    "metadata": {
      "version": "1.1.0",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Sql/servers"
          },
          {
            "field": "Microsoft.Sql/servers/publicNetworkAccess",
            "notEquals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "1b8ca024-1d5c-4dec-8995-b1a932b41780"
}
BuiltIn SQL False False n/a n/a Audit false 0 n/a true 8 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Public network access on Azure SQL Database should be disabled",
    "policyType": "Custom",
    "mode": "All",
    "description": "This policy denies creation of Sql servers with exposed public endpoints",
    "metadata": {
      "version": "1.0.0",
      "category": "SQL",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.5127467Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Sql/servers"
          },
          {
            "field": "Microsoft.Sql/servers/publicNetworkAccess",
            "notequals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-Sql",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deny-PublicEndpoint-Sql"
}
Custom SQL False False Mg ESJH (ESJH) Deny false 0 n/a true 1 Public network access should be disabled for PAAS services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deny-publicendpoints) n/a
{
  "properties": {
    "displayName": "Public network access onStorage accounts should be disabled",
    "policyType": "Custom",
    "mode": "All",
    "description": "This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints",
    "metadata": {
      "version": "1.0.0",
      "category": "Storage",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.4973149Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
            "notequals": "Deny"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-Storage",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deny-PublicEndpoint-Storage"
}
Custom Storage False False Mg ESJH (ESJH) Deny false 0 n/a true 1 Public network access should be disabled for PAAS services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deny-publicendpoints) n/a
{
  "properties": {
    "displayName": "Public network access should be disabled for Azure File Sync",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disabling the public endpoint allows you to restrict access to your Storage Sync Service resource to requests destined to approved private endpoints on your organization's network. There is nothing inherently insecure about allowing requests to the public endpoint, however, you may wish to disable it to meet regulatory, legal, or organizational policy requirements. You can disable the public endpoint for a Storage Sync Service by setting the incomingTrafficPolicy of the resource to AllowVirtualNetworksOnly.",
    "metadata": {
      "version": "1.0.0",
      "category": "Storage"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.StorageSync/storageSyncServices"
          },
          {
            "field": "Microsoft.StorageSync/storageSyncServices/incomingTrafficPolicy",
            "notEquals": "AllowVirtualNetworksOnly"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "21a8cd35-125e-4d13-b82d-2e19b7208bb7"
}
BuiltIn Storage False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Public network access should be disabled for Batch accounts",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disabling public network access on a Batch account improves security by ensuring your Batch account can only be accessed from a private endpoint. Learn more about disabling public network access at https://docs.microsoft.com/azure/batch/private-connectivity.",
    "metadata": {
      "version": "1.0.0",
      "category": "Batch"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The desired effect of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Batch/batchAccounts"
          },
          {
            "field": "Microsoft.Batch/batchAccounts/publicNetworkAccess",
            "notEquals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "74c5a0ae-5e48-4738-b093-65e23a060488"
}
BuiltIn Batch False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Public network access should be disabled for Container registries",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disabling public network access improves security by ensuring that container registries are not exposed on the public internet. Creating private endpoints can limit exposure of container registry resources. Learn more at: https://aka.ms/acr/portal/public-network and https://aka.ms/acr/private-link.",
    "metadata": {
      "version": "1.0.0",
      "category": "Container Registry"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ContainerRegistry/registries"
          },
          {
            "field": "Microsoft.ContainerRegistry/registries/publicNetworkAccess",
            "notEquals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0fdf0491-d080-4575-b627-ad0e843cba0f"
}
BuiltIn Container Registry False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Public network access should be disabled for CosmosDB",
    "policyType": "Custom",
    "mode": "All",
    "description": "This policy denies that  Cosmos database accounts  are created with out public network access is disabled.",
    "metadata": {
      "version": "1.0.0",
      "category": "SQL",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.8995781Z",
      "updatedBy": "acf4c68f-7b15-4d70-935b-26116fc2426a",
      "updatedOn": "2021-07-15T15:15:07.6208973Z"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DocumentDB/databaseAccounts"
          },
          {
            "field": "Microsoft.DocumentDB/databaseAccounts/publicNetworkAccess",
            "notequals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-CosmosDB",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deny-PublicEndpoint-CosmosDB"
}
Custom SQL False False Mg ESJH (ESJH) Deny false 0 n/a true 1 Public network access should be disabled for PAAS services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deny-publicendpoints) n/a
{
  "properties": {
    "displayName": "Public network access should be disabled for KeyVault",
    "policyType": "Custom",
    "mode": "All",
    "description": "This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints",
    "metadata": {
      "version": "1.0.0",
      "category": "Key Vault",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.4941318Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault/vaults"
          },
          {
            "field": "Microsoft.KeyVault/vaults/networkAcls.defaultAction",
            "notequals": "Deny"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-KeyVault",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deny-PublicEndpoint-KeyVault"
}
Custom Key Vault False False Mg ESJH (ESJH) Deny false 0 n/a true 1 Public network access should be disabled for PAAS services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deny-publicendpoints) n/a
{
  "properties": {
    "displayName": "Public network access should be disabled for MariaDB",
    "policyType": "Custom",
    "mode": "All",
    "description": "This policy denies the creation of Maria DB accounts with exposed public endpoints",
    "metadata": {
      "version": "1.0.0",
      "category": "SQL",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.3939506Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DBforMariaDB/servers"
          },
          {
            "field": "Microsoft.DBforMariaDB/servers/publicNetworkAccess",
            "notequals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deny-PublicEndpoint-MariaDB"
}
Custom SQL False False Mg ESJH (ESJH) Deny false 0 n/a true 1 Public network access should be disabled for PAAS services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deny-publicendpoints) n/a
{
  "properties": {
    "displayName": "Public network access should be disabled for MariaDB servers",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.",
    "metadata": {
      "version": "1.0.2",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DBforMariaDB/servers"
          },
          {
            "field": "Microsoft.DBforMariaDB/servers/publicNetworkAccess",
            "notEquals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "fdccbe47-f3e3-4213-ad5d-ea459b2fa077"
}
BuiltIn SQL False False n/a n/a Audit false 0 n/a true 8 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Public network access should be disabled for MySQL",
    "policyType": "Custom",
    "mode": "All",
    "description": "This policy denies creation of MySql DB accounts with exposed public endpoints",
    "metadata": {
      "version": "1.0.0",
      "category": "SQL",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.5154942Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DBforMySQL/servers"
          },
          {
            "field": "Microsoft.DBforMySQL/servers/publicNetworkAccess",
            "notequals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MySQL",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deny-PublicEndpoint-MySQL"
}
Custom SQL False False Mg ESJH (ESJH) Deny false 0 n/a true 1 Public network access should be disabled for PAAS services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deny-publicendpoints) n/a
{
  "properties": {
    "displayName": "Public network access should be disabled for MySQL flexible servers",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disabling the public network access property improves security by ensuring your Azure Database for MySQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP or virtual network-based firewall rules.",
    "metadata": {
      "version": "1.0.0",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DBforMySQL/flexibleServers"
          },
          {
            "field": "Microsoft.DBforMySQL/flexibleServers/publicNetworkAccess",
            "notEquals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c9299215-ae47-4f50-9c54-8a392f68a052"
}
BuiltIn SQL False False n/a n/a Audit false 0 n/a true 1 [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de) n/a
{
  "properties": {
    "displayName": "Public network access should be disabled for MySQL servers",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.",
    "metadata": {
      "version": "1.0.2",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DBforMySQL/servers"
          },
          {
            "field": "Microsoft.DBforMySQL/servers/publicNetworkAccess",
            "notEquals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "d9844e8a-1437-4aeb-a32c-0c992f056095"
}
BuiltIn SQL False False n/a n/a Audit false 0 n/a true 8 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Public network access should be disabled for PostgreSql",
    "policyType": "Custom",
    "mode": "All",
    "description": "This policy denies creation of Postgre SQL DB accounts with exposed public endpoints",
    "metadata": {
      "version": "1.0.0",
      "category": "SQL",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.4731381Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DBforPostgreSQL/servers"
          },
          {
            "field": "Microsoft.DBforPostgreSQL/servers/publicNetworkAccess",
            "notequals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-PostgreSql",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deny-PublicEndpoint-PostgreSql"
}
Custom SQL False False Mg ESJH (ESJH) Deny false 0 n/a true 1 Public network access should be disabled for PAAS services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deny-publicendpoints) n/a
{
  "properties": {
    "displayName": "Public network access should be disabled for PostgreSQL flexible servers",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disabling the public network access property improves security by ensuring your Azure Database for PostgreSQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP or virtual network-based firewall rules.",
    "metadata": {
      "version": "1.0.0",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DBforPostgreSQL/flexibleServers"
          },
          {
            "field": "Microsoft.DBforPostgreSQL/flexibleServers/publicNetworkAccess",
            "notEquals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "5e1de0e3-42cb-4ebc-a86d-61d0c619ca48"
}
BuiltIn SQL False False n/a n/a Audit false 0 n/a true 1 [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de) n/a
{
  "properties": {
    "displayName": "Public network access should be disabled for PostgreSQL servers",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.",
    "metadata": {
      "version": "1.0.2",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DBforPostgreSQL/servers"
          },
          {
            "field": "Microsoft.DBforPostgreSQL/servers/publicNetworkAccess",
            "notEquals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b52376f7-9612-48a1-81cd-1ffe4b61032c"
}
BuiltIn SQL False False n/a n/a Audit false 0 n/a true 8 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "RDP access from the Internet should be blocked",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy audits any network security rule that allows RDP access from Internet",
    "metadata": {
      "version": "2.0.0",
      "category": "Network"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
          },
          {
            "allOf": [
              {
                "field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
                "equals": "Allow"
              },
              {
                "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
                "equals": "Inbound"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
                    "equals": "*"
                  },
                  {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
                    "equals": "3389"
                  },
                  {
                    "value": "[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389)), 'false')]",
                    "equals": "true"
                  },
                  {
                    "count": {
                      "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                      "where": {
                        "value": "[if(and(not(empty(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')))), contains(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-')), and(lessOrEquals(int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389),greaterOrEquals(int(last(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389)) , 'false')]",
                        "equals": "true"
                      }
                    },
                    "greater": 0
                  },
                  {
                    "not": {
                      "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                      "notEquals": "*"
                    }
                  },
                  {
                    "not": {
                      "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                      "notEquals": "3389"
                    }
                  }
                ]
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
                    "equals": "*"
                  },
                  {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
                    "equals": "Internet"
                  },
                  {
                    "not": {
                      "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
                      "notEquals": "*"
                    }
                  },
                  {
                    "not": {
                      "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
                      "notEquals": "Internet"
                    }
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e372f825-a257-4fb8-9175-797a8a8627d6",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e372f825-a257-4fb8-9175-797a8a8627d6"
}
BuiltIn Network False False n/a n/a Audit false 0 n/a true 4 CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b) n/a
{
  "properties": {
    "displayName": "RDP access from the Internet should be blocked",
    "policyType": "Custom",
    "mode": "All",
    "description": "This policy denies any network security rule that allows RDP access from Internet",
    "metadata": {
      "version": "1.0.0",
      "category": "Network",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.669552Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
          },
          {
            "allOf": [
              {
                "field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
                "equals": "Allow"
              },
              {
                "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
                "equals": "Inbound"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
                    "equals": "*"
                  },
                  {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
                    "equals": "3389"
                  },
                  {
                    "value": "[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389)), 'false')]",
                    "equals": "true"
                  },
                  {
                    "count": {
                      "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                      "where": {
                        "value": "[if(and(not(empty(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')))), contains(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-')), and(lessOrEquals(int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389),greaterOrEquals(int(last(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389)) , 'false')]",
                        "equals": "true"
                      }
                    },
                    "greater": 0
                  },
                  {
                    "not": {
                      "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                      "notEquals": "*"
                    }
                  },
                  {
                    "not": {
                      "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                      "notEquals": "3389"
                    }
                  }
                ]
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
                    "equals": "*"
                  },
                  {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
                    "equals": "Internet"
                  },
                  {
                    "not": {
                      "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
                      "notEquals": "*"
                    }
                  },
                  {
                    "not": {
                      "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
                      "notEquals": "Internet"
                    }
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deny-RDP-From-Internet"
}
Custom Network False False Mg ESJH (ESJH) Deny true 1 /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-rdp-from-internet (Deny-RDP-from-Internet) false 0 n/a n/a
{
  "properties": {
    "displayName": "Remote debugging should be turned off for API Apps",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Remote debugging requires inbound ports to be opened on API apps. Remote debugging should be turned off.",
    "metadata": {
      "version": "1.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "*api"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "name": "web",
          "existenceCondition": {
            "field": "Microsoft.Web/sites/config/remoteDebuggingEnabled",
            "equals": "false"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e9c8d085-d9cc-4b17-9cdc-059f1f01f19e"
}
BuiltIn App Service False False n/a n/a AuditIfNotExists false 0 n/a true 17 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Remote debugging should be turned off for Function Apps",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Remote debugging requires inbound ports to be opened on function apps. Remote debugging should be turned off.",
    "metadata": {
      "version": "1.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "functionapp*"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "existenceCondition": {
            "field": "Microsoft.Web/sites/config/web.remoteDebuggingEnabled",
            "equals": "false"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0e60b895-3786-45da-8377-9c6b4b6ac5f9"
}
BuiltIn App Service False False n/a n/a AuditIfNotExists false 0 n/a true 17 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Remote debugging should be turned off for Web Applications",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Remote debugging requires inbound ports to be opened on a web application. Remote debugging should be turned off.",
    "metadata": {
      "version": "1.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "app*"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "existenceCondition": {
            "field": "Microsoft.Web/sites/config/web.remoteDebuggingEnabled",
            "equals": "false"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "cb510bfd-1cba-4d9f-a230-cb0976f4bb71"
}
BuiltIn App Service False False n/a n/a AuditIfNotExists false 0 n/a true 17 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Require a tag and its value on resource groups",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Enforces a required tag and its value on resource groups.",
    "metadata": {
      "version": "1.0.0",
      "category": "Tags"
    },
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Name",
          "description": "Name of the tag, such as 'environment'"
        }
      },
      "tagValue": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Value",
          "description": "Value of the tag, such as 'production'"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions/resourceGroups"
          },
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "notEquals": "[parameters('tagValue')]"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/8ce3da23-7156-49e4-b145-24f95f9dcb46",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "8ce3da23-7156-49e4-b145-24f95f9dcb46"
}
BuiltIn Tags False False n/a n/a n/a false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Require a tag and its value on resources",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Enforces a required tag and its value. Does not apply to resource groups.",
    "metadata": {
      "version": "1.0.1",
      "category": "Tags"
    },
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Name",
          "description": "Name of the tag, such as 'environment'"
        }
      },
      "tagValue": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Value",
          "description": "Value of the tag, such as 'production'"
        }
      }
    },
    "policyRule": {
      "if": {
        "not": {
          "field": "[concat('tags[', parameters('tagName'), ']')]",
          "equals": "[parameters('tagValue')]"
        }
      },
      "then": {
        "effect": "deny"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "1e30110a-5ceb-460c-a204-c1c3969c6d62"
}
BuiltIn Tags False False n/a n/a n/a false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Require a tag on resource groups",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Enforces existence of a tag on resource groups.",
    "metadata": {
      "version": "1.0.0",
      "category": "Tags"
    },
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Name",
          "description": "Name of the tag, such as 'environment'"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions/resourceGroups"
          },
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "exists": "false"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/96670d01-0a4d-4649-9c89-2d3abc0a5025",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "96670d01-0a4d-4649-9c89-2d3abc0a5025"
}
BuiltIn Tags False False n/a n/a n/a false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Require a tag on resources",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Enforces existence of a tag. Does not apply to resource groups.",
    "metadata": {
      "version": "1.0.1",
      "category": "Tags"
    },
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Name",
          "description": "Name of the tag, such as 'environment'"
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "[concat('tags[', parameters('tagName'), ']')]",
        "exists": "false"
      },
      "then": {
        "effect": "deny"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/871b6d14-10aa-478d-b590-94f262ecfa99",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "871b6d14-10aa-478d-b590-94f262ecfa99"
}
BuiltIn Tags False False n/a n/a n/a false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Require automatic OS image patching on Virtual Machine Scale Sets",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy enforces enabling automatic OS image patching on Virtual Machine Scale Sets to always keep Virtual Machines secure by safely applying latest security patches every month.",
    "metadata": {
      "version": "1.0.0",
      "category": "Compute"
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachineScaleSets"
          },
          {
            "field": "Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgradePolicy.enableAutomaticOSUpgrade",
            "notEquals": "True"
          },
          {
            "field": "Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgrade",
            "notEquals": "True"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/465f0161-0087-490a-9ad9-ad6217f4f43a",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "465f0161-0087-490a-9ad9-ad6217f4f43a"
}
BuiltIn Compute False False n/a n/a n/a false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Require encryption on Data Lake Store accounts",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy ensures encryption is enabled on all Data Lake Store accounts",
    "metadata": {
      "version": "1.0.0",
      "category": "Data Lake"
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DataLakeStore/accounts"
          },
          {
            "field": "Microsoft.DataLakeStore/accounts/encryptionState",
            "equals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/a7ff3161-0087-490a-9ad9-ad6217f4f43a",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "a7ff3161-0087-490a-9ad9-ad6217f4f43a"
}
BuiltIn Data Lake False False n/a n/a n/a false 0 n/a true 2 HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de) n/a
{
  "properties": {
    "displayName": "Resource logs in App Services should be enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised.",
    "metadata": {
      "version": "1.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "requiredRetentionDays": {
        "type": "String",
        "metadata": {
          "displayName": "Required retention (days)",
          "description": "The required resource logs retention in days"
        },
        "defaultValue": "365"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "notContains": "functionapp"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "existenceCondition": {
            "count": {
              "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
              "where": {
                "anyOf": [
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled",
                        "equals": "true"
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days",
                            "equals": "0"
                          },
                          {
                            "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days",
                            "greaterOrEquals": "[parameters('requiredRetentionDays')]"
                          }
                        ]
                      },
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                        "equals": "true"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                        "equals": "true"
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled",
                            "notEquals": "true"
                          },
                          {
                            "field": "Microsoft.Insights/diagnosticSettings/storageAccountId",
                            "exists": false
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            },
            "greaterOrEquals": 1
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/91a78b24-f231-4a8a-8da9-02c35b2b6510",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "91a78b24-f231-4a8a-8da9-02c35b2b6510"
}
BuiltIn App Service False False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Resource logs in Azure Data Lake Store should be enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised",
    "metadata": {
      "version": "5.0.0",
      "category": "Data Lake"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "requiredRetentionDays": {
        "type": "String",
        "metadata": {
          "displayName": "Required retention (days)",
          "description": "The required resource logs retention in days"
        },
        "defaultValue": "365"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.DataLakeStore/accounts"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "existenceCondition": {
            "count": {
              "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
              "where": {
                "anyOf": [
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled",
                        "equals": "true"
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days",
                            "equals": "0"
                          },
                          {
                            "value": "[padLeft(current('Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days'), 3, '0')]",
                            "greaterOrEquals": "[padLeft(parameters('requiredRetentionDays'), 3, '0')]"
                          }
                        ]
                      },
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                        "equals": "true"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                        "equals": "true"
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled",
                            "notEquals": "true"
                          },
                          {
                            "field": "Microsoft.Insights/diagnosticSettings/storageAccountId",
                            "exists": false
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            },
            "greaterOrEquals": 1
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "057ef27e-665e-4328-8ea3-04b3122bd9fb"
}
BuiltIn Data Lake False False n/a n/a AuditIfNotExists false 0 n/a true 10 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Resource logs in Azure Key Vault Managed HSM should be enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "To recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised, you may want to audit by enabling resource logs on Managed HSMs. Please follow the instructions here: https://docs.microsoft.com/azure/key-vault/managed-hsm/logging.",
    "metadata": {
      "version": "1.0.0",
      "category": "Key Vault"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "requiredRetentionDays": {
        "type": "String",
        "metadata": {
          "displayName": "Required retention (days)",
          "description": "The required resource logs retention in days"
        },
        "defaultValue": "365"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.KeyVault/managedHsms"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "existenceCondition": {
            "count": {
              "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
              "where": {
                "anyOf": [
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled",
                        "equals": "true"
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days",
                            "equals": "0"
                          },
                          {
                            "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days",
                            "equals": "[parameters('requiredRetentionDays')]"
                          }
                        ]
                      },
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                        "equals": "true"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                        "equals": "true"
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled",
                            "notEquals": "true"
                          },
                          {
                            "field": "Microsoft.Insights/diagnosticSettings/storageAccountId",
                            "exists": false
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            },
            "greaterOrEquals": 1
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/a2a5b911-5617-447e-a49e-59dbe0e0434b",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "a2a5b911-5617-447e-a49e-59dbe0e0434b"
}
BuiltIn Key Vault False False n/a n/a AuditIfNotExists false 0 n/a true 2 CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab) n/a
{
  "properties": {
    "displayName": "Resource logs in Azure Stream Analytics should be enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised",
    "metadata": {
      "version": "5.0.0",
      "category": "Stream Analytics"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "requiredRetentionDays": {
        "type": "String",
        "metadata": {
          "displayName": "Required retention (days)",
          "description": "The required resource logs retention in days"
        },
        "defaultValue": "365"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.StreamAnalytics/streamingJobs"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "existenceCondition": {
            "count": {
              "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
              "where": {
                "anyOf": [
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled",
                        "equals": "true"
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days",
                            "equals": "0"
                          },
                          {
                            "value": "[padLeft(current('Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days'), 3, '0')]",
                            "greaterOrEquals": "[padLeft(parameters('requiredRetentionDays'), 3, '0')]"
                          }
                        ]
                      },
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                        "equals": "true"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                        "equals": "true"
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled",
                            "notEquals": "true"
                          },
                          {
                            "field": "Microsoft.Insights/diagnosticSettings/storageAccountId",
                            "exists": false
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            },
            "greaterOrEquals": 1
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "f9be5368-9bf5-4b84-9e0a-7850da98bb46"
}
BuiltIn Stream Analytics False False n/a n/a AuditIfNotExists false 0 n/a true 11 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Resource logs in Batch accounts should be enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised",
    "metadata": {
      "version": "5.0.0",
      "category": "Batch"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "requiredRetentionDays": {
        "type": "String",
        "metadata": {
          "displayName": "Required retention (days)",
          "description": "The required resource logs retention in days"
        },
        "defaultValue": "365"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Batch/batchAccounts"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "existenceCondition": {
            "count": {
              "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
              "where": {
                "anyOf": [
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled",
                        "equals": "true"
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days",
                            "equals": "0"
                          },
                          {
                            "value": "[padLeft(current('Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days'), 3, '0')]",
                            "greaterOrEquals": "[padLeft(parameters('requiredRetentionDays'), 3, '0')]"
                          }
                        ]
                      },
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                        "equals": "true"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                        "equals": "true"
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled",
                            "notEquals": "true"
                          },
                          {
                            "field": "Microsoft.Insights/diagnosticSettings/storageAccountId",
                            "exists": false
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            },
            "greaterOrEquals": 1
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "428256e6-1fac-4f48-a757-df34c2b3336d"
}
BuiltIn Batch False False n/a n/a AuditIfNotExists false 0 n/a true 10 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Resource logs in Data Lake Analytics should be enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised",
    "metadata": {
      "version": "5.0.0",
      "category": "Data Lake"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "requiredRetentionDays": {
        "type": "String",
        "metadata": {
          "displayName": "Required retention (days)",
          "description": "The required resource logs retention in days"
        },
        "defaultValue": "365"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.DataLakeAnalytics/accounts"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "existenceCondition": {
            "count": {
              "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
              "where": {
                "anyOf": [
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled",
                        "equals": "true"
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days",
                            "equals": "0"
                          },
                          {
                            "value": "[padLeft(current('Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days'), 3, '0')]",
                            "greaterOrEquals": "[padLeft(parameters('requiredRetentionDays'), 3, '0')]"
                          }
                        ]
                      },
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                        "equals": "true"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                        "equals": "true"
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled",
                            "notEquals": "true"
                          },
                          {
                            "field": "Microsoft.Insights/diagnosticSettings/storageAccountId",
                            "exists": false
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            },
            "greaterOrEquals": 1
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c95c74d9-38fe-4f0d-af86-0c7d626a315c"
}
BuiltIn Data Lake False False n/a n/a AuditIfNotExists false 0 n/a true 10 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Resource logs in Event Hub should be enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised",
    "metadata": {
      "version": "5.0.0",
      "category": "Event Hub"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "requiredRetentionDays": {
        "type": "String",
        "metadata": {
          "displayName": "Required retention (days)",
          "description": "The required resource logs retention in days"
        },
        "defaultValue": "365"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.EventHub/namespaces"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "existenceCondition": {
            "count": {
              "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
              "where": {
                "anyOf": [
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled",
                        "equals": "true"
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days",
                            "equals": "0"
                          },
                          {
                            "value": "[padLeft(current('Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days'), 3, '0')]",
                            "greaterOrEquals": "[padLeft(parameters('requiredRetentionDays'), 3, '0')]"
                          }
                        ]
                      },
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                        "equals": "true"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                        "equals": "true"
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled",
                            "notEquals": "true"
                          },
                          {
                            "field": "Microsoft.Insights/diagnosticSettings/storageAccountId",
                            "exists": false
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            },
            "greaterOrEquals": 1
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "83a214f7-d01a-484b-91a9-ed54470c9a6a"
}
BuiltIn Event Hub False False n/a n/a AuditIfNotExists false 0 n/a true 10 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Resource logs in IoT Hub should be enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised",
    "metadata": {
      "version": "3.0.1",
      "category": "Internet of Things"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "requiredRetentionDays": {
        "type": "String",
        "metadata": {
          "displayName": "Required retention (days)",
          "description": "The required resource logs retention in days"
        },
        "defaultValue": "365"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Devices/IotHubs"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "existenceCondition": {
            "count": {
              "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
              "where": {
                "anyOf": [
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled",
                        "equals": "true"
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days",
                            "equals": "0"
                          },
                          {
                            "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days",
                            "greaterOrEquals": "[parameters('requiredRetentionDays')]"
                          }
                        ]
                      },
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                        "equals": "true"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "not": {
                          "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled",
                          "equals": "true"
                        }
                      },
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                        "equals": "true"
                      }
                    ]
                  }
                ]
              }
            },
            "greaterOrEquals": 1
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "383856f8-de7f-44a2-81fc-e5135b5c2aa4"
}
BuiltIn Internet of Things False False n/a n/a AuditIfNotExists false 0 n/a true 11 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Resource logs in Key Vault should be enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised",
    "metadata": {
      "version": "5.0.0",
      "category": "Key Vault"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "requiredRetentionDays": {
        "type": "String",
        "metadata": {
          "displayName": "Required retention (days)",
          "description": "The required resource logs retention in days"
        },
        "defaultValue": "365"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.KeyVault/vaults"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "existenceCondition": {
            "count": {
              "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
              "where": {
                "anyOf": [
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled",
                        "equals": "true"
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days",
                            "equals": "0"
                          },
                          {
                            "value": "[padLeft(current('Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days'), 3, '0')]",
                            "greaterOrEquals": "[padLeft(parameters('requiredRetentionDays'), 3, '0')]"
                          }
                        ]
                      },
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                        "equals": "true"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                        "equals": "true"
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled",
                            "notEquals": "true"
                          },
                          {
                            "field": "Microsoft.Insights/diagnosticSettings/storageAccountId",
                            "exists": false
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            },
            "greaterOrEquals": 1
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "cf820ca0-f99e-4f3e-84fb-66e913812d21"
}
BuiltIn Key Vault False False n/a n/a AuditIfNotExists false 0 n/a true 11 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Resource logs in Logic Apps should be enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised",
    "metadata": {
      "version": "5.0.0",
      "category": "Logic Apps"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "requiredRetentionDays": {
        "type": "String",
        "metadata": {
          "displayName": "Required retention (days)",
          "description": "The required resource logs retention in days"
        },
        "defaultValue": "365"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Logic/workflows"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "existenceCondition": {
            "count": {
              "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
              "where": {
                "anyOf": [
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled",
                        "equals": "true"
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days",
                            "equals": "0"
                          },
                          {
                            "value": "[padLeft(current('Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days'), 3, '0')]",
                            "greaterOrEquals": "[padLeft(parameters('requiredRetentionDays'), 3, '0')]"
                          }
                        ]
                      },
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                        "equals": "true"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                        "equals": "true"
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled",
                            "notEquals": "true"
                          },
                          {
                            "field": "Microsoft.Insights/diagnosticSettings/storageAccountId",
                            "exists": false
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            },
            "greaterOrEquals": 1
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "34f95f76-5386-4de7-b824-0d8478470c9d"
}
BuiltIn Logic Apps False False n/a n/a AuditIfNotExists false 0 n/a true 11 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Preview]: Motion Picture Association of America (MPAA) (/providers/microsoft.authorization/policysetdefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Resource logs in Search services should be enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised",
    "metadata": {
      "version": "5.0.0",
      "category": "Search"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "requiredRetentionDays": {
        "type": "String",
        "metadata": {
          "displayName": "Required retention (days)",
          "description": "The required resource logs retention in days"
        },
        "defaultValue": "365"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Search/searchServices"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "existenceCondition": {
            "count": {
              "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
              "where": {
                "anyOf": [
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled",
                        "equals": "true"
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days",
                            "equals": "0"
                          },
                          {
                            "value": "[padLeft(current('Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days'), 3, '0')]",
                            "greaterOrEquals": "[padLeft(parameters('requiredRetentionDays'), 3, '0')]"
                          }
                        ]
                      },
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                        "equals": "true"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                        "equals": "true"
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled",
                            "notEquals": "true"
                          },
                          {
                            "field": "Microsoft.Insights/diagnosticSettings/storageAccountId",
                            "exists": false
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            },
            "greaterOrEquals": 1
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b4330a05-a843-4bc8-bf9a-cacce50c67f4"
}
BuiltIn Search False False n/a n/a AuditIfNotExists false 0 n/a true 11 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Preview]: Motion Picture Association of America (MPAA) (/providers/microsoft.authorization/policysetdefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Resource logs in Service Bus should be enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised",
    "metadata": {
      "version": "5.0.0",
      "category": "Service Bus"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "requiredRetentionDays": {
        "type": "String",
        "metadata": {
          "displayName": "Required retention (days)",
          "description": "The required resource logs retention in days"
        },
        "defaultValue": "365"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.ServiceBus/namespaces"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "existenceCondition": {
            "count": {
              "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
              "where": {
                "anyOf": [
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled",
                        "equals": "true"
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days",
                            "equals": "0"
                          },
                          {
                            "value": "[padLeft(current('Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days'), 3, '0')]",
                            "greaterOrEquals": "[padLeft(parameters('requiredRetentionDays'), 3, '0')]"
                          }
                        ]
                      },
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                        "equals": "true"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                        "equals": "true"
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled",
                            "notEquals": "true"
                          },
                          {
                            "field": "Microsoft.Insights/diagnosticSettings/storageAccountId",
                            "exists": false
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            },
            "greaterOrEquals": 1
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "f8d36e2f-389b-4ee4-898d-21aeb69a0f45"
}
BuiltIn Service Bus False False n/a n/a AuditIfNotExists false 0 n/a true 10 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Resource logs in Virtual Machine Scale Sets should be enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise.",
    "metadata": {
      "version": "2.0.1",
      "category": "Compute"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "includeAKSClusters": {
        "type": "Boolean",
        "metadata": {
          "displayName": "Include AKS Clusters",
          "description": "Whether to include AKS Clusters to resource logs extension - True or False"
        },
        "defaultValue": false
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachineScaleSets"
              },
              {
                "value": "[parameters('includeAKSClusters')]",
                "equals": true
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachineScaleSets"
              },
              {
                "value": "[parameters('includeAKSClusters')]",
                "equals": false
              },
              {
                "field": "Microsoft.Compute/imagePublisher",
                "notEquals": "microsoft-aks"
              },
              {
                "field": "Microsoft.Compute/imageOffer",
                "notEquals": "aks"
              },
              {
                "field": "Microsoft.Compute/imageSKU",
                "notLike": "aks*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Compute/virtualMachineScaleSets/extensions",
          "existenceCondition": {
            "anyOf": [
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/type",
                    "equals": "IaaSDiagnostics"
                  },
                  {
                    "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/publisher",
                    "equals": "Microsoft.Azure.Diagnostics"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/type",
                    "equals": "LinuxDiagnostic"
                  },
                  {
                    "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/publisher",
                    "in": [
                      "Microsoft.OSTCExtensions",
                      "Microsoft.Azure.Diagnostics"
                    ]
                  }
                ]
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "7c1b1214-f927-48bf-8882-84f0af6588b1"
}
BuiltIn Compute False False n/a n/a AuditIfNotExists false 0 n/a true 10 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Role-Based Access Control (RBAC) should be used on Kubernetes Services",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies.",
    "metadata": {
      "version": "1.0.2",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ContainerService/managedClusters"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.ContainerService/managedClusters/enableRBAC",
                "exists": "false"
              },
              {
                "field": "Microsoft.ContainerService/managedClusters/enableRBAC",
                "equals": "false"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ac4a19c2-fa67-49b4-8ae5-0b2e78c49457"
}
BuiltIn Security Center False False n/a n/a Audit false 0 n/a true 10 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Preview]: Motion Picture Association of America (MPAA) (/providers/microsoft.authorization/policysetdefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f) n/a
{
  "properties": {
    "displayName": "Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Link storage account to Log Analytics workspace to protect saved-queries with storage account encryption. Customer-managed keys are commonly required to meet regulatory compliance and for more control over the access to your saved-queries in Azure Monitor. For more details on the above, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys?tabs=portal#customer-managed-key-for-saved-queries.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The effect determines what happens when the policy rule is evaluated to match"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.OperationalInsights/workspaces"
          },
          {
            "not": {
              "field": "Microsoft.OperationalInsights/workspaces/forceCmkForQuery",
              "equals": "true"
            }
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/fa298e57-9444-42ba-bf04-86e8470e32c7",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "fa298e57-9444-42ba-bf04-86e8470e32c7"
}
BuiltIn Monitoring False False n/a n/a audit false 0 n/a true 4 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Secure transfer to storage accounts should be enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",
    "metadata": {
      "version": "2.0.0",
      "category": "Storage"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The effect determines what happens when the policy rule is evaluated to match"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "anyOf": [
              {
                "allOf": [
                  {
                    "value": "[requestContext().apiVersion]",
                    "less": "2019-04-01"
                  },
                  {
                    "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                    "exists": "false"
                  }
                ]
              },
              {
                "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                "equals": "false"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "404c3081-a854-4457-ae30-26a93ef643f9"
}
BuiltIn Storage False False n/a n/a Audit true 1 /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-storage-http (Enforce-Secure-Storage) true 21 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), PCI v3.2.1:2018 (/providers/microsoft.authorization/policysetdefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Security Center standard pricing tier should be selected",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "The standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in Azure Security Center",
    "metadata": {
      "version": "1.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Security/pricings"
          },
          {
            "field": "Microsoft.Security/pricings/pricingTier",
            "exists": "true"
          },
          {
            "field": "Microsoft.Security/pricings/pricingTier",
            "notEquals": "Standard"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/a1181c5f-672a-477a-979a-7d58aa086233",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "a1181c5f-672a-477a-979a-7d58aa086233"
}
BuiltIn Security Center False False n/a n/a Audit false 0 n/a true 1 [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de) n/a
{
  "properties": {
    "displayName": "Service Bus namespaces should have double encryption enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys.",
    "metadata": {
      "version": "1.0.0",
      "category": "Service Bus"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the audit policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ServiceBus/namespaces"
          },
          {
            "field": "Microsoft.ServiceBus/namespaces/sku.tier",
            "equals": "Premium"
          },
          {
            "field": "Microsoft.ServiceBus/namespaces/encryption.requireInfrastructureEncryption",
            "notEquals": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/ebaf4f25-a4e8-415f-86a8-42d9155bef0b",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ebaf4f25-a4e8-415f-86a8-42d9155bef0b"
}
BuiltIn Service Bus False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Service Bus Premium namespaces should use a customer-managed key for encryption",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Service Bus supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Service Bus will use to encrypt data in your namespace. Note that Service Bus only supports encryption with customer-managed keys for premium namespaces.",
    "metadata": {
      "version": "1.0.0",
      "category": "Service Bus"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ServiceBus/namespaces"
          },
          {
            "field": "Microsoft.ServiceBus/namespaces/sku.tier",
            "equals": "Premium"
          },
          {
            "not": {
              "field": "Microsoft.ServiceBus/namespaces/encryption.keySource",
              "equals": "Microsoft.Keyvault"
            }
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/295fc8b1-dc9f-4f53-9c61-3f313ceab40a",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "295fc8b1-dc9f-4f53-9c61-3f313ceab40a"
}
BuiltIn Service Bus False False n/a n/a Audit false 0 n/a true 4 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed",
    "metadata": {
      "version": "1.1.0",
      "category": "Service Fabric"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The effect determines what happens when the policy rule is evaluated to match"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ServiceFabric/clusters"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.ServiceFabric/clusters/fabricSettings[*].name",
                "notEquals": "Security"
              },
              {
                "field": "Microsoft.ServiceFabric/clusters/fabricSettings[*].parameters[*].name",
                "notEquals": "ClusterProtectionLevel"
              },
              {
                "field": "Microsoft.ServiceFabric/clusters/fabricSettings[*].parameters[*].value",
                "notEquals": "EncryptAndSign"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "617c02be-7f02-4efd-8836-3180d47b6c68"
}
BuiltIn Service Fabric False False n/a n/a Audit false 0 n/a true 11 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), PCI v3.2.1:2018 (/providers/microsoft.authorization/policysetdefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Service Fabric clusters should only use Azure Active Directory for client authentication",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Audit usage of client authentication only via Azure Active Directory in Service Fabric",
    "metadata": {
      "version": "1.1.0",
      "category": "Service Fabric"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The effect determines what happens when the policy rule is evaluated to match"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ServiceFabric/clusters"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.ServiceFabric/clusters/azureActiveDirectory.tenantId",
                "exists": "false"
              },
              {
                "field": "Microsoft.ServiceFabric/clusters/azureActiveDirectory.tenantId",
                "equals": ""
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b54ed75b-3e1a-44ac-a333-05ba39b99ff0"
}
BuiltIn Service Fabric False False n/a n/a Audit false 0 n/a true 15 IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Service principals should be used to protect your subscriptions instead of management certificates",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, use of service principals with Resource Manager is recommended to limit the impact of a certificate compromise.",
    "metadata": {
      "version": "1.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "Microsoft.Resources/subscriptions"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "2acd365d-e8b5-4094-bce4-244b7c51d67c",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/6646a0bd-e110-40ca-bb97-84fcee63c414",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "6646a0bd-e110-40ca-bb97-84fcee63c414"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 6 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Shared dashboards should not have markdown tiles with inline content",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disallow creating a shared dashboard that has inline content in markdown tiles and enforce that the content should be stored as a markdown file that's hosted online. If you use inline content in the markdown tile, you cannot manage encryption of the content. By configuring your own storage, you can encrypt, double encrypt and even bring your own keys. Enabling this policy restricts users to use 2020-09-01-preview or above version of shared dashboards REST API.",
    "metadata": {
      "version": "1.0.0",
      "category": "Portal"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The effect determines what happens when the policy rule is evaluated to match"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Portal/dashboards"
          },
          {
            "anyof": [
              {
                "not": {
                  "value": "[requestContext().apiVersion]",
                  "greaterOrEquals": "2020-09-01-alpha"
                }
              },
              {
                "count": {
                  "field": "Microsoft.Portal/dashboards/lenses[*].parts[*]",
                  "where": {
                    "allOf": [
                      {
                        "field": "Microsoft.Portal/dashboards/lenses[*].parts[*].metadata.type",
                        "equals": "Extension/HubsExtension/PartType/MarkdownPart"
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Portal/dashboards/lenses[*].parts[*].metadata.Extension-HubsExtension-PartType-MarkdownPart.settings.content.settings.markdownUri",
                            "exists": "false"
                          },
                          {
                            "field": "Microsoft.Portal/dashboards/lenses[*].parts[*].metadata.Extension-HubsExtension-PartType-MarkdownPart.settings.content.settings.markdownSource",
                            "exists": "false"
                          },
                          {
                            "field": "Microsoft.Portal/dashboards/lenses[*].parts[*].metadata.Extension-HubsExtension-PartType-MarkdownPart.settings.content.settings.markdownSource",
                            "equals": "1"
                          }
                        ]
                      }
                    ]
                  }
                },
                "greater": 0
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/04c655fe-0ac7-48ae-9a32-3a2e208c7624",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "04c655fe-0ac7-48ae-9a32-3a2e208c7624"
}
BuiltIn Portal False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "SQL Auditing settings should have Action-Groups configured to capture critical activities",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "The AuditActionsAndGroups property should contain at least SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, BATCH_COMPLETED_GROUP to ensure a thorough audit logging",
    "metadata": {
      "version": "1.0.0",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Sql/servers"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Sql/servers/auditingSettings",
          "name": "default",
          "existenceCondition": {
            "allOf": [
              {
                "not": {
                  "field": "Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]",
                  "notEquals": "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]",
                  "notEquals": "FAILED_DATABASE_AUTHENTICATION_GROUP"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]",
                  "notEquals": "BATCH_COMPLETED_GROUP"
                }
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/7ff426e2-515f-405a-91c8-4f2333442eb5",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "7ff426e2-515f-405a-91c8-4f2333442eb5"
}
BuiltIn SQL False False n/a n/a AuditIfNotExists false 0 n/a true 2 CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92) n/a
{
  "properties": {
    "displayName": "SQL Database should avoid using GRS backup redundancy",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Databases should avoid using the default geo-redundant storage for backups, if data residency rules require data to stay within a specific region. Note: Azure Policy is not enforced when creating a database using T-SQL. If not explicitly specified, database with geo-redundant backup storage is created via T-SQL.",
    "metadata": {
      "version": "2.0.0",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Sql/servers/databases"
          },
          {
            "field": "Microsoft.Sql/servers/databases/edition",
            "notEquals": "DataWarehouse"
          },
          {
            "anyOf": [
              {
                "allOf": [
                  {
                    "value": "[requestContext().apiVersion]",
                    "lessOrEquals": "2020-08-01-preview"
                  },
                  {
                    "not": {
                      "anyOf": [
                        {
                          "field": "Microsoft.Sql/servers/databases/storageAccountType",
                          "equals": "LRS"
                        },
                        {
                          "field": "Microsoft.Sql/servers/databases/storageAccountType",
                          "equals": "ZRS"
                        }
                      ]
                    }
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "value": "[requestContext().apiVersion]",
                    "greater": "2020-08-01-preview"
                  },
                  {
                    "not": {
                      "anyOf": [
                        {
                          "field": "Microsoft.Sql/servers/databases/requestedBackupStorageRedundancy",
                          "equals": "Local"
                        },
                        {
                          "field": "Microsoft.Sql/servers/databases/requestedBackupStorageRedundancy",
                          "equals": "Zone"
                        }
                      ]
                    }
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/b219b9cf-f672-4f96-9ab0-f5a3ac5e1c13",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b219b9cf-f672-4f96-9ab0-f5a3ac5e1c13"
}
BuiltIn SQL False False n/a n/a Deny false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "SQL databases should have vulnerability findings resolved",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities.",
    "metadata": {
      "version": "4.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "Microsoft.Sql/servers",
          "Microsoft.Sql/managedinstances"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "82e20e14-edc5-4373-bfc4-f13121257c37",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "feedbf84-6b99-488c-acc2-71c829aa5ffc"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 20 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), PCI v3.2.1:2018 (/providers/microsoft.authorization/policysetdefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), [Preview]: Motion Picture Association of America (MPAA) (/providers/microsoft.authorization/policysetdefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "SQL Managed Instance should have the minimal TLS version of 1.2",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.",
    "metadata": {
      "version": "1.0.1",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Sql/managedInstances"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Sql/managedInstances/minimalTlsVersion",
                "exists": false
              },
              {
                "field": "Microsoft.Sql/managedInstances/minimalTlsVersion",
                "notEquals": "1.2"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "a8793640-60f7-487c-b5c3-1d37215905c4"
}
BuiltIn SQL False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "SQL Managed Instances should avoid using GRS backup redundancy",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Managed Instances should avoid using the default geo-redundant storage for backups, if data residency rules require data to stay within a specific region. Note: Azure Policy is not enforced when creating a database using T-SQL. If not explicitly specified, database with geo-redundant backup storage is created via T-SQL.",
    "metadata": {
      "version": "1.0.1",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Sql/managedInstances"
          },
          {
            "not": {
              "anyOf": [
                {
                  "field": "Microsoft.Sql/managedInstances/storageAccountType",
                  "equals": "LRS"
                },
                {
                  "field": "Microsoft.Sql/managedInstances/storageAccountType",
                  "equals": "ZRS"
                }
              ]
            }
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/a9934fd7-29f2-4e6d-ab3d-607ea38e9079",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "a9934fd7-29f2-4e6d-ab3d-607ea38e9079"
}
BuiltIn SQL False False n/a n/a Deny false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "SQL managed instances should use customer-managed keys to encrypt data at rest",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.",
    "metadata": {
      "version": "1.0.2",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Sql/managedInstances"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Sql/managedInstances/encryptionProtector",
          "name": "current",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Sql/managedInstances/encryptionProtector/serverKeyType",
                "equals": "AzureKeyVault"
              },
              {
                "field": "Microsoft.Sql/managedInstances/encryptionProtector/uri",
                "notEquals": ""
              },
              {
                "field": "Microsoft.Sql/managedInstances/encryptionProtector/uri",
                "exists": "true"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "048248b0-55cd-46da-b1ff-39efd52db260"
}
BuiltIn SQL False False n/a n/a AuditIfNotExists false 0 n/a true 12 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "SQL Server Integration Services integration runtimes on Azure Data Factory should be joined to a virtual network",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Azure Virtual Network deployment provides enhanced security and isolation for your SQL Server Integration Services integration runtimes on Azure Data Factory, as well as subnets, access control policies, and other features to further restrict access.",
    "metadata": {
      "version": "2.0.0",
      "category": "Data Factory"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The effect determines what happens when the policy rule is evaluated to match."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DataFactory/factories/integrationRuntimes"
          },
          {
            "field": "Microsoft.DataFactory/factories/integrationruntimes/type",
            "equals": "Managed"
          },
          {
            "field": "Microsoft.DataFactory/factories/integrationRuntimes/Managed.typeProperties.computeProperties.vnetProperties.vnetId",
            "exists": "false"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0088bc63-6dee-4a9c-9d29-91cfdc848952",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0088bc63-6dee-4a9c-9d29-91cfdc848952"
}
BuiltIn Data Factory False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "SQL Server should use a virtual network service endpoint",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy audits any SQL Server not configured to use a virtual network service endpoint.",
    "metadata": {
      "version": "1.0.0",
      "category": "Network"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Sql/servers"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Sql/servers/virtualNetworkRules",
          "existenceCondition": {
            "field": "Microsoft.Sql/servers/virtualNetworkRules/virtualNetworkSubnetId",
            "exists": "true"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/ae5d2f14-d830-42b6-9899-df6cfe9c71a3",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ae5d2f14-d830-42b6-9899-df6cfe9c71a3"
}
BuiltIn Network False False n/a n/a AuditIfNotExists false 0 n/a true 2 [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab) n/a
{
  "properties": {
    "displayName": "SQL servers on machines should have vulnerability findings resolved",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",
    "metadata": {
      "version": "1.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "Microsoft.Compute/virtualMachines",
          "Microsoft.HybridCompute/machines"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "f97aa83c-9b63-4f9a-99f6-b22c4398f936",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "6ba6d016-e7c3-4842-b8f2-4992ebc0d72d"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 6 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "SQL servers should use customer-managed keys to encrypt data at rest",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.",
    "metadata": {
      "version": "2.0.1",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Sql/servers"
          },
          {
            "field": "kind",
            "notContains": "analytics"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Sql/servers/encryptionProtector",
          "name": "current",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Sql/servers/encryptionProtector/serverKeyType",
                "equals": "AzureKeyVault"
              },
              {
                "field": "Microsoft.Sql/servers/encryptionProtector/uri",
                "notEquals": ""
              },
              {
                "field": "Microsoft.Sql/servers/encryptionProtector/uri",
                "exists": "true"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0d134df8-db83-46fb-ad72-fe0c9428c8dd"
}
BuiltIn SQL False False n/a n/a AuditIfNotExists false 0 n/a true 12 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "SQL servers with auditing to storage account destination should be configured with 90 days retention or higher",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "For incident investigation purposes, we recommend setting the data retention for your SQL Server' auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards.",
    "metadata": {
      "version": "3.0.0",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Sql/servers"
          },
          {
            "field": "kind",
            "notContains": "analytics"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Sql/servers/auditingSettings",
          "name": "default",
          "existenceCondition": {
            "anyOf": [
              {
                "allOf": [
                  {
                    "field": "Microsoft.Sql/servers/auditingSettings/isAzureMonitorTargetEnabled",
                    "equals": true
                  },
                  {
                    "field": "Microsoft.Sql/servers/auditingSettings/storageEndpoint",
                    "equals": ""
                  }
                ]
              },
              {
                "field": "Microsoft.Sql/servers/auditingSettings/retentionDays",
                "equals": 0
              },
              {
                "field": "Microsoft.Sql/servers/auditingSettings/retentionDays",
                "greaterOrEquals": 90
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "89099bee-89e0-4b26-a5f4-165451757743"
}
BuiltIn SQL False False n/a n/a AuditIfNotExists false 0 n/a true 9 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Preview]: Motion Picture Association of America (MPAA) (/providers/microsoft.authorization/policysetdefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "SSH access from the Internet should be blocked",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy audits any network security rule that allows SSH access from Internet",
    "metadata": {
      "version": "2.0.0",
      "category": "Network"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
          },
          {
            "allOf": [
              {
                "field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
                "equals": "Allow"
              },
              {
                "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
                "equals": "Inbound"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
                    "equals": "*"
                  },
                  {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
                    "equals": "22"
                  },
                  {
                    "value": "[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),22),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),22)), 'false')]",
                    "equals": "true"
                  },
                  {
                    "count": {
                      "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                      "where": {
                        "value": "[if(and(not(empty(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')))), contains(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-')), and(lessOrEquals(int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),22),greaterOrEquals(int(last(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),22)) , 'false')]",
                        "equals": "true"
                      }
                    },
                    "greater": 0
                  },
                  {
                    "not": {
                      "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                      "notEquals": "*"
                    }
                  },
                  {
                    "not": {
                      "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                      "notEquals": "22"
                    }
                  }
                ]
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
                    "equals": "*"
                  },
                  {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
                    "equals": "Internet"
                  },
                  {
                    "not": {
                      "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
                      "notEquals": "*"
                    }
                  },
                  {
                    "not": {
                      "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
                      "notEquals": "Internet"
                    }
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fab",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "2c89a2e5-7285-40fe-afe0-ae8654b92fab"
}
BuiltIn Network False False n/a n/a Audit false 0 n/a true 4 CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b) n/a
{
  "properties": {
    "displayName": "Storage account containing the container with activity logs must be encrypted with BYOK",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at rest can be found here https://aka.ms/azurestoragebyok. ",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Insights/logProfiles"
          },
          {
            "field": "Microsoft.Insights/logProfiles/storageAccountId",
            "exists": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Storage/storageAccounts",
          "existenceScope": "subscription",
          "existenceCondition": {
            "allOf": [
              {
                "value": "[contains(field('Microsoft.Insights/logProfiles/storageAccountId'), subscription().Id)]",
                "equals": "true"
              },
              {
                "field": "name",
                "equals": "[last(split(field('Microsoft.Insights/logProfiles/storageAccountId'),'/'))]"
              },
              {
                "field": "Microsoft.Storage/storageAccounts/encryption.keySource",
                "equals": "Microsoft.Keyvault"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/fbb99e8e-e444-4da0-9ff1-75c92f5a85b2",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "fbb99e8e-e444-4da0-9ff1-75c92f5a85b2"
}
BuiltIn Monitoring False False n/a n/a AuditIfNotExists false 0 n/a true 2 CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c) n/a
{
  "properties": {
    "displayName": "Storage account encryption scopes should use customer-managed keys to encrypt data at rest",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Use customer-managed keys to manage the encryption at rest of your storage account encryption scopes. Customer-managed keys enable the data to be encrypted with an Azure key-vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about storage account encryption scopes at https://aka.ms/encryption-scopes-overview.",
    "metadata": {
      "version": "1.0.0",
      "category": "Storage"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the audit policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts/encryptionScopes"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/encryptionScopes/source",
            "notEquals": "Microsoft.Keyvault"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/b5ec538c-daa0-4006-8596-35468b9148e8",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b5ec538c-daa0-4006-8596-35468b9148e8"
}
BuiltIn Storage False False n/a n/a Audit false 0 n/a true 4 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Storage account keys should not be expired",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Ensure the user storage account keys are not expired when key expiration policy is set, for improving security of account keys by taking action when the keys are expired.",
    "metadata": {
      "version": "3.0.0",
      "category": "Storage"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Audit allows a non-compliant resource to be created, but flags it as non-compliant. Deny blocks the resource creation and update. Disable turns off the policy."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "anyOf": [
              {
                "value": "[utcNow()]",
                "greater": "[if(and(not(empty(coalesce(field('Microsoft.Storage/storageAccounts/keyCreationTime.key1'), ''))), not(empty(string(coalesce(field('Microsoft.Storage/storageAccounts/keyPolicy.keyExpirationPeriodInDays'), ''))))), addDays(field('Microsoft.Storage/storageAccounts/keyCreationTime.key1'), field('Microsoft.Storage/storageAccounts/keyPolicy.keyExpirationPeriodInDays')), utcNow())]"
              },
              {
                "value": "[utcNow()]",
                "greater": "[if(and(not(empty(coalesce(field('Microsoft.Storage/storageAccounts/keyCreationTime.key2'), ''))), not(empty(string(coalesce(field('Microsoft.Storage/storageAccounts/keyPolicy.keyExpirationPeriodInDays'), ''))))), addDays(field('Microsoft.Storage/storageAccounts/keyCreationTime.key2'), field('Microsoft.Storage/storageAccounts/keyPolicy.keyExpirationPeriodInDays')), utcNow())]"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "044985bb-afe1-42cd-8a36-9d5d42424537"
}
BuiltIn Storage False False n/a n/a Audit false 0 n/a true 1 New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a) n/a
{
  "properties": {
    "displayName": "Storage accounts should allow access from trusted Microsoft services",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account.",
    "metadata": {
      "version": "1.0.0",
      "category": "Storage"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The effect determines what happens when the policy rule is evaluated to match"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/networkAcls.bypass",
            "exists": "true"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/networkAcls.bypass",
            "notContains": "AzureServices"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c9d007d0-c057-4772-b18c-01e546713bcd",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c9d007d0-c057-4772-b18c-01e546713bcd"
}
BuiltIn Storage False False n/a n/a Audit false 0 n/a true 3 CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de) n/a
{
  "properties": {
    "displayName": "Storage accounts should be limited by allowed SKUs",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Restrict the set of storage account SKUs that your organization can deploy.",
    "metadata": {
      "version": "1.1.0",
      "category": "Storage"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the audit policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Deny"
      },
      "listOfAllowedSKUs": {
        "type": "Array",
        "metadata": {
          "description": "The list of SKUs that can be specified for storage accounts.",
          "displayName": "Allowed SKUs",
          "strongType": "StorageSKUs"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "not": {
              "field": "Microsoft.Storage/storageAccounts/sku.name",
              "in": "[parameters('listOfAllowedSKUs')]"
            }
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/7433c107-6db4-4ad1-b57a-a76dce0154a1",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "7433c107-6db4-4ad1-b57a-a76dce0154a1"
}
BuiltIn Storage False False n/a n/a Deny false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Storage accounts should be migrated to new Azure Resource Manager resources",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",
    "metadata": {
      "version": "1.0.0",
      "category": "Storage"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The effect determines what happens when the policy rule is evaluated to match"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "in": [
              "Microsoft.ClassicStorage/storageAccounts",
              "Microsoft.Storage/StorageAccounts"
            ]
          },
          {
            "value": "[field('type')]",
            "equals": "Microsoft.ClassicStorage/storageAccounts"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "37e0d2fe-28a5-43d6-a273-67d37d1f5606"
}
BuiltIn Storage False False n/a n/a Audit false 0 n/a true 11 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), PCI v3.2.1:2018 (/providers/microsoft.authorization/policysetdefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Storage accounts should have infrastructure encryption",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Enable infrastructure encryption for higher level of assurance that the data is secure. When infrastructure encryption is enabled, data in a storage account is encrypted twice.",
    "metadata": {
      "version": "1.0.0",
      "category": "Storage"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the audit policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/encryption.requireInfrastructureEncryption",
            "notEquals": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "4733ea7b-a883-42fe-8cac-97454c2a9e4a"
}
BuiltIn Storage False False n/a n/a Audit false 0 n/a true 5 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Storage accounts should prevent shared key access",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Audit requirement of Azure Active Directory (Azure AD) to authorize requests for your storage account. By default, requests can be authorized with either Azure Active Directory credentials, or by using the account access key for Shared Key authorization. Of these two types of authorization, Azure AD provides superior security and ease of use over Shared Key, and is recommended by Microsoft.",
    "metadata": {
      "version": "1.0.0",
      "category": "Storage"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The effect determines what happens when the policy rule is evaluated to match"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/allowSharedKeyAccess",
            "equals": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54"
}
BuiltIn Storage False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Storage accounts should restrict network access",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges",
    "metadata": {
      "version": "1.1.1",
      "category": "Storage"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The effect determines what happens when the policy rule is evaluated to match"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
            "notEquals": "Deny"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "34c877ad-507e-4c82-993e-3452a6e0ad3c"
}
BuiltIn Storage False False n/a n/a Audit false 0 n/a true 22 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), PCI v3.2.1:2018 (/providers/microsoft.authorization/policysetdefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), [Preview]: Motion Picture Association of America (MPAA) (/providers/microsoft.authorization/policysetdefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Storage accounts should restrict network access using virtual network rules",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",
    "metadata": {
      "version": "1.0.1",
      "category": "Storage"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the audit policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
                "notEquals": "Deny"
              },
              {
                "count": {
                  "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*]"
                },
                "greaterOrEquals": 1
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "2a1a9cdf-e04d-429a-8416-3bfb72a1b26f"
}
BuiltIn Storage False False n/a n/a Audit false 0 n/a true 8 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Storage Accounts should use a virtual network service endpoint",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy audits any Storage Account not configured to use a virtual network service endpoint.",
    "metadata": {
      "version": "1.0.0",
      "category": "Network"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
                "notEquals": "Deny"
              },
              {
                "field": "Microsoft.Storage/storageAccounts/networkAcls.virtualNetworkRules[*].id",
                "exists": "false"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/60d21c4f-21a3-4d94-85f4-b924e6aeeda4",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "60d21c4f-21a3-4d94-85f4-b924e6aeeda4"
}
BuiltIn Network False False n/a n/a Audit false 0 n/a true 2 [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab) n/a
{
  "properties": {
    "displayName": "Storage accounts should use customer-managed key for encryption",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Secure your storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.",
    "metadata": {
      "version": "1.0.2",
      "category": "Storage"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "not": {
              "field": "Microsoft.Storage/storageAccounts/encryption.keySource",
              "equals": "Microsoft.Keyvault"
            }
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "6fac406b-40ca-413b-bf8e-0bf964659c25"
}
BuiltIn Storage False False n/a n/a Audit false 0 n/a true 9 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Storage accounts should use private link",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",
    "metadata": {
      "version": "2.0.0",
      "category": "Storage"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Storage/storageAccounts"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Storage/storageAccounts/privateEndpointConnections",
          "existenceCondition": {
            "field": "Microsoft.Storage/storageAccounts/privateEndpointConnections/privateLinkServiceConnectionState.status",
            "equals": "Approved"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "6edd7eda-6dd8-40f7-810d-67160c639cd9"
}
BuiltIn Storage False False n/a n/a AuditIfNotExists false 0 n/a true 7 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Subnets should be associated with a Network Security Group",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",
    "metadata": {
      "version": "3.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Network/virtualNetworks/subnets"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "eade5b56-eefd-444f-95c8-23f29e5d93cb",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e71308d3-144b-4262-b144-efdc3cc90517"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 11 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Subnets should have a Network Security Group ",
    "policyType": "Custom",
    "mode": "All",
    "description": "This policy denies the creation of a subsnet with out an Network Security Group. NSG help to protect traffic across subnet-level.",
    "metadata": {
      "version": "1.0.0",
      "category": "Network",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:38.4698877Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/virtualNetworks/subnets"
          },
          {
            "field": "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id",
            "exists": "false"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deny-Subnet-Without-Nsg"
}
Custom Network False False Mg ESJH (ESJH) Deny true 1 /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-subnet-without-nsg (Deny-Subnet-Without-Nsg) false 0 n/a n/a
{
  "properties": {
    "displayName": "Subscriptions should have a contact email address for security issues",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center.",
    "metadata": {
      "version": "1.0.1",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/securityContacts",
          "existenceCondition": {
            "field": "Microsoft.Security/securityContacts/email",
            "notEquals": ""
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 12 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Synapse managed private endpoints should only connect to resources in approved Azure Active Directory tenants",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Protect your Synapse workspace by only allowing connections to resources in approved Azure Active Directory (Azure AD) tenants. The approved Azure AD tenants can be defined during policy assignment.",
    "metadata": {
      "version": "1.0.0",
      "category": "Synapse"
    },
    "parameters": {
      "allowedTenantIds": {
        "type": "Array",
        "metadata": {
          "displayName": "List of Allowed Tenant Ids for private endpoint creation",
          "description": "This parameter defines the list of Allowed Tenant Ids that are allowed to create managed private endpoints in the workspaces"
        },
        "defaultValue": []
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled",
          "Deny"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Synapse/workspaces"
          },
          {
            "count": {
              "field": "Microsoft.Synapse/workspaces/managedVirtualNetworkSettings.allowedAadTenantIdsForLinking[*]",
              "where": {
                "field": "Microsoft.Synapse/workspaces/managedVirtualNetworkSettings.allowedAadTenantIdsForLinking[*]",
                "notIn": "[parameters('allowedTenantIds')]"
              }
            },
            "greater": 0
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/3a003702-13d2-4679-941b-937e58c443f0",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "3a003702-13d2-4679-941b-937e58c443f0"
}
BuiltIn Synapse False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Synapse workspace auditing settings should have action groups configured to capture critical activities",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "To ensure your audit logs are as thorough as possible, the AuditActionsAndGroups property should include all the relevant groups. We recommend adding at least SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, and BATCH_COMPLETED_GROUP. This is sometimes required for compliance with regulatory standards.",
    "metadata": {
      "version": "1.0.0",
      "category": "Synapse"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Synapse/workspaces"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Synapse/workspaces/auditingSettings",
          "name": "default",
          "existenceCondition": {
            "allOf": [
              {
                "not": {
                  "field": "Microsoft.Synapse/workspaces/auditingSettings/auditActionsAndGroups[*]",
                  "notEquals": "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Synapse/workspaces/auditingSettings/auditActionsAndGroups[*]",
                  "notEquals": "FAILED_DATABASE_AUTHENTICATION_GROUP"
                }
              },
              {
                "not": {
                  "field": "Microsoft.Synapse/workspaces/auditingSettings/auditActionsAndGroups[*]",
                  "notEquals": "BATCH_COMPLETED_GROUP"
                }
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/2b18f286-371e-4b80-9887-04759970c0d3",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "2b18f286-371e-4b80-9887-04759970c0d3"
}
BuiltIn Synapse False False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Synapse workspaces with SQL auditing to storage account destination should be configured with 90 days retention or higher",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "For incident investigation purposes, we recommend setting the data retention for your Synapse workspace' SQL auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards.",
    "metadata": {
      "version": "2.0.0",
      "category": "Synapse"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Synapse/workspaces"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Synapse/workspaces/auditingSettings",
          "name": "default",
          "existenceCondition": {
            "anyOf": [
              {
                "allOf": [
                  {
                    "field": "Microsoft.Synapse/workspaces/auditingSettings/isAzureMonitorTargetEnabled",
                    "equals": true
                  },
                  {
                    "field": "Microsoft.Synapse/workspaces/auditingSettings/storageEndpoint",
                    "equals": ""
                  }
                ]
              },
              {
                "field": "Microsoft.Synapse/workspaces/auditingSettings/retentionDays",
                "equals": 0
              },
              {
                "field": "Microsoft.Synapse/workspaces/auditingSettings/retentionDays",
                "greaterOrEquals": 90
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/529ea018-6afc-4ed4-95bd-7c9ee47b00bc",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "529ea018-6afc-4ed4-95bd-7c9ee47b00bc"
}
BuiltIn Synapse False False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "System updates on virtual machine scale sets should be installed",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure.",
    "metadata": {
      "version": "3.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachineScaleSets"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "bd20bd91-aaf1-7f14-b6e4-866de2f43146",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c3f317a7-a95c-4547-b7e7-11017ebdf2fe"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 17 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "System updates should be installed on your machines",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",
    "metadata": {
      "version": "4.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "Microsoft.Compute/virtualMachines",
          "Microsoft.ClassicCompute/virtualMachines"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "4ab6e3c5-74dd-8b35-9ab9-f61b30875b27",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "86b3d65f-7626-441e-b690-81a8b71cff60"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 22 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), PCI v3.2.1:2018 (/providers/microsoft.authorization/policysetdefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), [Preview]: Motion Picture Association of America (MPAA) (/providers/microsoft.authorization/policysetdefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "To enhance data security, the data stored on the virtual machine (VM) host of your Azure Kubernetes Service nodes VMs should be encrypted at rest. This is a common requirement in many regulatory and industry compliance standards.",
    "metadata": {
      "version": "1.0.0",
      "category": "Kubernetes"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Deny' blocks the non-compliant resource creation or update. 'Disabled' turns off the policy."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ContainerService/managedClusters"
          },
          {
            "count": {
              "field": "Microsoft.ContainerService/managedClusters/agentPoolProfiles[*]",
              "where": {
                "anyOf": [
                  {
                    "field": "Microsoft.ContainerService/managedClusters/agentPoolProfiles[*].enableEncryptionAtHost",
                    "exists": "False"
                  },
                  {
                    "field": "Microsoft.ContainerService/managedClusters/agentPoolProfiles[*].enableEncryptionAtHost",
                    "equals": ""
                  },
                  {
                    "field": "Microsoft.ContainerService/managedClusters/agentPoolProfiles[*].enableEncryptionAtHost",
                    "equals": "false"
                  }
                ]
              }
            },
            "greater": 0
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/41425d9f-d1a5-499a-9932-f8ed8453932c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "41425d9f-d1a5-499a-9932-f8ed8453932c"
}
BuiltIn Kubernetes False False n/a n/a Audit false 0 n/a true 4 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "The Log Analytics agent should be installed on Virtual Machine Scale Sets",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics agent is not installed.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachineScaleSets"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Compute/virtualMachineScaleSets/extensions",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/publisher",
                "equals": "Microsoft.EnterpriseCloud.Monitoring"
              },
              {
                "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/type",
                "in": [
                  "MicrosoftMonitoringAgent",
                  "OmsAgentForLinux"
                ]
              },
              {
                "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/provisioningState",
                "equals": "Succeeded"
              },
              {
                "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/settings.workspaceId",
                "exists": "true"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/efbde977-ba53-4479-b8e9-10b957924fbf",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "efbde977-ba53-4479-b8e9-10b957924fbf"
}
BuiltIn Monitoring False False n/a n/a AuditIfNotExists false 0 n/a true 5 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de) n/a
{
  "properties": {
    "displayName": "The Log Analytics agent should be installed on virtual machines",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy audits any Windows/Linux virtual machines if the Log Analytics agent is not installed.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachines"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Compute/virtualMachines/extensions",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                "equals": "Microsoft.EnterpriseCloud.Monitoring"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/type",
                "in": [
                  "MicrosoftMonitoringAgent",
                  "OmsAgentForLinux"
                ]
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",
                "equals": "Succeeded"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/settings.workspaceId",
                "exists": "true"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/a70ca396-0a34-413a-88e1-b956c1e683be",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "a70ca396-0a34-413a-88e1-b956c1e683be"
}
BuiltIn Monitoring False False n/a n/a AuditIfNotExists false 0 n/a true 5 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de) n/a
{
  "properties": {
    "displayName": "There should be more than one owner assigned to your subscription",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "It is recommended to designate more than one subscription owner in order to have administrator access redundancy.",
    "metadata": {
      "version": "3.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "2c79b4af-f830-b61e-92b9-63dfa30f16e4",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "09024ccc-0c5f-475e-9457-b7c0d9ed487b"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 18 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), PCI v3.2.1:2018 (/providers/microsoft.authorization/policysetdefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Transparent Data Encryption on SQL databases should be enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements",
    "metadata": {
      "version": "2.0.0",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Sql/servers/databases"
          },
          {
            "field": "name",
            "notEquals": "master"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Sql/servers/databases/transparentDataEncryption",
          "name": "current",
          "existenceCondition": {
            "anyOf": [
              {
                "field": "Microsoft.Sql/transparentDataEncryption.status",
                "equals": "enabled"
              },
              {
                "field": "Microsoft.Sql/servers/databases/transparentDataEncryption/state",
                "equals": "enabled"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "17k78e20-9358-41c9-923c-fb736d382a12"
}
BuiltIn SQL False False n/a n/a AuditIfNotExists false 0 n/a true 24 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), PCI v3.2.1:2018 (/providers/microsoft.authorization/policysetdefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41), PCI v3.2.1:2018 (/providers/microsoft.authorization/policysetdefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), [Preview]: Motion Picture Association of America (MPAA) (/providers/microsoft.authorization/policysetdefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Unattached disks should be encrypted",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy audits any unattached disk without encryption enabled.",
    "metadata": {
      "version": "1.0.0",
      "category": "Compute"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/disks"
          },
          {
            "field": "Microsoft.Compute/disks/diskState",
            "equals": "Unattached"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Compute/disks/encryptionSettingsCollection.enabled",
                "exists": "false"
              },
              {
                "field": "Microsoft.Compute/disks/encryptionSettingsCollection.enabled",
                "equals": "false"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fb2",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "2c89a2e5-7285-40fe-afe0-ae8654b92fb2"
}
BuiltIn Compute False False n/a n/a Audit false 0 n/a true 5 CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de) n/a
{
  "properties": {
    "displayName": "Virtual machines and virtual machine scale sets should have encryption at host enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use encryption at host to get end-to-end encryption for your virtual machine and virtual machine scale set data. Encryption at host enables encryption at rest for your temporary disk and OS/data disk caches. Temporary and ephemeral OS disks are encrypted with platform-managed keys when encryption at host is enabled. OS/data disk caches are encrypted at rest with either customer-managed or platform-managed key, depending on the encryption type selected on the disk. Learn more at https://aka.ms/vm-hbe.",
    "metadata": {
      "category": "Compute",
      "version": "1.0.0"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/securityProfile.encryptionAtHost",
                "notEquals": "true"
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachineScaleSets"
              },
              {
                "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.securityProfile.encryptionAtHost",
                "notEquals": "true"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/fc4d8e41-e223-45ea-9bf5-eada37891d87",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "fc4d8e41-e223-45ea-9bf5-eada37891d87"
}
BuiltIn Compute False False n/a n/a Audit false 0 n/a true 4 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Virtual machines should be connected to a specified workspace",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Reports virtual machines as non-compliant if they aren't logging to the Log Analytics workspace specified in the policy/initiative assignment.",
    "metadata": {
      "version": "1.1.0",
      "category": "Monitoring"
    },
    "parameters": {
      "logAnalyticsWorkspaceId": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics Workspace Id that virtual machines should be configured for",
          "description": "This is the Id (GUID) of the Log Analytics Workspace that the virtual machines should be configured for."
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachines"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Compute/virtualMachines/extensions",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                "equals": "Microsoft.EnterpriseCloud.Monitoring"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/settings.workspaceId",
                "equals": "[parameters('logAnalyticsWorkspaceId')]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/f47b5582-33ec-4c5c-87c0-b010a6b2e917",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "f47b5582-33ec-4c5c-87c0-b010a6b2e917"
}
BuiltIn Monitoring False False n/a n/a AuditIfNotExists false 0 n/a true 6 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de) n/a
{
  "properties": {
    "displayName": "Virtual machines should be connected to an approved virtual network",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy audits any virtual machine connected to a virtual network that is not approved.",
    "metadata": {
      "version": "1.0.0",
      "category": "Network"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The effect determines what happens when the policy rule is evaluated to match"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "virtualNetworkId": {
        "type": "String",
        "metadata": {
          "displayName": "Virtual network Id",
          "description": "Resource Id of the virtual network. Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroupName/providers/Microsoft.Network/virtualNetworks/Name"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/networkInterfaces"
          },
          {
            "not": {
              "field": "Microsoft.Network/networkInterfaces/ipconfigurations[*].subnet.id",
              "like": "[concat(parameters('virtualNetworkId'),'/*')]"
            }
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/d416745a-506c-48b6-8ab1-83cb814bcaa3",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "d416745a-506c-48b6-8ab1-83cb814bcaa3"
}
BuiltIn Network False False n/a n/a Audit false 0 n/a true 2 [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab) n/a
{
  "properties": {
    "displayName": "Virtual machines should be migrated to new Azure Resource Manager resources",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",
    "metadata": {
      "version": "1.0.0",
      "category": "Compute"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The effect determines what happens when the policy rule is evaluated to match"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "in": [
              "Microsoft.ClassicCompute/virtualMachines",
              "Microsoft.Compute/virtualMachines"
            ]
          },
          {
            "value": "[field('type')]",
            "equals": "Microsoft.ClassicCompute/virtualMachines"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "1d84d5fb-01f6-4d12-ba4f-4a26081d403d"
}
BuiltIn Compute False False n/a n/a Audit false 0 n/a true 12 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), PCI v3.2.1:2018 (/providers/microsoft.authorization/policysetdefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.",
    "metadata": {
      "version": "2.0.1",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "Microsoft.ClassicCompute/virtualMachines",
          "Microsoft.Compute/virtualMachines"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "d57a4221-a804-52ca-3dea-768284f06bb7",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0961003e-5a0a-4549-abde-af6a37f2724d"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 21 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), PCI v3.2.1:2018 (/providers/microsoft.authorization/policysetdefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), [Preview]: Motion Picture Association of America (MPAA) (/providers/microsoft.authorization/policysetdefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.1",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines/extensions"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
            "equals": "Microsoft.GuestConfiguration"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Compute/virtualMachines",
          "name": "[first(split(field('fullName'), '/'))]",
          "existenceCondition": {
            "field": "identity.type",
            "contains": "SystemAssigned"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "d26f7642-7545-4e18-9b75-8c9bbdee3a9a"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 6 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Virtual network firewall rule on Azure SQL Database should be enabled to allow traffic from the specified subnet",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure SQL Database while ensuring the traffic stays within the Azure boundary.",
    "metadata": {
      "version": "1.0.0",
      "category": "SQL"
    },
    "parameters": {
      "subnetId": {
        "type": "String",
        "metadata": {
          "displayName": "Subnet ID",
          "strongType": "Microsoft.Network/virtualNetworks/subnets",
          "description": "The resource ID of the virtual network subnet that should have a rule enabled. Example: /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/Default/providers/Microsoft.Network/virtualNetworks/testvnet/subnets/testsubnet"
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Sql/servers"
      },
      "then": {
        "effect": "AuditIfNotExists",
        "details": {
          "type": "Microsoft.Sql/servers/virtualNetworkRules",
          "existenceCondition": {
            "field": "Microsoft.Sql/servers/virtualNetworkRules/virtualNetworkSubnetId",
            "equals": "[parameters('subnetId')]"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/77e8b146-0078-4fb2-b002-e112381199f0",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "77e8b146-0078-4fb2-b002-e112381199f0"
}
BuiltIn SQL False False n/a n/a n/a false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Virtual network injection should be enabled for Azure Data Explorer",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Secure your network perimeter with virtual network injection which allows you to enforce network security group rules, connect on-premises and secure your data connection sources with service endpoints.",
    "metadata": {
      "version": "1.0.0",
      "category": "Azure Data Explorer"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Kusto/Clusters"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Kusto/clusters/virtualNetworkConfiguration",
                "exists": false
              },
              {
                "field": "Microsoft.Kusto/clusters/virtualNetworkConfiguration.subnetId",
                "exists": false
              },
              {
                "field": "Microsoft.Kusto/clusters/virtualNetworkConfiguration.enginePublicIpId",
                "exists": false
              },
              {
                "field": "Microsoft.Kusto/clusters/virtualNetworkConfiguration.dataManagementPublicIpId",
                "exists": false
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/9ad2fd1f-b25f-47a2-aa01-1a5a779e6413",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "9ad2fd1f-b25f-47a2-aa01-1a5a779e6413"
}
BuiltIn Azure Data Explorer False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Virtual networks should be protected by Azure DDoS Protection Standard",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection Standard. For more information, visit https://aka.ms/ddosprotectiondocs.",
    "metadata": {
      "version": "1.0.0",
      "category": "Network"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Modify",
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Modify"
      },
      "ddosPlan": {
        "type": "String",
        "metadata": {
          "displayName": "DDoS Protection Plan",
          "description": "DDoS Protection Plan resource to be associated to the virtual networks",
          "strongType": "Microsoft.Network/ddosProtectionPlans"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/virtualNetworks"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Network/virtualNetworks/enableDdosProtection",
                "notEquals": true
              },
              {
                "field": "Microsoft.Network/virtualNetworks/ddosProtectionPlan",
                "equals": ""
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "conflictEffect": "audit",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
          ],
          "operations": [
            {
              "operation": "addOrReplace",
              "field": "Microsoft.Network/virtualNetworks/enableDdosProtection",
              "value": true
            },
            {
              "operation": "addOrReplace",
              "field": "Microsoft.Network/virtualNetworks/ddosProtectionPlan.id",
              "value": "[parameters('ddosPlan')]"
            }
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d"
}
BuiltIn Network False False n/a n/a Modify false 0 n/a false 0 n/a 'Network Contributor' (4d97b98b-1d4f-4787-a291-c67834d212e7)
{
  "properties": {
    "displayName": "Virtual networks should use specified virtual network gateway",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy audits any virtual network if the default route does not point to the specified virtual network gateway.",
    "metadata": {
      "version": "1.0.0",
      "category": "Network"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "virtualNetworkGatewayId": {
        "type": "String",
        "metadata": {
          "displayName": "Virtual network gateway Id",
          "description": "Resource Id of the virtual network gateway. Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroup/providers/Microsoft.Network/virtualNetworkGateways/Name"
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Network/virtualNetworks"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/virtualNetworks/subnets",
          "name": "GatewaySubnet",
          "existenceCondition": {
            "not": {
              "field": "Microsoft.Network/virtualNetworks/subnets/ipConfigurations[*].id",
              "notContains": "[concat(parameters('virtualNetworkGatewayId'), '/')]"
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/f1776c76-f58c-4245-a8d0-2b207198dc8b",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "f1776c76-f58c-4245-a8d0-2b207198dc8b"
}
BuiltIn Network False False n/a n/a AuditIfNotExists false 0 n/a true 1 [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92) n/a
{
  "properties": {
    "displayName": "VM Image Builder templates should use private link",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet.",
    "metadata": {
      "version": "1.1.0",
      "category": "VM Image Builder"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled",
          "Deny"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.VirtualMachineImages/imageTemplates"
          },
          {
            "field": "Microsoft.VirtualMachineImages/imageTemplates/vmProfile.vnetConfig",
            "exists": "false"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/2154edb9-244f-4741-9970-660785bccdaa",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "2154edb9-244f-4741-9970-660785bccdaa"
}
BuiltIn VM Image Builder False False n/a n/a Audit false 0 n/a true 7 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "VPN gateways should use only Azure Active Directory (Azure AD) authentication for point-to-site users",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disabling local authentication methods improves security by ensuring that VPN Gateways use only Azure Active Directory identities for authentication. Learn more about Azure AD authentication at https://docs.microsoft.com/azure/vpn-gateway/openvpn-azure-ad-tenant",
    "metadata": {
      "version": "1.0.0",
      "category": "Network"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/virtualNetworkGateways"
          },
          {
            "field": "Microsoft.Network/virtualNetworkGateways/vpnClientConfiguration.vpnClientAddressPool.addressPrefixes",
            "exists": "true"
          },
          {
            "count": {
              "field": "Microsoft.Network/virtualNetworkGateways/vpnClientConfiguration.vpnAuthenticationTypes[*]",
              "where": {
                "field": "Microsoft.Network/virtualNetworkGateways/vpnClientConfiguration.vpnAuthenticationTypes[*]",
                "notcontains": "AAD"
              }
            },
            "greaterOrEquals": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "21a6bc25-125e-4d13-b82d-2e19b7208ab7"
}
BuiltIn Network False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Vulnerabilities in Azure Container Registry images should be remediated",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Container image vulnerability assessment scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings for each image (powered by Qualys). Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.",
    "metadata": {
      "version": "2.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.ContainerRegistry/registries"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "dbd0cb49-b563-45e7-9724-889e799fa648",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "5f0f936f-2f01-4bf5-b6be-d423792fa562"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 8 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Vulnerabilities in container security configurations should be remediated",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",
    "metadata": {
      "version": "3.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "Microsoft.Compute/virtualMachines",
          "Microsoft.ClassicCompute/virtualMachines",
          "Microsoft.Compute/virtualMachineScaleSets"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "0677209d-e675-2c6f-e91a-54cef2878663",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e8cbc669-f12d-49eb-93e7-9273119e9933"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 13 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Vulnerabilities in security configuration on your machines should be remediated",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",
    "metadata": {
      "version": "3.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "Microsoft.Compute/virtualMachines",
          "Microsoft.ClassicCompute/virtualMachines"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "181ac480-f7c4-544b-9865-11b8ffe87f47",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 20 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), PCI v3.2.1:2018 (/providers/microsoft.authorization/policysetdefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Vulnerabilities in security configuration on your virtual machine scale sets should be remediated",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.",
    "metadata": {
      "version": "3.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachineScaleSets"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "8941d121-f740-35f6-952c-6561d2b38d36",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4"
}
BuiltIn Security Center False False n/a n/a AuditIfNotExists false 0 n/a true 18 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), [Preview]: Motion Picture Association of America (MPAA) (/providers/microsoft.authorization/policysetdefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Ensure that an email address is provided for the 'Send scan reports to' field in the Vulnerability Assessment settings. This email address receives scan result summary after a periodic scan runs on SQL servers.",
    "metadata": {
      "version": "2.0.0",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Sql/servers"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Sql/servers/vulnerabilityAssessments",
          "name": "default",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Sql/servers/vulnerabilityAssessments/default.recurringScans.emails[*]",
                "notEquals": ""
              },
              {
                "count": {
                  "field": "Microsoft.Sql/servers/vulnerabilityAssessments/default.recurringScans.emails[*]"
                },
                "notEquals": 0
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9"
}
BuiltIn SQL False False n/a n/a AuditIfNotExists false 0 n/a true 4 [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a) n/a
{
  "properties": {
    "displayName": "Vulnerability assessment should be enabled on SQL Managed Instance",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.",
    "metadata": {
      "version": "1.0.1",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Sql/managedInstances"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Sql/managedInstances/vulnerabilityAssessments",
          "name": "default",
          "existenceCondition": {
            "field": "Microsoft.Sql/managedInstances/vulnerabilityAssessments/recurringScans.isEnabled",
            "equals": "True"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "1b7aa243-30e4-4c9e-bca8-d0d3022b634a"
}
BuiltIn SQL False False n/a n/a AuditIfNotExists false 0 n/a true 14 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Vulnerability assessment should be enabled on your SQL servers",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.",
    "metadata": {
      "version": "2.0.0",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Sql/servers"
          },
          {
            "field": "kind",
            "notContains": "analytics"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Sql/servers/vulnerabilityAssessments",
          "name": "default",
          "existenceCondition": {
            "field": "Microsoft.Sql/servers/vulnerabilityAssessments/recurringScans.isEnabled",
            "equals": "True"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9"
}
BuiltIn SQL False False n/a n/a AuditIfNotExists false 0 n/a true 14 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Vulnerability assessment should be enabled on your Synapse workspaces",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Discover, track, and remediate potential vulnerabilities by configuring recurring SQL vulnerability assessment scans on your Synapse workspaces.",
    "metadata": {
      "version": "1.0.0",
      "category": "Synapse"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Synapse/workspaces"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Synapse/workspaces/vulnerabilityAssessments",
          "name": "default",
          "existenceCondition": {
            "field": "Microsoft.Synapse/workspaces/vulnerabilityAssessments/recurringScans.isEnabled",
            "equals": "True"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0049a6b3-a662-4f3e-8635-39cf44ace45a",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0049a6b3-a662-4f3e-8635-39cf44ace45a"
}
BuiltIn Synapse False False n/a n/a AuditIfNotExists false 0 n/a true 4 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Web Application Firewall (WAF) should be enabled for Application Gateway",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.",
    "metadata": {
      "version": "1.0.1",
      "category": "Network"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/applicationGateways"
          },
          {
            "field": "Microsoft.Network/applicationGateways/webApplicationFirewallConfiguration",
            "exists": "false"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "564feb30-bf6a-4854-b4bb-0d2d2d1e6c66"
}
BuiltIn Network False False n/a n/a Audit false 0 n/a true 8 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Web Application Firewall (WAF) should be enabled for Azure Front Door Service service",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.",
    "metadata": {
      "version": "1.0.1",
      "category": "Network"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/frontdoors"
          },
          {
            "field": "Microsoft.Network/frontdoors/frontendEndpoints[*].webApplicationFirewallPolicyLink.id",
            "exists": "false"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "055aa869-bc98-4af8-bafc-23f1ab6ffe2c"
}
BuiltIn Network False False n/a n/a Audit false 0 n/a true 7 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Web Application Firewall (WAF) should use the specified mode for Application Gateway",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Application Gateway.",
    "metadata": {
      "version": "1.0.0",
      "category": "Network"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "modeRequirement": {
        "type": "String",
        "metadata": {
          "displayName": "Mode Requirement",
          "description": "Mode required for all WAF policies"
        },
        "allowedValues": [
          "Prevention",
          "Detection"
        ],
        "defaultValue": "Detection"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies"
          },
          {
            "field": "Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies/policySettings.mode",
            "notEquals": "[parameters('modeRequirement')]"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "12430be1-6cc8-4527-a9a8-e3d38f250096"
}
BuiltIn Network False False n/a n/a Audit false 0 n/a true 2 [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a) n/a
{
  "properties": {
    "displayName": "Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Azure Front Door Service.",
    "metadata": {
      "version": "1.0.0",
      "category": "Network"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "modeRequirement": {
        "type": "String",
        "metadata": {
          "displayName": "Mode Requirement",
          "description": "Mode required for all WAF policies"
        },
        "allowedValues": [
          "Prevention",
          "Detection"
        ],
        "defaultValue": "Detection"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies"
          },
          {
            "field": "Microsoft.Network/frontdoorWebApplicationFirewallPolicies/policySettings.mode",
            "notEquals": "[parameters('modeRequirement')]"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "425bea59-a659-4cbb-8d31-34499bd030b8"
}
BuiltIn Network False False n/a n/a Audit false 0 n/a true 2 [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a) n/a
{
  "properties": {
    "displayName": "Web Application should only be accessible over HTTPS",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.",
    "metadata": {
      "version": "1.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "app*"
          },
          {
            "field": "Microsoft.Web/sites/httpsOnly",
            "equals": "false"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "a4af4a39-4135-47fb-b175-47fbdf85311d"
}
BuiltIn App Service False False n/a n/a Audit false 0 n/a true 21 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), CIS Microsoft Azure Foundations Benchmark v1.1.0 (/providers/microsoft.authorization/policysetdefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), PCI v3.2.1:2018 (/providers/microsoft.authorization/policysetdefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), CIS Microsoft Azure Foundations Benchmark v1.3.0 (/providers/microsoft.authorization/policysetdefinitions/612b5213-9160-4969-8578-1518bd2a000c), ISO 27001:2013 (/providers/microsoft.authorization/policysetdefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Web apps should use an Azure file share for its content directory",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "The content directory of a web app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594.",
    "metadata": {
      "version": "1.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "app*"
          },
          {
            "field": "Microsoft.Web/sites/storageAccountRequired",
            "equals": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/dcbc65aa-59f3-4239-8978-3bb869d82604",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "dcbc65aa-59f3-4239-8978-3bb869d82604"
}
BuiltIn App Service False False n/a n/a Audit false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Windows Defender Exploit Guard should be enabled on your machines",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).",
    "metadata": {
      "category": "Guest Configuration",
      "version": "1.1.1",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "WindowsDefenderExploitGuard",
        "version": "1.*",
        "configurationParameter": {
          "NotAvailableMachineState": "[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "NotAvailableMachineState": {
        "type": "String",
        "metadata": {
          "displayName": "Status if Windows Defender is not available on machine",
          "description": "Windows Defender Exploit Guard is only available starting with Windows 10/Windows Server with update 1709. Setting this value to 'Non-Compliant' shows machines with older versions on which Windows Defender Exploit Guard is not available (such as Windows Server 2012 R2) as non-compliant. Setting this value to 'Compliant' shows these machines as compliant."
        },
        "allowedValues": [
          "Compliant",
          "Non-Compliant"
        ],
        "defaultValue": "Compliant"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "WindowsDefenderExploitGuard",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState', '=', parameters('NotAvailableMachineState')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "bed48b13-6647-468e-aa2f-1af1d3f4dd40"
}
BuiltIn Guest Configuration False False n/a n/a AuditIfNotExists false 0 n/a true 6 [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Windows machines should meet requirements for 'Administrative Templates - Control Panel'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Control Panel' for input personalization and prevention of enabling lock screens. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "2.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "AzureBaseline_AdministrativeTemplatesControlPanel",
        "version": "1.*"
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_AdministrativeTemplatesControlPanel",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/3aa2661b-02d7-4ba6-99bc-dc36b10489fd",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "3aa2661b-02d7-4ba6-99bc-dc36b10489fd"
}
BuiltIn Guest Configuration False False n/a n/a AuditIfNotExists false 0 n/a true 1 [Preview]: Windows machines should meet requirements for the Azure compute security baseline (/providers/microsoft.authorization/policysetdefinitions/be7a78aa-3e10-4153-a5fd-8c6506dbc821) n/a
{
  "properties": {
    "displayName": "Windows machines should meet requirements for 'Administrative Templates - MSS (Legacy)'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - MSS (Legacy)' for automatic logon, screen saver, network behavior, safe DLL, and event log. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "2.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "AzureBaseline_AdminstrativeTemplatesMSSLegacy",
        "version": "1.*"
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_AdminstrativeTemplatesMSSLegacy",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e0a7e899-2ce2-4253-8a13-d808fdeb75af",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e0a7e899-2ce2-4253-8a13-d808fdeb75af"
}
BuiltIn Guest Configuration False False n/a n/a AuditIfNotExists false 0 n/a true 1 [Preview]: Windows machines should meet requirements for the Azure compute security baseline (/providers/microsoft.authorization/policysetdefinitions/be7a78aa-3e10-4153-a5fd-8c6506dbc821) n/a
{
  "properties": {
    "displayName": "Windows machines should meet requirements for 'Administrative Templates - Network'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Network' for guest logons, simultaneous connections, network bridge, ICS, and multicast name resolution. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "2.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "AzureBaseline_AdministrativeTemplatesNetwork",
        "version": "1.*",
        "configurationParameter": {
          "EnableInsecureGuestLogons": "Enable insecure guest logons;ExpectedValue",
          "AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain": "Minimize the number of simultaneous connections to the Internet or a Windows Domain;ExpectedValue",
          "TurnOffMulticastNameResolution": "Turn off multicast name resolution;ExpectedValue"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "EnableInsecureGuestLogons": {
        "type": "String",
        "metadata": {
          "displayName": "Enable insecure guest logons",
          "description": "Specifies whether the SMB client will allow insecure guest logons to an SMB server."
        },
        "defaultValue": "0"
      },
      "AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain": {
        "type": "String",
        "metadata": {
          "displayName": "Allow simultaneous connections to the Internet or a Windows Domain",
          "description": "Specify whether to prevent computers from connecting to both a domain based network and a non-domain based network at the same time. A value of 0 allows simultaneous connections, and a value of 1 blocks them."
        },
        "defaultValue": "1"
      },
      "TurnOffMulticastNameResolution": {
        "type": "String",
        "metadata": {
          "displayName": "Turn off multicast name resolution",
          "description": "Specifies whether LLMNR, a secondary name resolution protocol that transmits using multicast over a local subnet link on a single subnet, is enabled."
        },
        "defaultValue": "1"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_AdministrativeTemplatesNetwork",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('Enable insecure guest logons;ExpectedValue', '=', parameters('EnableInsecureGuestLogons'), ',', 'Minimize the number of simultaneous connections to the Internet or a Windows Domain;ExpectedValue', '=', parameters('AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'), ',', 'Turn off multicast name resolution;ExpectedValue', '=', parameters('TurnOffMulticastNameResolution')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/67e010c1-640d-438e-a3a5-feaccb533a98",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "67e010c1-640d-438e-a3a5-feaccb533a98"
}
BuiltIn Guest Configuration False False n/a n/a AuditIfNotExists false 0 n/a true 3 [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: Windows machines should meet requirements for the Azure compute security baseline (/providers/microsoft.authorization/policysetdefinitions/be7a78aa-3e10-4153-a5fd-8c6506dbc821) n/a
{
  "properties": {
    "displayName": "Windows machines should meet requirements for 'Administrative Templates - System'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - System' for settings that control the administrative experience and Remote Assistance. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "2.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "AzureBaseline_AdministrativeTemplatesSystem",
        "version": "1.*",
        "configurationParameter": {
          "AlwaysUseClassicLogon": "Always use classic logon;ExpectedValue",
          "BootStartDriverInitializationPolicy": "Boot-Start Driver Initialization Policy;ExpectedValue",
          "EnableWindowsNTPClient": "Enable Windows NTP Client;ExpectedValue",
          "TurnOnConveniencePINSignin": "Turn on convenience PIN sign-in;ExpectedValue"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "AlwaysUseClassicLogon": {
        "type": "String",
        "metadata": {
          "displayName": "Always use classic logon",
          "description": "Specifies whether to force the user to log on to the computer using the classic logon screen. This setting only works when the computer is not on a domain."
        },
        "defaultValue": "0"
      },
      "BootStartDriverInitializationPolicy": {
        "type": "String",
        "metadata": {
          "displayName": "Boot-Start Driver Initialization Policy",
          "description": "Specifies which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver."
        },
        "defaultValue": "3"
      },
      "EnableWindowsNTPClient": {
        "type": "String",
        "metadata": {
          "displayName": "Enable Windows NTP Client",
          "description": "Specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers."
        },
        "defaultValue": "1"
      },
      "TurnOnConveniencePINSignin": {
        "type": "String",
        "metadata": {
          "displayName": "Turn on convenience PIN sign-in",
          "description": "Specifies whether a domain user can sign in using a convenience PIN."
        },
        "defaultValue": "0"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_AdministrativeTemplatesSystem",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('Always use classic logon;ExpectedValue', '=', parameters('AlwaysUseClassicLogon'), ',', 'Boot-Start Driver Initialization Policy;ExpectedValue', '=', parameters('BootStartDriverInitializationPolicy'), ',', 'Enable Windows NTP Client;ExpectedValue', '=', parameters('EnableWindowsNTPClient'), ',', 'Turn on convenience PIN sign-in;ExpectedValue', '=', parameters('TurnOnConveniencePINSignin')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/968410dc-5ca0-4518-8a5b-7b55f0530ea9",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "968410dc-5ca0-4518-8a5b-7b55f0530ea9"
}
BuiltIn Guest Configuration False False n/a n/a AuditIfNotExists false 0 n/a true 1 [Preview]: Windows machines should meet requirements for the Azure compute security baseline (/providers/microsoft.authorization/policysetdefinitions/be7a78aa-3e10-4153-a5fd-8c6506dbc821) n/a
{
  "properties": {
    "displayName": "Windows machines should meet requirements for 'Security Options - Accounts'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Windows machines should have the specified Group Policy settings in the category 'Security Options - Accounts' for limiting local account use of blank passwords and guest account status. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "2.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "AzureBaseline_SecurityOptionsAccounts",
        "version": "1.*",
        "configurationParameter": {
          "AccountsGuestAccountStatus": "Accounts: Guest account status;ExpectedValue"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "AccountsGuestAccountStatus": {
        "type": "String",
        "metadata": {
          "displayName": "Accounts: Guest account status",
          "description": "Specifies whether the local Guest account is disabled."
        },
        "defaultValue": "0"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SecurityOptionsAccounts",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('Accounts: Guest account status;ExpectedValue', '=', parameters('AccountsGuestAccountStatus')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/ee984370-154a-4ee8-9726-19d900e56fc0",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ee984370-154a-4ee8-9726-19d900e56fc0"
}
BuiltIn Guest Configuration False False n/a n/a AuditIfNotExists false 0 n/a true 3 [Preview]: Motion Picture Association of America (MPAA) (/providers/microsoft.authorization/policysetdefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: Windows machines should meet requirements for the Azure compute security baseline (/providers/microsoft.authorization/policysetdefinitions/be7a78aa-3e10-4153-a5fd-8c6506dbc821) n/a
{
  "properties": {
    "displayName": "Windows machines should meet requirements for 'Security Options - Audit'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Windows machines should have the specified Group Policy settings in the category 'Security Options - Audit' for forcing audit policy subcategory and shutting down if unable to log security audits. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "2.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "AzureBaseline_SecurityOptionsAudit",
        "version": "1.*",
        "configurationParameter": {
          "AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits": "Audit: Shut down system immediately if unable to log security audits;ExpectedValue"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits": {
        "type": "String",
        "metadata": {
          "displayName": "Audit: Shut down system immediately if unable to log security audits",
          "description": "Audits if the system will shut down when unable to log Security events."
        },
        "defaultValue": "0"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SecurityOptionsAudit",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('Audit: Shut down system immediately if unable to log security audits;ExpectedValue', '=', parameters('AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/33936777-f2ac-45aa-82ec-07958ec9ade4",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "33936777-f2ac-45aa-82ec-07958ec9ade4"
}
BuiltIn Guest Configuration False False n/a n/a AuditIfNotExists false 0 n/a true 2 HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: Windows machines should meet requirements for the Azure compute security baseline (/providers/microsoft.authorization/policysetdefinitions/be7a78aa-3e10-4153-a5fd-8c6506dbc821) n/a
{
  "properties": {
    "displayName": "Windows machines should meet requirements for 'Security Options - Devices'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Windows machines should have the specified Group Policy settings in the category 'Security Options - Devices' for undocking without logging on, installing print drivers, and formatting/ejecting media. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "2.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "AzureBaseline_SecurityOptionsDevices",
        "version": "1.*",
        "configurationParameter": {
          "DevicesAllowedToFormatAndEjectRemovableMedia": "Devices: Allowed to format and eject removable media;ExpectedValue"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "DevicesAllowedToFormatAndEjectRemovableMedia": {
        "type": "String",
        "metadata": {
          "displayName": "Devices: Allowed to format and eject removable media",
          "description": "Specifies who is allowed to format and eject removable NTFS media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges."
        },
        "defaultValue": "0"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SecurityOptionsDevices",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('Devices: Allowed to format and eject removable media;ExpectedValue', '=', parameters('DevicesAllowedToFormatAndEjectRemovableMedia')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/8794ff4f-1a35-4e18-938f-0b22055067cd",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "8794ff4f-1a35-4e18-938f-0b22055067cd"
}
BuiltIn Guest Configuration False False n/a n/a AuditIfNotExists false 0 n/a true 1 [Preview]: Windows machines should meet requirements for the Azure compute security baseline (/providers/microsoft.authorization/policysetdefinitions/be7a78aa-3e10-4153-a5fd-8c6506dbc821) n/a
{
  "properties": {
    "displayName": "Windows machines should meet requirements for 'Security Options - Interactive Logon'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Windows machines should have the specified Group Policy settings in the category 'Security Options - Interactive Logon' for displaying last user name and requiring ctrl-alt-del. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "2.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "AzureBaseline_SecurityOptionsInteractiveLogon",
        "version": "1.*"
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SecurityOptionsInteractiveLogon",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/d472d2c9-d6a3-4500-9f5f-b15f123005aa",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "d472d2c9-d6a3-4500-9f5f-b15f123005aa"
}
BuiltIn Guest Configuration False False n/a n/a AuditIfNotExists false 0 n/a true 1 [Preview]: Windows machines should meet requirements for the Azure compute security baseline (/providers/microsoft.authorization/policysetdefinitions/be7a78aa-3e10-4153-a5fd-8c6506dbc821) n/a
{
  "properties": {
    "displayName": "Windows machines should meet requirements for 'Security Options - Microsoft Network Client'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Client' for Microsoft network client/server and SMB v1. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "2.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "AzureBaseline_SecurityOptionsMicrosoftNetworkClient",
        "version": "1.*",
        "configurationParameter": {
          "MicrosoftNetworkClientDigitallySignCommunicationsAlways": "Microsoft network client: Digitally sign communications (always);ExpectedValue",
          "MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers": "Microsoft network client: Send unencrypted password to third-party SMB servers;ExpectedValue",
          "MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession": "Microsoft network server: Amount of idle time required before suspending session;ExpectedValue",
          "MicrosoftNetworkServerDigitallySignCommunicationsAlways": "Microsoft network server: Digitally sign communications (always);ExpectedValue",
          "MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire": "Microsoft network server: Disconnect clients when logon hours expire;ExpectedValue"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "MicrosoftNetworkClientDigitallySignCommunicationsAlways": {
        "type": "String",
        "metadata": {
          "displayName": "Microsoft network client: Digitally sign communications (always)",
          "description": "Specifies whether packet signing is required by the SMB client component."
        },
        "defaultValue": "1"
      },
      "MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers": {
        "type": "String",
        "metadata": {
          "displayName": "Microsoft network client: Send unencrypted password to third-party SMB servers",
          "description": "Specifies whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it."
        },
        "defaultValue": "0"
      },
      "MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession": {
        "type": "String",
        "metadata": {
          "displayName": "Microsoft network server: Amount of idle time required before suspending session",
          "description": "Specifies the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. The format of the value is two integers separated by a comma, denoting an inclusive range."
        },
        "defaultValue": "1,15"
      },
      "MicrosoftNetworkServerDigitallySignCommunicationsAlways": {
        "type": "String",
        "metadata": {
          "displayName": "Microsoft network server: Digitally sign communications (always)",
          "description": "Specifies whether packet signing is required by the SMB server component."
        },
        "defaultValue": "1"
      },
      "MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire": {
        "type": "String",
        "metadata": {
          "displayName": "Microsoft network server: Disconnect clients when logon hours expire",
          "description": "Specifies whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable 'Network security: Force logoff when logon hours expire'"
        },
        "defaultValue": "1"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SecurityOptionsMicrosoftNetworkClient",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('Microsoft network client: Digitally sign communications (always);ExpectedValue', '=', parameters('MicrosoftNetworkClientDigitallySignCommunicationsAlways'), ',', 'Microsoft network client: Send unencrypted password to third-party SMB servers;ExpectedValue', '=', parameters('MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'), ',', 'Microsoft network server: Amount of idle time required before suspending session;ExpectedValue', '=', parameters('MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'), ',', 'Microsoft network server: Digitally sign communications (always);ExpectedValue', '=', parameters('MicrosoftNetworkServerDigitallySignCommunicationsAlways'), ',', 'Microsoft network server: Disconnect clients when logon hours expire;ExpectedValue', '=', parameters('MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/d6c69680-54f0-4349-af10-94dd05f4225e",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "d6c69680-54f0-4349-af10-94dd05f4225e"
}
BuiltIn Guest Configuration False False n/a n/a AuditIfNotExists false 0 n/a true 2 [Preview]: Motion Picture Association of America (MPAA) (/providers/microsoft.authorization/policysetdefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8), [Preview]: Windows machines should meet requirements for the Azure compute security baseline (/providers/microsoft.authorization/policysetdefinitions/be7a78aa-3e10-4153-a5fd-8c6506dbc821) n/a
{
  "properties": {
    "displayName": "Windows machines should meet requirements for 'Security Options - Microsoft Network Server'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Server' for disabling SMB v1 server. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "2.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "AzureBaseline_SecurityOptionsMicrosoftNetworkServer",
        "version": "1.*"
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SecurityOptionsMicrosoftNetworkServer",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/caf2d518-f029-4f6b-833b-d7081702f253",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "caf2d518-f029-4f6b-833b-d7081702f253"
}
BuiltIn Guest Configuration False False n/a n/a AuditIfNotExists false 0 n/a true 3 [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: Windows machines should meet requirements for the Azure compute security baseline (/providers/microsoft.authorization/policysetdefinitions/be7a78aa-3e10-4153-a5fd-8c6506dbc821) n/a
{
  "properties": {
    "displayName": "Windows machines should meet requirements for 'Security Options - Network Access'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Access' for including access for anonymous users, local accounts, and remote access to the registry. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "2.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "AzureBaseline_SecurityOptionsNetworkAccess",
        "version": "1.*",
        "configurationParameter": {
          "NetworkAccessRemotelyAccessibleRegistryPaths": "Network access: Remotely accessible registry paths;ExpectedValue",
          "NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths": "Network access: Remotely accessible registry paths and sub-paths;ExpectedValue",
          "NetworkAccessSharesThatCanBeAccessedAnonymously": "Network access: Shares that can be accessed anonymously;ExpectedValue"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "NetworkAccessRemotelyAccessibleRegistryPaths": {
        "type": "String",
        "metadata": {
          "displayName": "Network access: Remotely accessible registry paths",
          "description": "Specifies which registry paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the `winreg` registry key."
        },
        "defaultValue": "System\\CurrentControlSet\\Control\\ProductOptions|#|System\\CurrentControlSet\\Control\\Server Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"
      },
      "NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths": {
        "type": "String",
        "metadata": {
          "displayName": "Network access: Remotely accessible registry paths and sub-paths",
          "description": "Specifies which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the `winreg` registry key."
        },
        "defaultValue": "System\\CurrentControlSet\\Control\\Print\\Printers|#|System\\CurrentControlSet\\Services\\Eventlog|#|Software\\Microsoft\\OLAP Server|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|#|System\\CurrentControlSet\\Control\\ContentIndex|#|System\\CurrentControlSet\\Control\\Terminal Server|#|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|#|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"
      },
      "NetworkAccessSharesThatCanBeAccessedAnonymously": {
        "type": "String",
        "metadata": {
          "displayName": "Network access: Shares that can be accessed anonymously",
          "description": "Specifies which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server."
        },
        "defaultValue": "0"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SecurityOptionsNetworkAccess",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('Network access: Remotely accessible registry paths;ExpectedValue', '=', parameters('NetworkAccessRemotelyAccessibleRegistryPaths'), ',', 'Network access: Remotely accessible registry paths and sub-paths;ExpectedValue', '=', parameters('NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'), ',', 'Network access: Shares that can be accessed anonymously;ExpectedValue', '=', parameters('NetworkAccessSharesThatCanBeAccessedAnonymously')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd"
}
BuiltIn Guest Configuration False False n/a n/a AuditIfNotExists false 0 n/a true 5 [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), [Preview]: Motion Picture Association of America (MPAA) (/providers/microsoft.authorization/policysetdefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Preview]: Windows machines should meet requirements for the Azure compute security baseline (/providers/microsoft.authorization/policysetdefinitions/be7a78aa-3e10-4153-a5fd-8c6506dbc821) n/a
{
  "properties": {
    "displayName": "Windows machines should meet requirements for 'Security Options - Network Security'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Security' for including Local System behavior, PKU2U, LAN Manager, LDAP client, and NTLM SSP. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "2.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "AzureBaseline_SecurityOptionsNetworkSecurity",
        "version": "1.*",
        "configurationParameter": {
          "NetworkSecurityConfigureEncryptionTypesAllowedForKerberos": "Network Security: Configure encryption types allowed for Kerberos;ExpectedValue",
          "NetworkSecurityLANManagerAuthenticationLevel": "Network security: LAN Manager authentication level;ExpectedValue",
          "NetworkSecurityLDAPClientSigningRequirements": "Network security: LDAP client signing requirements;ExpectedValue",
          "NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients": "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients;ExpectedValue",
          "NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers": "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers;ExpectedValue"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "NetworkSecurityConfigureEncryptionTypesAllowedForKerberos": {
        "type": "String",
        "metadata": {
          "displayName": "Network Security: Configure encryption types allowed for Kerberos",
          "description": "Specifies the encryption types that Kerberos is allowed to use."
        },
        "defaultValue": "2147483644"
      },
      "NetworkSecurityLANManagerAuthenticationLevel": {
        "type": "String",
        "metadata": {
          "displayName": "Network security: LAN Manager authentication level",
          "description": "Specify which challenge-response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers."
        },
        "defaultValue": "5"
      },
      "NetworkSecurityLDAPClientSigningRequirements": {
        "type": "String",
        "metadata": {
          "displayName": "Network security: LDAP client signing requirements",
          "description": "Specify the level of data signing that is requested on behalf of clients that issue LDAP BIND requests."
        },
        "defaultValue": "1"
      },
      "NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients": {
        "type": "String",
        "metadata": {
          "displayName": "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients",
          "description": "Specifies which behaviors are allowed by clients for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. See https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers for more information."
        },
        "defaultValue": "537395200"
      },
      "NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers": {
        "type": "String",
        "metadata": {
          "displayName": "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers",
          "description": "Specifies which behaviors are allowed by servers for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services."
        },
        "defaultValue": "537395200"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SecurityOptionsNetworkSecurity",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('Network Security: Configure encryption types allowed for Kerberos;ExpectedValue', '=', parameters('NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'), ',', 'Network security: LAN Manager authentication level;ExpectedValue', '=', parameters('NetworkSecurityLANManagerAuthenticationLevel'), ',', 'Network security: LDAP client signing requirements;ExpectedValue', '=', parameters('NetworkSecurityLDAPClientSigningRequirements'), ',', 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients;ExpectedValue', '=', parameters('NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'), ',', 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers;ExpectedValue', '=', parameters('NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/1221c620-d201-468c-81e7-2817e6107e84",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "1221c620-d201-468c-81e7-2817e6107e84"
}
BuiltIn Guest Configuration False False n/a n/a AuditIfNotExists false 0 n/a true 4 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), [Deprecated]: Azure Security Benchmark v1 (/providers/microsoft.authorization/policysetdefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Preview]: Windows machines should meet requirements for the Azure compute security baseline (/providers/microsoft.authorization/policysetdefinitions/be7a78aa-3e10-4153-a5fd-8c6506dbc821) n/a
{
  "properties": {
    "displayName": "Windows machines should meet requirements for 'Security Options - Recovery console'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Windows machines should have the specified Group Policy settings in the category 'Security Options - Recovery console' for allowing floppy copy and access to all drives and folders. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "2.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "AzureBaseline_SecurityOptionsRecoveryconsole",
        "version": "1.*",
        "configurationParameter": {
          "RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders": "Recovery console: Allow floppy copy and access to all drives and all folders;ExpectedValue"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders": {
        "type": "String",
        "metadata": {
          "displayName": "Recovery console: Allow floppy copy and access to all drives and all folders",
          "description": "Specifies whether to make the Recovery Console SET command available, which allows setting of recovery console environment variables."
        },
        "defaultValue": "0"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SecurityOptionsRecoveryconsole",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('Recovery console: Allow floppy copy and access to all drives and all folders;ExpectedValue', '=', parameters('RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/f71be03e-e25b-4d0f-b8bc-9b3e309b66c0",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "f71be03e-e25b-4d0f-b8bc-9b3e309b66c0"
}
BuiltIn Guest Configuration False False n/a n/a AuditIfNotExists false 0 n/a true 3 [Preview]: Motion Picture Association of America (MPAA) (/providers/microsoft.authorization/policysetdefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: Windows machines should meet requirements for the Azure compute security baseline (/providers/microsoft.authorization/policysetdefinitions/be7a78aa-3e10-4153-a5fd-8c6506dbc821) n/a
{
  "properties": {
    "displayName": "Windows machines should meet requirements for 'Security Options - Shutdown'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Windows machines should have the specified Group Policy settings in the category 'Security Options - Shutdown' for allowing shutdown without logon and clearing the virtual memory pagefile. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "2.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "AzureBaseline_SecurityOptionsShutdown",
        "version": "1.*",
        "configurationParameter": {
          "ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn": "Shutdown: Allow system to be shut down without having to log on;ExpectedValue",
          "ShutdownClearVirtualMemoryPagefile": "Shutdown: Clear virtual memory pagefile;ExpectedValue"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn": {
        "type": "String",
        "metadata": {
          "displayName": "Shutdown: Allow system to be shut down without having to log on",
          "description": "Specifies whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows logon screen."
        },
        "defaultValue": "0"
      },
      "ShutdownClearVirtualMemoryPagefile": {
        "type": "String",
        "metadata": {
          "displayName": "Shutdown: Clear virtual memory pagefile",
          "description": "Specifies whether the virtual memory pagefile is cleared when the system is shut down. When this policy setting is enabled, the system pagefile is cleared each time that the system shuts down properly. For systems with large amounts of RAM, this could result in substantial time needed to complete the shutdown."
        },
        "defaultValue": "0"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SecurityOptionsShutdown",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('Shutdown: Allow system to be shut down without having to log on;ExpectedValue', '=', parameters('ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'), ',', 'Shutdown: Clear virtual memory pagefile;ExpectedValue', '=', parameters('ShutdownClearVirtualMemoryPagefile')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/b4a4d1eb-0263-441b-84cb-a44073d8372d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b4a4d1eb-0263-441b-84cb-a44073d8372d"
}
BuiltIn Guest Configuration False False n/a n/a AuditIfNotExists false 0 n/a true 1 [Preview]: Windows machines should meet requirements for the Azure compute security baseline (/providers/microsoft.authorization/policysetdefinitions/be7a78aa-3e10-4153-a5fd-8c6506dbc821) n/a
{
  "properties": {
    "displayName": "Windows machines should meet requirements for 'Security Options - System objects'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Windows machines should have the specified Group Policy settings in the category 'Security Options - System objects' for case insensitivity for non-Windows subsystems and permissions of internal system objects. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "2.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "AzureBaseline_SecurityOptionsSystemobjects",
        "version": "1.*"
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SecurityOptionsSystemobjects",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/2f262ace-812a-4fd0-b731-b38ba9e9708d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "2f262ace-812a-4fd0-b731-b38ba9e9708d"
}
BuiltIn Guest Configuration False False n/a n/a AuditIfNotExists false 0 n/a true 1 [Preview]: Windows machines should meet requirements for the Azure compute security baseline (/providers/microsoft.authorization/policysetdefinitions/be7a78aa-3e10-4153-a5fd-8c6506dbc821) n/a
{
  "properties": {
    "displayName": "Windows machines should meet requirements for 'Security Options - System settings'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Windows machines should have the specified Group Policy settings in the category 'Security Options - System settings' for certificate rules on executables for SRP and optional subsystems. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "2.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "AzureBaseline_SecurityOptionsSystemsettings",
        "version": "1.*",
        "configurationParameter": {
          "SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies": "System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies;ExpectedValue"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies": {
        "type": "String",
        "metadata": {
          "displayName": "System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies",
          "description": "Specifies whether digital certificates are processed when software restriction policies are enabled and a user or process attempts to run software with an .exe file name extension. It enables or disables certificate rules (a type of software restriction policies rule). For certificate rules to take effect in software restriction policies, you must enable this policy setting."
        },
        "defaultValue": "1"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SecurityOptionsSystemsettings",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies;ExpectedValue', '=', parameters('SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/12017595-5a75-4bb1-9d97-4c2c939ea3c3",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "12017595-5a75-4bb1-9d97-4c2c939ea3c3"
}
BuiltIn Guest Configuration False False n/a n/a AuditIfNotExists false 0 n/a true 2 [Preview]: Motion Picture Association of America (MPAA) (/providers/microsoft.authorization/policysetdefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8), [Preview]: Windows machines should meet requirements for the Azure compute security baseline (/providers/microsoft.authorization/policysetdefinitions/be7a78aa-3e10-4153-a5fd-8c6506dbc821) n/a
{
  "properties": {
    "displayName": "Windows machines should meet requirements for 'Security Options - User Account Control'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Windows machines should have the specified Group Policy settings in the category 'Security Options - User Account Control' for mode for admins, behavior of elevation prompt, and virtualizing file and registry write failures. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "2.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "AzureBaseline_SecurityOptionsUserAccountControl",
        "version": "1.*",
        "configurationParameter": {
          "UACAdminApprovalModeForTheBuiltinAdministratorAccount": "User Account Control: Admin Approval Mode for the Built-in Administrator account;ExpectedValue",
          "UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode": "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode;ExpectedValue",
          "UACDetectApplicationInstallationsAndPromptForElevation": "User Account Control: Detect application installations and prompt for elevation;ExpectedValue",
          "UACRunAllAdministratorsInAdminApprovalMode": "User Account Control: Run all administrators in Admin Approval Mode;ExpectedValue"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "UACAdminApprovalModeForTheBuiltinAdministratorAccount": {
        "type": "String",
        "metadata": {
          "displayName": "UAC: Admin Approval Mode for the Built-in Administrator account",
          "description": "Specifies the behavior of Admin Approval Mode for the built-in Administrator account."
        },
        "defaultValue": "1"
      },
      "UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode": {
        "type": "String",
        "metadata": {
          "displayName": "UAC: Behavior of the elevation prompt for administrators in Admin Approval Mode",
          "description": "Specifies the behavior of the elevation prompt for administrators."
        },
        "defaultValue": "2"
      },
      "UACDetectApplicationInstallationsAndPromptForElevation": {
        "type": "String",
        "metadata": {
          "displayName": "UAC: Detect application installations and prompt for elevation",
          "description": "Specifies the behavior of application installation detection for the computer."
        },
        "defaultValue": "1"
      },
      "UACRunAllAdministratorsInAdminApprovalMode": {
        "type": "String",
        "metadata": {
          "displayName": "UAC: Run all administrators in Admin Approval Mode",
          "description": "Specifies the behavior of all User Account Control (UAC) policy settings for the computer."
        },
        "defaultValue": "1"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SecurityOptionsUserAccountControl",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('User Account Control: Admin Approval Mode for the Built-in Administrator account;ExpectedValue', '=', parameters('UACAdminApprovalModeForTheBuiltinAdministratorAccount'), ',', 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode;ExpectedValue', '=', parameters('UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'), ',', 'User Account Control: Detect application installations and prompt for elevation;ExpectedValue', '=', parameters('UACDetectApplicationInstallationsAndPromptForElevation'), ',', 'User Account Control: Run all administrators in Admin Approval Mode;ExpectedValue', '=', parameters('UACRunAllAdministratorsInAdminApprovalMode')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/492a29ed-d143-4f03-b6a4-705ce081b463",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "492a29ed-d143-4f03-b6a4-705ce081b463"
}
BuiltIn Guest Configuration False False n/a n/a AuditIfNotExists false 0 n/a true 3 HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Preview]: Windows machines should meet requirements for the Azure compute security baseline (/providers/microsoft.authorization/policysetdefinitions/be7a78aa-3e10-4153-a5fd-8c6506dbc821) n/a
{
  "properties": {
    "displayName": "Windows machines should meet requirements for 'Security Settings - Account Policies'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Windows machines should have the specified Group Policy settings in the category 'Security Settings - Account Policies' for password history, age, length, complexity, and storing passwords using reversible encryption. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "2.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "AzureBaseline_SecuritySettingsAccountPolicies",
        "version": "1.*",
        "configurationParameter": {
          "EnforcePasswordHistory": "Enforce password history;ExpectedValue",
          "MaximumPasswordAge": "Maximum password age;ExpectedValue",
          "MinimumPasswordAge": "Minimum password age;ExpectedValue",
          "MinimumPasswordLength": "Minimum password length;ExpectedValue",
          "PasswordMustMeetComplexityRequirements": "Password must meet complexity requirements;ExpectedValue"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "EnforcePasswordHistory": {
        "type": "String",
        "metadata": {
          "displayName": "Enforce password history",
          "description": "Specifies limits on password reuse - how many times a new password must be created for a user account before the password can be repeated."
        },
        "defaultValue": "24"
      },
      "MaximumPasswordAge": {
        "type": "String",
        "metadata": {
          "displayName": "Maximum password age",
          "description": "Specifies the maximum number of days that may elapse before a user account password must be changed. The format of the value is two integers separated by a comma, denoting an inclusive range."
        },
        "defaultValue": "1,70"
      },
      "MinimumPasswordAge": {
        "type": "String",
        "metadata": {
          "displayName": "Minimum password age",
          "description": "Specifies the minimum number of days that must elapse before a user account password can be changed."
        },
        "defaultValue": "1"
      },
      "MinimumPasswordLength": {
        "type": "String",
        "metadata": {
          "displayName": "Minimum password length",
          "description": "Specifies the minimum number of characters that a user account password may contain."
        },
        "defaultValue": "14"
      },
      "PasswordMustMeetComplexityRequirements": {
        "type": "String",
        "metadata": {
          "displayName": "Password must meet complexity requirements",
          "description": "Specifies whether a user account password must be complex. If required, a complex password must not contain part of  user's account name or full name; be at least 6 characters long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters."
        },
        "defaultValue": "1"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SecuritySettingsAccountPolicies",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('Enforce password history;ExpectedValue', '=', parameters('EnforcePasswordHistory'), ',', 'Maximum password age;ExpectedValue', '=', parameters('MaximumPasswordAge'), ',', 'Minimum password age;ExpectedValue', '=', parameters('MinimumPasswordAge'), ',', 'Minimum password length;ExpectedValue', '=', parameters('MinimumPasswordLength'), ',', 'Password must meet complexity requirements;ExpectedValue', '=', parameters('PasswordMustMeetComplexityRequirements')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/f2143251-70de-4e81-87a8-36cee5a2f29d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "f2143251-70de-4e81-87a8-36cee5a2f29d"
}
BuiltIn Guest Configuration False False n/a n/a AuditIfNotExists false 0 n/a true 3 [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), [Preview]: Windows machines should meet requirements for the Azure compute security baseline (/providers/microsoft.authorization/policysetdefinitions/be7a78aa-3e10-4153-a5fd-8c6506dbc821), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a) n/a
{
  "properties": {
    "displayName": "Windows machines should meet requirements for 'System Audit Policies - Account Logon'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Logon' for auditing credential validation and other account logon events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "2.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "AzureBaseline_SystemAuditPoliciesAccountLogon",
        "version": "1.*",
        "configurationParameter": {
          "AuditCredentialValidation": "Audit Credential Validation;ExpectedValue"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "AuditCredentialValidation": {
        "type": "String",
        "metadata": {
          "displayName": "Audit Credential Validation",
          "description": "Specifies whether audit events are generated when credentials are submitted for a user account logon request.  This setting is especially useful for monitoring unsuccessful attempts, to find brute-force attacks, account enumeration, and potential account compromise events on domain controllers."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "Success and Failure"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SystemAuditPoliciesAccountLogon",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('Audit Credential Validation;ExpectedValue', '=', parameters('AuditCredentialValidation')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/43bb60fe-1d7e-4b82-9e93-496bfc99e7d5",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "43bb60fe-1d7e-4b82-9e93-496bfc99e7d5"
}
BuiltIn Guest Configuration False False n/a n/a AuditIfNotExists false 0 n/a true 1 [Preview]: Windows machines should meet requirements for the Azure compute security baseline (/providers/microsoft.authorization/policysetdefinitions/be7a78aa-3e10-4153-a5fd-8c6506dbc821) n/a
{
  "properties": {
    "displayName": "Windows machines should meet requirements for 'System Audit Policies - Account Management'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Management' for auditing application, security, and user group management, and other management events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "2.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "AzureBaseline_SystemAuditPoliciesAccountManagement",
        "version": "1.*"
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SystemAuditPoliciesAccountManagement",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/94d9aca8-3757-46df-aa51-f218c5f11954",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "94d9aca8-3757-46df-aa51-f218c5f11954"
}
BuiltIn Guest Configuration False False n/a n/a AuditIfNotExists false 0 n/a true 2 HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: Windows machines should meet requirements for the Azure compute security baseline (/providers/microsoft.authorization/policysetdefinitions/be7a78aa-3e10-4153-a5fd-8c6506dbc821) n/a
{
  "properties": {
    "displayName": "Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "2.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "AzureBaseline_SystemAuditPoliciesDetailedTracking",
        "version": "1.*",
        "configurationParameter": {
          "AuditProcessTermination": "Audit Process Termination;ExpectedValue"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "AuditProcessTermination": {
        "type": "String",
        "metadata": {
          "displayName": "Audit Process Termination",
          "description": "Specifies whether audit events are generated when a process has exited. Recommended for monitoring termination of critical processes."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "No Auditing"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SystemAuditPoliciesDetailedTracking",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('Audit Process Termination;ExpectedValue', '=', parameters('AuditProcessTermination')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/58383b73-94a9-4414-b382-4146eb02611b",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "58383b73-94a9-4414-b382-4146eb02611b"
}
BuiltIn Guest Configuration False False n/a n/a AuditIfNotExists false 0 n/a true 2 HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: Windows machines should meet requirements for the Azure compute security baseline (/providers/microsoft.authorization/policysetdefinitions/be7a78aa-3e10-4153-a5fd-8c6506dbc821) n/a
{
  "properties": {
    "displayName": "Windows machines should meet requirements for 'System Audit Policies - Logon-Logoff'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Logon-Logoff' for auditing IPSec, network policy, claims, account lockout, group membership, and logon/logoff events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "2.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "AzureBaseline_SystemAuditPoliciesLogonLogoff",
        "version": "1.*",
        "configurationParameter": {
          "AuditGroupMembership": "Audit Group Membership;ExpectedValue"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "AuditGroupMembership": {
        "type": "String",
        "metadata": {
          "displayName": "Audit Group Membership",
          "description": "Specifies whether audit events are generated when group memberships are enumerated on the client computer."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "Success"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SystemAuditPoliciesLogonLogoff",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('Audit Group Membership;ExpectedValue', '=', parameters('AuditGroupMembership')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/19be9779-c776-4dfa-8a15-a2fd5dc843d6",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "19be9779-c776-4dfa-8a15-a2fd5dc843d6"
}
BuiltIn Guest Configuration False False n/a n/a AuditIfNotExists false 0 n/a true 1 [Preview]: Windows machines should meet requirements for the Azure compute security baseline (/providers/microsoft.authorization/policysetdefinitions/be7a78aa-3e10-4153-a5fd-8c6506dbc821) n/a
{
  "properties": {
    "displayName": "Windows machines should meet requirements for 'System Audit Policies - Object Access'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Object Access' for auditing file, registry, SAM, storage, filtering, kernel, and other system types. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "2.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "AzureBaseline_SystemAuditPoliciesObjectAccess",
        "version": "1.*",
        "configurationParameter": {
          "AuditDetailedFileShare": "Audit Detailed File Share;ExpectedValue",
          "AuditFileShare": "Audit File Share;ExpectedValue",
          "AuditFileSystem": "Audit File System;ExpectedValue"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "AuditDetailedFileShare": {
        "type": "String",
        "metadata": {
          "displayName": "Audit Detailed File Share",
          "description": "If this policy setting is enabled, access to all shared files and folders on the system is audited. Auditing for Success can lead to very high volumes of events."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "No Auditing"
      },
      "AuditFileShare": {
        "type": "String",
        "metadata": {
          "displayName": "Audit File Share",
          "description": "Specifies whether to audit events related to file shares: creation, deletion, modification, and access attempts. Also, it shows failed SMB SPN checks. Event volumes can be high on DCs and File Servers."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "No Auditing"
      },
      "AuditFileSystem": {
        "type": "String",
        "metadata": {
          "displayName": "Audit File System",
          "description": "Specifies whether audit events are generated when users attempt to access file system objects. Audit events are generated only for objects that have configured system access control lists (SACLs)."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "No Auditing"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SystemAuditPoliciesObjectAccess",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('Audit Detailed File Share;ExpectedValue', '=', parameters('AuditDetailedFileShare'), ',', 'Audit File Share;ExpectedValue', '=', parameters('AuditFileShare'), ',', 'Audit File System;ExpectedValue', '=', parameters('AuditFileSystem')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/35781875-8026-4628-b19b-f6efb4d88a1d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "35781875-8026-4628-b19b-f6efb4d88a1d"
}
BuiltIn Guest Configuration False False n/a n/a AuditIfNotExists false 0 n/a true 1 [Preview]: Windows machines should meet requirements for the Azure compute security baseline (/providers/microsoft.authorization/policysetdefinitions/be7a78aa-3e10-4153-a5fd-8c6506dbc821) n/a
{
  "properties": {
    "displayName": "Windows machines should meet requirements for 'System Audit Policies - Policy Change'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Policy Change' for auditing changes to system audit policies. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "2.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "AzureBaseline_SystemAuditPoliciesPolicyChange",
        "version": "1.*",
        "configurationParameter": {
          "AuditAuthenticationPolicyChange": "Audit Authentication Policy Change;ExpectedValue",
          "AuditAuthorizationPolicyChange": "Audit Authorization Policy Change;ExpectedValue"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "AuditAuthenticationPolicyChange": {
        "type": "String",
        "metadata": {
          "displayName": "Audit Authentication Policy Change",
          "description": "Specifies whether audit events are generated when changes are made to authentication policy. This setting is useful for tracking changes in domain-level and forest-level trust and privileges that are granted to user accounts or groups."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "Success"
      },
      "AuditAuthorizationPolicyChange": {
        "type": "String",
        "metadata": {
          "displayName": "Audit Authorization Policy Change",
          "description": "Specifies whether audit events are generated for assignment and removal of user rights in user right policies, changes in security token object permission, resource attributes changes and Central Access Policy changes for file system objects."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "No Auditing"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SystemAuditPoliciesPolicyChange",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('Audit Authentication Policy Change;ExpectedValue', '=', parameters('AuditAuthenticationPolicyChange'), ',', 'Audit Authorization Policy Change;ExpectedValue', '=', parameters('AuditAuthorizationPolicyChange')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/2a7a701e-dff3-4da9-9ec5-42cb98594c0b",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "2a7a701e-dff3-4da9-9ec5-42cb98594c0b"
}
BuiltIn Guest Configuration False False n/a n/a AuditIfNotExists false 0 n/a true 2 [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Preview]: Windows machines should meet requirements for the Azure compute security baseline (/providers/microsoft.authorization/policysetdefinitions/be7a78aa-3e10-4153-a5fd-8c6506dbc821) n/a
{
  "properties": {
    "displayName": "Windows machines should meet requirements for 'System Audit Policies - Privilege Use'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Privilege Use' for auditing nonsensitive and other privilege use. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "2.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "AzureBaseline_SystemAuditPoliciesPrivilegeUse",
        "version": "1.*"
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SystemAuditPoliciesPrivilegeUse",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/87845465-c458-45f3-af66-dcd62176f397",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "87845465-c458-45f3-af66-dcd62176f397"
}
BuiltIn Guest Configuration False False n/a n/a AuditIfNotExists false 0 n/a true 2 [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Preview]: Windows machines should meet requirements for the Azure compute security baseline (/providers/microsoft.authorization/policysetdefinitions/be7a78aa-3e10-4153-a5fd-8c6506dbc821) n/a
{
  "properties": {
    "displayName": "Windows machines should meet requirements for 'System Audit Policies - System'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - System' for auditing IPsec driver, system integrity, system extension, state change, and other system events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "2.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "AzureBaseline_SystemAuditPoliciesSystem",
        "version": "1.*",
        "configurationParameter": {
          "AuditOtherSystemEvents": "Audit Other System Events;ExpectedValue"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "AuditOtherSystemEvents": {
        "type": "String",
        "metadata": {
          "displayName": "Audit Other System Events",
          "description": "Specifies whether audit events are generated for Windows Firewall Service and Windows Firewall driver start and stop events, failure events for these services and Windows Firewall Service policy processing failures."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "No Auditing"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SystemAuditPoliciesSystem",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('Audit Other System Events;ExpectedValue', '=', parameters('AuditOtherSystemEvents')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/8316fa92-d69c-4810-8124-62414f560dcf",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "8316fa92-d69c-4810-8124-62414f560dcf"
}
BuiltIn Guest Configuration False False n/a n/a AuditIfNotExists false 0 n/a true 1 [Preview]: Windows machines should meet requirements for the Azure compute security baseline (/providers/microsoft.authorization/policysetdefinitions/be7a78aa-3e10-4153-a5fd-8c6506dbc821) n/a
{
  "properties": {
    "displayName": "Windows machines should meet requirements for 'User Rights Assignment'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Windows machines should have the specified Group Policy settings in the category 'User Rights Assignment' for allowing log on locally, RDP, access from the network, and many other user activities. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "2.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "AzureBaseline_UserRightsAssignment",
        "version": "1.*",
        "configurationParameter": {
          "UsersOrGroupsThatMayAccessThisComputerFromTheNetwork": "Access this computer from the network;ExpectedValue",
          "UsersOrGroupsThatMayLogOnLocally": "Allow log on locally;ExpectedValue",
          "UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices": "Allow log on through Remote Desktop Services;ExpectedValue",
          "UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork": "Deny access to this computer from the network;ExpectedValue",
          "UsersOrGroupsThatMayManageAuditingAndSecurityLog": "Manage auditing and security log;ExpectedValue",
          "UsersOrGroupsThatMayBackUpFilesAndDirectories": "Back up files and directories;ExpectedValue",
          "UsersOrGroupsThatMayChangeTheSystemTime": "Change the system time;ExpectedValue",
          "UsersOrGroupsThatMayChangeTheTimeZone": "Change the time zone;ExpectedValue",
          "UsersOrGroupsThatMayCreateATokenObject": "Create a token object;ExpectedValue",
          "UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob": "Deny log on as a batch job;ExpectedValue",
          "UsersAndGroupsThatAreDeniedLoggingOnAsAService": "Deny log on as a service;ExpectedValue",
          "UsersAndGroupsThatAreDeniedLocalLogon": "Deny log on locally;ExpectedValue",
          "UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices": "Deny log on through Remote Desktop Services;ExpectedValue",
          "UserAndGroupsThatMayForceShutdownFromARemoteSystem": "Force shutdown from a remote system;ExpectedValue",
          "UsersAndGroupsThatMayRestoreFilesAndDirectories": "Restore files and directories;ExpectedValue",
          "UsersAndGroupsThatMayShutDownTheSystem": "Shut down the system;ExpectedValue",
          "UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects": "Take ownership of files or other objects;ExpectedValue"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "UsersOrGroupsThatMayAccessThisComputerFromTheNetwork": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may access this computer from the network",
          "description": "Specifies which remote users on the network are permitted to connect to the computer. This does not include Remote Desktop Connection."
        },
        "defaultValue": "Administrators, Authenticated Users"
      },
      "UsersOrGroupsThatMayLogOnLocally": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may log on locally",
          "description": "Specifies which users or groups can interactively log on to the computer. Users who attempt to log on via Remote Desktop Connection or IIS also require this user right."
        },
        "defaultValue": "Administrators"
      },
      "UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may log on through Remote Desktop Services",
          "description": "Specifies which users or groups are permitted to log on as a Terminal Services client, Remote Desktop, or for Remote Assistance."
        },
        "defaultValue": "Administrators, Remote Desktop Users"
      },
      "UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that are denied access to this computer from the network",
          "description": "Specifies which users or groups are explicitly prohibited from connecting to the computer across the network."
        },
        "defaultValue": "Guests"
      },
      "UsersOrGroupsThatMayManageAuditingAndSecurityLog": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may manage auditing and security log",
          "description": "Specifies users and groups permitted to change the auditing options for files and directories and clear the Security log."
        },
        "defaultValue": "Administrators"
      },
      "UsersOrGroupsThatMayBackUpFilesAndDirectories": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may back up files and directories",
          "description": "Specifies users and groups allowed to circumvent file and directory permissions to back up the system."
        },
        "defaultValue": "Administrators, Backup Operators"
      },
      "UsersOrGroupsThatMayChangeTheSystemTime": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may change the system time",
          "description": "Specifies which users and groups are permitted to change the time and date on the internal clock of the computer."
        },
        "defaultValue": "Administrators, LOCAL SERVICE"
      },
      "UsersOrGroupsThatMayChangeTheTimeZone": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may change the time zone",
          "description": "Specifies which users and groups are permitted to change the time zone of the computer."
        },
        "defaultValue": "Administrators, LOCAL SERVICE"
      },
      "UsersOrGroupsThatMayCreateATokenObject": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may create a token object",
          "description": "Specifies which users and groups are permitted to create an access token, which may provide elevated rights to access sensitive data."
        },
        "defaultValue": "No One"
      },
      "UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that are denied logging on as a batch job",
          "description": "Specifies which users and groups are explicitly not permitted to log on to the computer as a batch job (i.e. scheduled task)."
        },
        "defaultValue": "Guests"
      },
      "UsersAndGroupsThatAreDeniedLoggingOnAsAService": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that are denied logging on as a service",
          "description": "Specifies which service accounts are explicitly not permitted to register a process as a service."
        },
        "defaultValue": "Guests"
      },
      "UsersAndGroupsThatAreDeniedLocalLogon": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that are denied local logon",
          "description": "Specifies which users and groups are explicitly not permitted to log on to the computer."
        },
        "defaultValue": "Guests"
      },
      "UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that are denied log on through Remote Desktop Services",
          "description": "Specifies which users and groups are explicitly not permitted to log on to the computer via Terminal Services/Remote Desktop Client."
        },
        "defaultValue": "Guests"
      },
      "UserAndGroupsThatMayForceShutdownFromARemoteSystem": {
        "type": "String",
        "metadata": {
          "displayName": "User and groups that may force shutdown from a remote system",
          "description": "Specifies which users and groups are permitted to shut down the computer from a remote location on the network."
        },
        "defaultValue": "Administrators"
      },
      "UsersAndGroupsThatMayRestoreFilesAndDirectories": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that may restore files and directories",
          "description": "Specifies which users and groups are permitted to bypass file, directory, registry, and other persistent object permissions when restoring backed up files and directories."
        },
        "defaultValue": "Administrators, Backup Operators"
      },
      "UsersAndGroupsThatMayShutDownTheSystem": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that may shut down the system",
          "description": "Specifies which users and groups who are logged on locally to the computers in your environment are permitted to shut down the operating system with the Shut Down command."
        },
        "defaultValue": "Administrators"
      },
      "UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may take ownership of files or other objects",
          "description": "Specifies which users and groups are permitted to take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions that are in place to protect objects to give ownership to the specified user."
        },
        "defaultValue": "Administrators"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_UserRightsAssignment",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('Access this computer from the network;ExpectedValue', '=', parameters('UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'), ',', 'Allow log on locally;ExpectedValue', '=', parameters('UsersOrGroupsThatMayLogOnLocally'), ',', 'Allow log on through Remote Desktop Services;ExpectedValue', '=', parameters('UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'), ',', 'Deny access to this computer from the network;ExpectedValue', '=', parameters('UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'), ',', 'Manage auditing and security log;ExpectedValue', '=', parameters('UsersOrGroupsThatMayManageAuditingAndSecurityLog'), ',', 'Back up files and directories;ExpectedValue', '=', parameters('UsersOrGroupsThatMayBackUpFilesAndDirectories'), ',', 'Change the system time;ExpectedValue', '=', parameters('UsersOrGroupsThatMayChangeTheSystemTime'), ',', 'Change the time zone;ExpectedValue', '=', parameters('UsersOrGroupsThatMayChangeTheTimeZone'), ',', 'Create a token object;ExpectedValue', '=', parameters('UsersOrGroupsThatMayCreateATokenObject'), ',', 'Deny log on as a batch job;ExpectedValue', '=', parameters('UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'), ',', 'Deny log on as a service;ExpectedValue', '=', parameters('UsersAndGroupsThatAreDeniedLoggingOnAsAService'), ',', 'Deny log on locally;ExpectedValue', '=', parameters('UsersAndGroupsThatAreDeniedLocalLogon'), ',', 'Deny log on through Remote Desktop Services;ExpectedValue', '=', parameters('UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'), ',', 'Force shutdown from a remote system;ExpectedValue', '=', parameters('UserAndGroupsThatMayForceShutdownFromARemoteSystem'), ',', 'Restore files and directories;ExpectedValue', '=', parameters('UsersAndGroupsThatMayRestoreFilesAndDirectories'), ',', 'Shut down the system;ExpectedValue', '=', parameters('UsersAndGroupsThatMayShutDownTheSystem'), ',', 'Take ownership of files or other objects;ExpectedValue', '=', parameters('UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e068b215-0026-4354-b347-8fb2766f73a2",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e068b215-0026-4354-b347-8fb2766f73a2"
}
BuiltIn Guest Configuration False False n/a n/a AuditIfNotExists false 0 n/a true 4 [Preview]: Motion Picture Association of America (MPAA) (/providers/microsoft.authorization/policysetdefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Preview]: Windows machines should meet requirements for the Azure compute security baseline (/providers/microsoft.authorization/policysetdefinitions/be7a78aa-3e10-4153-a5fd-8c6506dbc821) n/a
{
  "properties": {
    "displayName": "Windows machines should meet requirements for 'Windows Components'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Windows machines should have the specified Group Policy settings in the category 'Windows Components' for basic authentication, unencrypted traffic, Microsoft accounts, telemetry, Cortana, and other Windows behaviors. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "2.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "AzureBaseline_WindowsComponents",
        "version": "1.*",
        "configurationParameter": {
          "SendFileSamplesWhenFurtherAnalysisIsRequired": "Send file samples when further analysis is required;ExpectedValue",
          "AllowIndexingOfEncryptedFiles": "Allow indexing of encrypted files;ExpectedValue",
          "AllowTelemetry": "Allow Telemetry;ExpectedValue",
          "AllowUnencryptedTraffic": "Allow unencrypted traffic;ExpectedValue",
          "AlwaysInstallWithElevatedPrivileges": "Always install with elevated privileges;ExpectedValue",
          "AlwaysPromptForPasswordUponConnection": "Always prompt for password upon connection;ExpectedValue",
          "ApplicationSpecifyTheMaximumLogFileSizeKB": "Application: Specify the maximum log file size (KB);ExpectedValue",
          "AutomaticallySendMemoryDumpsForOSgeneratedErrorReports": "Automatically send memory dumps for OS-generated error reports;ExpectedValue",
          "ConfigureDefaultConsent": "Configure Default consent;ExpectedValue",
          "ConfigureWindowsSmartScreen": "Configure Windows SmartScreen;ExpectedValue",
          "DisallowDigestAuthentication": "Disallow Digest authentication;ExpectedValue",
          "DisallowWinRMFromStoringRunAsCredentials": "Disallow WinRM from storing RunAs credentials;ExpectedValue",
          "DoNotAllowPasswordsToBeSaved": "Do not allow passwords to be saved;ExpectedValue",
          "SecuritySpecifyTheMaximumLogFileSizeKB": "Security: Specify the maximum log file size (KB);ExpectedValue",
          "SetClientConnectionEncryptionLevel": "Set client connection encryption level;ExpectedValue",
          "SetTheDefaultBehaviorForAutoRun": "Set the default behavior for AutoRun;ExpectedValue",
          "SetupSpecifyTheMaximumLogFileSizeKB": "Setup: Specify the maximum log file size (KB);ExpectedValue",
          "SystemSpecifyTheMaximumLogFileSizeKB": "System: Specify the maximum log file size (KB);ExpectedValue",
          "TurnOffDataExecutionPreventionForExplorer": "Turn off Data Execution Prevention for Explorer;ExpectedValue",
          "SpecifyTheIntervalToCheckForDefinitionUpdates": "Specify the interval to check for definition updates;ExpectedValue"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "SendFileSamplesWhenFurtherAnalysisIsRequired": {
        "type": "String",
        "metadata": {
          "displayName": "Send file samples when further analysis is required",
          "description": "Specifies whether and how Windows Defender will submit samples of suspected malware  to Microsoft for further analysis when opt-in for MAPS telemetry is set."
        },
        "defaultValue": "1"
      },
      "AllowIndexingOfEncryptedFiles": {
        "type": "String",
        "metadata": {
          "displayName": "Allow indexing of encrypted files",
          "description": "Specifies whether encrypted items are allowed to be indexed."
        },
        "defaultValue": "0"
      },
      "AllowTelemetry": {
        "type": "String",
        "metadata": {
          "displayName": "Allow Telemetry",
          "description": "Specifies configuration of the amount of diagnostic and usage data reported to Microsoft. The data is transmitted securely and sensitive data is not sent."
        },
        "defaultValue": "2"
      },
      "AllowUnencryptedTraffic": {
        "type": "String",
        "metadata": {
          "displayName": "Allow unencrypted traffic",
          "description": "Specifies whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network."
        },
        "defaultValue": "0"
      },
      "AlwaysInstallWithElevatedPrivileges": {
        "type": "String",
        "metadata": {
          "displayName": "Always install with elevated privileges",
          "description": "Specifies whether Windows Installer should use system permissions when it installs any program on the system."
        },
        "defaultValue": "0"
      },
      "AlwaysPromptForPasswordUponConnection": {
        "type": "String",
        "metadata": {
          "displayName": "Always prompt for password upon connection",
          "description": "Specifies whether Terminal Services/Remote Desktop Connection always prompts the client computer for a password upon connection."
        },
        "defaultValue": "1"
      },
      "ApplicationSpecifyTheMaximumLogFileSizeKB": {
        "type": "String",
        "metadata": {
          "displayName": "Application: Specify the maximum log file size (KB)",
          "description": "Specifies the maximum size for the Application event log in kilobytes."
        },
        "defaultValue": "32768"
      },
      "AutomaticallySendMemoryDumpsForOSgeneratedErrorReports": {
        "type": "String",
        "metadata": {
          "displayName": "Automatically send memory dumps for OS-generated error reports",
          "description": "Specifies if memory dumps in support of OS-generated error reports can be sent to Microsoft automatically."
        },
        "defaultValue": "1"
      },
      "ConfigureDefaultConsent": {
        "type": "String",
        "metadata": {
          "displayName": "Configure Default consent",
          "description": "Specifies setting of the default consent handling for error reports sent to Microsoft."
        },
        "defaultValue": "4"
      },
      "ConfigureWindowsSmartScreen": {
        "type": "String",
        "metadata": {
          "displayName": "Configure Windows SmartScreen",
          "description": "Specifies how to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled."
        },
        "defaultValue": "1"
      },
      "DisallowDigestAuthentication": {
        "type": "String",
        "metadata": {
          "displayName": "Disallow Digest authentication",
          "description": "Specifies whether the Windows Remote Management (WinRM) client will not use Digest authentication."
        },
        "defaultValue": "0"
      },
      "DisallowWinRMFromStoringRunAsCredentials": {
        "type": "String",
        "metadata": {
          "displayName": "Disallow WinRM from storing RunAs credentials",
          "description": "Specifies whether the Windows Remote Management (WinRM) service will not allow RunAs credentials to be stored for any plug-ins."
        },
        "defaultValue": "1"
      },
      "DoNotAllowPasswordsToBeSaved": {
        "type": "String",
        "metadata": {
          "displayName": "Do not allow passwords to be saved",
          "description": "Specifies whether to prevent Remote Desktop Services - Terminal Services clients from saving passwords on a computer."
        },
        "defaultValue": "1"
      },
      "SecuritySpecifyTheMaximumLogFileSizeKB": {
        "type": "String",
        "metadata": {
          "displayName": "Security: Specify the maximum log file size (KB)",
          "description": "Specifies the maximum size for the Security event log in kilobytes."
        },
        "defaultValue": "196608"
      },
      "SetClientConnectionEncryptionLevel": {
        "type": "String",
        "metadata": {
          "displayName": "Set client connection encryption level",
          "description": "Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption."
        },
        "defaultValue": "3"
      },
      "SetTheDefaultBehaviorForAutoRun": {
        "type": "String",
        "metadata": {
          "displayName": "Set the default behavior for AutoRun",
          "description": "Specifies the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines."
        },
        "defaultValue": "1"
      },
      "SetupSpecifyTheMaximumLogFileSizeKB": {
        "type": "String",
        "metadata": {
          "displayName": "Setup: Specify the maximum log file size (KB)",
          "description": "Specifies the maximum size for the Setup event log in kilobytes."
        },
        "defaultValue": "32768"
      },
      "SystemSpecifyTheMaximumLogFileSizeKB": {
        "type": "String",
        "metadata": {
          "displayName": "System: Specify the maximum log file size (KB)",
          "description": "Specifies the maximum size for the System event log in kilobytes."
        },
        "defaultValue": "32768"
      },
      "TurnOffDataExecutionPreventionForExplorer": {
        "type": "String",
        "metadata": {
          "displayName": "Turn off Data Execution Prevention for Explorer",
          "description": "Specifies whether to turn off Data Execution Prevention for Windows File Explorer. Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer."
        },
        "defaultValue": "0"
      },
      "SpecifyTheIntervalToCheckForDefinitionUpdates": {
        "type": "String",
        "metadata": {
          "displayName": "Specify the interval to check for definition updates",
          "description": "Specifies an interval at which to check for Windows Defender definition updates. The time value is represented as the number of hours between update checks."
        },
        "defaultValue": "8"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_WindowsComponents",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('Send file samples when further analysis is required;ExpectedValue', '=', parameters('SendFileSamplesWhenFurtherAnalysisIsRequired'), ',', 'Allow indexing of encrypted files;ExpectedValue', '=', parameters('AllowIndexingOfEncryptedFiles'), ',', 'Allow Telemetry;ExpectedValue', '=', parameters('AllowTelemetry'), ',', 'Allow unencrypted traffic;ExpectedValue', '=', parameters('AllowUnencryptedTraffic'), ',', 'Always install with elevated privileges;ExpectedValue', '=', parameters('AlwaysInstallWithElevatedPrivileges'), ',', 'Always prompt for password upon connection;ExpectedValue', '=', parameters('AlwaysPromptForPasswordUponConnection'), ',', 'Application: Specify the maximum log file size (KB);ExpectedValue', '=', parameters('ApplicationSpecifyTheMaximumLogFileSizeKB'), ',', 'Automatically send memory dumps for OS-generated error reports;ExpectedValue', '=', parameters('AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'), ',', 'Configure Default consent;ExpectedValue', '=', parameters('ConfigureDefaultConsent'), ',', 'Configure Windows SmartScreen;ExpectedValue', '=', parameters('ConfigureWindowsSmartScreen'), ',', 'Disallow Digest authentication;ExpectedValue', '=', parameters('DisallowDigestAuthentication'), ',', 'Disallow WinRM from storing RunAs credentials;ExpectedValue', '=', parameters('DisallowWinRMFromStoringRunAsCredentials'), ',', 'Do not allow passwords to be saved;ExpectedValue', '=', parameters('DoNotAllowPasswordsToBeSaved'), ',', 'Security: Specify the maximum log file size (KB);ExpectedValue', '=', parameters('SecuritySpecifyTheMaximumLogFileSizeKB'), ',', 'Set client connection encryption level;ExpectedValue', '=', parameters('SetClientConnectionEncryptionLevel'), ',', 'Set the default behavior for AutoRun;ExpectedValue', '=', parameters('SetTheDefaultBehaviorForAutoRun'), ',', 'Setup: Specify the maximum log file size (KB);ExpectedValue', '=', parameters('SetupSpecifyTheMaximumLogFileSizeKB'), ',', 'System: Specify the maximum log file size (KB);ExpectedValue', '=', parameters('SystemSpecifyTheMaximumLogFileSizeKB'), ',', 'Turn off Data Execution Prevention for Explorer;ExpectedValue', '=', parameters('TurnOffDataExecutionPreventionForExplorer'), ',', 'Specify the interval to check for definition updates;ExpectedValue', '=', parameters('SpecifyTheIntervalToCheckForDefinitionUpdates')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/8537fe96-8cbe-43de-b0ef-131bc72bc22a",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "8537fe96-8cbe-43de-b0ef-131bc72bc22a"
}
BuiltIn Guest Configuration False False n/a n/a AuditIfNotExists false 0 n/a true 1 [Preview]: Windows machines should meet requirements for the Azure compute security baseline (/providers/microsoft.authorization/policysetdefinitions/be7a78aa-3e10-4153-a5fd-8c6506dbc821) n/a
{
  "properties": {
    "displayName": "Windows machines should meet requirements for 'Windows Firewall Properties'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Windows machines should have the specified Group Policy settings in the category 'Windows Firewall Properties' for firewall state, connections, rule management, and notifications. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "2.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "AzureBaseline_WindowsFirewallProperties",
        "version": "1.*",
        "configurationParameter": {
          "WindowsFirewallDomainUseProfileSettings": "Windows Firewall: Domain: Firewall state;ExpectedValue",
          "WindowsFirewallDomainBehaviorForOutboundConnections": "Windows Firewall: Domain: Outbound connections;ExpectedValue",
          "WindowsFirewallDomainApplyLocalConnectionSecurityRules": "Windows Firewall: Domain: Settings: Apply local connection security rules;ExpectedValue",
          "WindowsFirewallDomainApplyLocalFirewallRules": "Windows Firewall: Domain: Settings: Apply local firewall rules;ExpectedValue",
          "WindowsFirewallDomainDisplayNotifications": "Windows Firewall: Domain: Settings: Display a notification;ExpectedValue",
          "WindowsFirewallPrivateUseProfileSettings": "Windows Firewall: Private: Firewall state;ExpectedValue",
          "WindowsFirewallPrivateBehaviorForOutboundConnections": "Windows Firewall: Private: Outbound connections;ExpectedValue",
          "WindowsFirewallPrivateApplyLocalConnectionSecurityRules": "Windows Firewall: Private: Settings: Apply local connection security rules;ExpectedValue",
          "WindowsFirewallPrivateApplyLocalFirewallRules": "Windows Firewall: Private: Settings: Apply local firewall rules;ExpectedValue",
          "WindowsFirewallPrivateDisplayNotifications": "Windows Firewall: Private: Settings: Display a notification;ExpectedValue",
          "WindowsFirewallPublicUseProfileSettings": "Windows Firewall: Public: Firewall state;ExpectedValue",
          "WindowsFirewallPublicBehaviorForOutboundConnections": "Windows Firewall: Public: Outbound connections;ExpectedValue",
          "WindowsFirewallPublicApplyLocalConnectionSecurityRules": "Windows Firewall: Public: Settings: Apply local connection security rules;ExpectedValue",
          "WindowsFirewallPublicApplyLocalFirewallRules": "Windows Firewall: Public: Settings: Apply local firewall rules;ExpectedValue",
          "WindowsFirewallPublicDisplayNotifications": "Windows Firewall: Public: Settings: Display a notification;ExpectedValue",
          "WindowsFirewallDomainAllowUnicastResponse": "Windows Firewall: Domain: Allow unicast response;ExpectedValue",
          "WindowsFirewallPrivateAllowUnicastResponse": "Windows Firewall: Private: Allow unicast response;ExpectedValue",
          "WindowsFirewallPublicAllowUnicastResponse": "Windows Firewall: Public: Allow unicast response;ExpectedValue"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "WindowsFirewallDomainUseProfileSettings": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Domain): Use profile settings",
          "description": "Specifies whether Windows Firewall with Advanced Security uses the settings for the Domain profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallDomainBehaviorForOutboundConnections": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Domain): Behavior for outbound connections",
          "description": "Specifies the behavior for outbound connections for the Domain profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, and a value of 1 means to block connections."
        },
        "defaultValue": "0"
      },
      "WindowsFirewallDomainApplyLocalConnectionSecurityRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Domain): Apply local connection security rules",
          "description": "Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy for the Domain profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallDomainApplyLocalFirewallRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Domain): Apply local firewall rules",
          "description": "Specifies whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy for the Domain profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallDomainDisplayNotifications": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Domain): Display notifications",
          "description": "Specifies whether Windows Firewall with Advanced Security displays notifications to the user when a program is blocked from receiving inbound connections, for the Domain profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPrivateUseProfileSettings": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Private): Use profile settings",
          "description": "Specifies whether Windows Firewall with Advanced Security uses the settings for the Private profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPrivateBehaviorForOutboundConnections": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Private): Behavior for outbound connections",
          "description": "Specifies the behavior for outbound connections for the Private profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, and a value of 1 means to block connections."
        },
        "defaultValue": "0"
      },
      "WindowsFirewallPrivateApplyLocalConnectionSecurityRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Private): Apply local connection security rules",
          "description": "Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy for the Private profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPrivateApplyLocalFirewallRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Private): Apply local firewall rules",
          "description": "Specifies whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy for the Private profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPrivateDisplayNotifications": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Private): Display notifications",
          "description": "Specifies whether Windows Firewall with Advanced Security displays notifications to the user when a program is blocked from receiving inbound connections, for the Private profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPublicUseProfileSettings": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Public): Use profile settings",
          "description": "Specifies whether Windows Firewall with Advanced Security uses the settings for the Public profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPublicBehaviorForOutboundConnections": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Public): Behavior for outbound connections",
          "description": "Specifies the behavior for outbound connections for the Public profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, and a value of 1 means to block connections."
        },
        "defaultValue": "0"
      },
      "WindowsFirewallPublicApplyLocalConnectionSecurityRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Public): Apply local connection security rules",
          "description": "Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy for the Public profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPublicApplyLocalFirewallRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Public): Apply local firewall rules",
          "description": "Specifies whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy for the Public profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPublicDisplayNotifications": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Public): Display notifications",
          "description": "Specifies whether Windows Firewall with Advanced Security displays notifications to the user when a program is blocked from receiving inbound connections, for the Public profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallDomainAllowUnicastResponse": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall: Domain: Allow unicast response",
          "description": "Specifies whether Windows Firewall with Advanced Security permits the local computer to receive unicast responses to its outgoing multicast or broadcast messages; for the Domain profile."
        },
        "defaultValue": "0"
      },
      "WindowsFirewallPrivateAllowUnicastResponse": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall: Private: Allow unicast response",
          "description": "Specifies whether Windows Firewall with Advanced Security permits the local computer to receive unicast responses to its outgoing multicast or broadcast messages; for the Private profile."
        },
        "defaultValue": "0"
      },
      "WindowsFirewallPublicAllowUnicastResponse": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall: Public: Allow unicast response",
          "description": "Specifies whether Windows Firewall with Advanced Security permits the local computer to receive unicast responses to its outgoing multicast or broadcast messages; for the Public profile."
        },
        "defaultValue": "1"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_WindowsFirewallProperties",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('Windows Firewall: Domain: Firewall state;ExpectedValue', '=', parameters('WindowsFirewallDomainUseProfileSettings'), ',', 'Windows Firewall: Domain: Outbound connections;ExpectedValue', '=', parameters('WindowsFirewallDomainBehaviorForOutboundConnections'), ',', 'Windows Firewall: Domain: Settings: Apply local connection security rules;ExpectedValue', '=', parameters('WindowsFirewallDomainApplyLocalConnectionSecurityRules'), ',', 'Windows Firewall: Domain: Settings: Apply local firewall rules;ExpectedValue', '=', parameters('WindowsFirewallDomainApplyLocalFirewallRules'), ',', 'Windows Firewall: Domain: Settings: Display a notification;ExpectedValue', '=', parameters('WindowsFirewallDomainDisplayNotifications'), ',', 'Windows Firewall: Private: Firewall state;ExpectedValue', '=', parameters('WindowsFirewallPrivateUseProfileSettings'), ',', 'Windows Firewall: Private: Outbound connections;ExpectedValue', '=', parameters('WindowsFirewallPrivateBehaviorForOutboundConnections'), ',', 'Windows Firewall: Private: Settings: Apply local connection security rules;ExpectedValue', '=', parameters('WindowsFirewallPrivateApplyLocalConnectionSecurityRules'), ',', 'Windows Firewall: Private: Settings: Apply local firewall rules;ExpectedValue', '=', parameters('WindowsFirewallPrivateApplyLocalFirewallRules'), ',', 'Windows Firewall: Private: Settings: Display a notification;ExpectedValue', '=', parameters('WindowsFirewallPrivateDisplayNotifications'), ',', 'Windows Firewall: Public: Firewall state;ExpectedValue', '=', parameters('WindowsFirewallPublicUseProfileSettings'), ',', 'Windows Firewall: Public: Outbound connections;ExpectedValue', '=', parameters('WindowsFirewallPublicBehaviorForOutboundConnections'), ',', 'Windows Firewall: Public: Settings: Apply local connection security rules;ExpectedValue', '=', parameters('WindowsFirewallPublicApplyLocalConnectionSecurityRules'), ',', 'Windows Firewall: Public: Settings: Apply local firewall rules;ExpectedValue', '=', parameters('WindowsFirewallPublicApplyLocalFirewallRules'), ',', 'Windows Firewall: Public: Settings: Display a notification;ExpectedValue', '=', parameters('WindowsFirewallPublicDisplayNotifications'), ',', 'Windows Firewall: Domain: Allow unicast response;ExpectedValue', '=', parameters('WindowsFirewallDomainAllowUnicastResponse'), ',', 'Windows Firewall: Private: Allow unicast response;ExpectedValue', '=', parameters('WindowsFirewallPrivateAllowUnicastResponse'), ',', 'Windows Firewall: Public: Allow unicast response;ExpectedValue', '=', parameters('WindowsFirewallPublicAllowUnicastResponse')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/35d9882c-993d-44e6-87d2-db66ce21b636",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "35d9882c-993d-44e6-87d2-db66ce21b636"
}
BuiltIn Guest Configuration False False n/a n/a AuditIfNotExists false 0 n/a true 3 [Preview]: Motion Picture Association of America (MPAA) (/providers/microsoft.authorization/policysetdefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8), HITRUST/HIPAA (/providers/microsoft.authorization/policysetdefinitions/a169a624-5599-4385-a696-c8d643089fab), [Preview]: Windows machines should meet requirements for the Azure compute security baseline (/providers/microsoft.authorization/policysetdefinitions/be7a78aa-3e10-4153-a5fd-8c6506dbc821) n/a
{
  "properties": {
    "displayName": "Windows machines should only have local accounts that are allowed",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. This definition is not supported on Windows Server 2012 or 2012 R2. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "1.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "LocalUsers_Windows",
        "version": "1.*",
        "configurationParameter": {
          "Allowed": "[LocalUser]Accounts;Exclude"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "Allowed": {
        "type": "String",
        "metadata": {
          "displayName": "Allowed local accounts",
          "description": "List the name of accounts that should be excluded, seperated by a semicolon (';'). If these accounts exist and are enabled, they will be identified as Compliant."
        },
        "defaultValue": ""
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2012*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2012*"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2012*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2012*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "LocalUsers_Windows",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('[LocalUser]Accounts;Exclude', '=', parameters('Allowed')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/f79fef0d-0050-4c18-a303-5babb9c14ac7",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "f79fef0d-0050-4c18-a303-5babb9c14ac7"
}
BuiltIn Guest Configuration False False n/a n/a AuditIfNotExists false 0 n/a false 0 n/a n/a
{
  "properties": {
    "displayName": "Windows web servers should be configured to use secure communication protocols",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "3.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "AuditSecureProtocol",
        "version": "1.*",
        "configurationParameter": {
          "MinimumTLSVersion": "[SecureWebServer]s1;MinimumTLSVersion"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "MinimumTLSVersion": {
        "type": "String",
        "metadata": {
          "displayName": "Minimum TLS version",
          "description": "The minimum TLS protocol version that should be enabled. Windows web servers with lower TLS versions will be marked as non-compliant."
        },
        "allowedValues": [
          "1.1",
          "1.2"
        ],
        "defaultValue": "1.1"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
                "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AuditSecureProtocol",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
                "equals": "[base64(concat('[SecureWebServer]s1;MinimumTLSVersion', '=', parameters('MinimumTLSVersion')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "5752e6d6-1206-46d8-8ab1-ecc2f71a8112"
}
BuiltIn Guest Configuration False False n/a n/a AuditIfNotExists false 0 n/a true 15 [Preview]: NIST SP 800-171 R2 (/providers/microsoft.authorization/policysetdefinitions/03055927-78bd-4236-86c0-f36125a10dc9), IRS1075 September 2016 (/providers/microsoft.authorization/policysetdefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d), [Preview]: NIST SP 800-53 Rev. 5 (/providers/microsoft.authorization/policysetdefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f), Azure Security Benchmark (/providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), [Preview]: Australian Government ISM PROTECTED (/providers/microsoft.authorization/policysetdefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077), UK OFFICIAL and UK NHS (/providers/microsoft.authorization/policysetdefinitions/3937f550-eedd-4639-9c5e-294358be442e), [Preview]: SWIFT CSP-CSCF v2020 (/providers/microsoft.authorization/policysetdefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22), Canada Federal PBMM (/providers/microsoft.authorization/policysetdefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87), [Deprecated]: DoD Impact Level 4 (/providers/microsoft.authorization/policysetdefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133), [Preview]: CMMC Level 3 (/providers/microsoft.authorization/policysetdefinitions/b5629c75-5c77-4422-87b9-2509e680f8de), [Deprecated]: Azure Security Benchmark v2 (/providers/microsoft.authorization/policysetdefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b), NIST SP 800-53 Rev. 4 (/providers/microsoft.authorization/policysetdefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f), New Zealand ISM Restricted (/providers/microsoft.authorization/policysetdefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a), FedRAMP High (/providers/microsoft.authorization/policysetdefinitions/d5264498-16f4-418a-b659-fa7ef418175f), FedRAMP Moderate (/providers/microsoft.authorization/policysetdefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693) n/a
{
  "properties": {
    "displayName": "Workbooks should be saved to storage accounts that you control",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "With bring your own storage (BYOS), your workbooks are uploaded into a storage account that you control. That means you control the encryption-at-rest policy, the lifetime management policy, and network access. You will, however, be responsible for the costs associated with that storage account. For more information, visit https://aka.ms/workbooksByos",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Audit, Deny, or Disable the execution of this policy"
        },
        "allowedValues": [
          "deny",
          "audit",
          "disabled"
        ],
        "defaultValue": "audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "microsoft.insights/workbooks"
          },
          {
            "field": "microsoft.insights/workbooks/storageUri",
            "exists": "false"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/6fc8115b-2008-441f-8c61-9b722c1e537f",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "6fc8115b-2008-441f-8c61-9b722c1e537f"
}
BuiltIn Monitoring False False n/a n/a audit false 0 n/a false 0 n/a n/a
JSON PolicySet Type Category Deprecated Preview Scope Mg/Sub Scope Name/Id hasAssignments Assignments Count Assignments
{
  "properties": {
    "displayName": "[Deprecated]: Audit Linux VMs that do not have the specified applications installed",
    "policyType": "BuiltIn",
    "description": "This initiative deploys the policy requirements and audits Linux virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.1.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "parameters": {
      "ApplicationName": {
        "type": "String",
        "metadata": {
          "displayName": "Application names",
          "description": "A semicolon-separated list of the names of the applications that should be installed. e.g. 'python; powershell'"
        }
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "Deploy_InstalledApplicationLinux",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4d1c04de-2172-403f-901b-90608c35c721",
        "parameters": {
          "ApplicationName": {
            "value": "[parameters('ApplicationName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "Audit_InstalledApplicationLinux",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fee5cb2b-9d9b-410e-afe3-2902d90d0004"
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/c937dcb4-4398-4b39-8d63-4a6be432252e",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "c937dcb4-4398-4b39-8d63-4a6be432252e"
}
BuiltIn Guest Configuration True False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit Linux VMs that have the specified applications installed",
    "policyType": "BuiltIn",
    "description": "This initiative deploys the policy requirements and audits Linux virtual machines that have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.1.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "parameters": {
      "ApplicationName": {
        "type": "String",
        "metadata": {
          "displayName": "Application names",
          "description": "A semicolon-separated list of the names of the applications that should not be installed. e.g. 'python; powershell'"
        }
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "Deploy_NotInstalledApplicationLinux",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/884b209a-963b-4520-8006-d20cb3c213e0",
        "parameters": {
          "ApplicationName": {
            "value": "[parameters('ApplicationName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "Audit_NotInstalledApplicationLinux",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b842acb-0fe7-41b0-9f40-880ec4ad84d8"
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/f48bcc78-5400-4fb0-b913-5140a2e5fa20",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "f48bcc78-5400-4fb0-b913-5140a2e5fa20"
}
BuiltIn Guest Configuration True False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit VMs with insecure password security settings",
    "policyType": "BuiltIn",
    "description": "This initiative deploys the policy requirements and audits virtual machines with insecure password security settings. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.1.1-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "Deploy_MaximumPasswordAge",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934"
      },
      {
        "policyDefinitionReferenceId": "Deploy_MinimumPasswordAge",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df"
      },
      {
        "policyDefinitionReferenceId": "Deploy_PasswordMustMeetComplexityRequirements",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8"
      },
      {
        "policyDefinitionReferenceId": "Deploy_StorePasswordsUsingReversibleEncryption",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78"
      },
      {
        "policyDefinitionReferenceId": "Deploy_EnforcePasswordHistory",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6"
      },
      {
        "policyDefinitionReferenceId": "Deploy_MinimumPasswordLength",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca"
      },
      {
        "policyDefinitionReferenceId": "Deploy_PasswordPolicy_msid110",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592"
      },
      {
        "policyDefinitionReferenceId": "Deploy_PasswordPolicy_msid121",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9"
      },
      {
        "policyDefinitionReferenceId": "Deploy_PasswordPolicy_msid232",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe"
      },
      {
        "policyDefinitionReferenceId": "Audit_MaximumPasswordAge",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc"
      },
      {
        "policyDefinitionReferenceId": "Audit_MinimumPasswordAge",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7"
      },
      {
        "policyDefinitionReferenceId": "Audit_PasswordMustMeetComplexityRequirements",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb"
      },
      {
        "policyDefinitionReferenceId": "Audit_StorePasswordsUsingReversibleEncryption",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6"
      },
      {
        "policyDefinitionReferenceId": "Audit_EnforcePasswordHistory",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293"
      },
      {
        "policyDefinitionReferenceId": "Audit_MinimumPasswordLength",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec"
      },
      {
        "policyDefinitionReferenceId": "Audit_PasswordPolicy_msid110",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83"
      },
      {
        "policyDefinitionReferenceId": "Audit_PasswordPolicy_msid121",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b"
      },
      {
        "policyDefinitionReferenceId": "Audit_PasswordPolicy_msid232",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05"
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/3fa7cbf5-c0a4-4a59-85a5-cca4d996d5a6",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "3fa7cbf5-c0a4-4a59-85a5-cca4d996d5a6"
}
BuiltIn Guest Configuration True False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit Windows Server VMs on which Windows Serial Console is not enabled",
    "policyType": "BuiltIn",
    "description": "This initiative deploys the policy requirements and audits Windows Server virtual machines on which Windows Serial Console is not enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "parameters": {
      "EMSPortNumber": {
        "type": "String",
        "metadata": {
          "displayName": "EMS Port Number",
          "description": "An integer indicating the COM port to be used for the Emergency Management Services (EMS) console redirection. For more information on EMS settings, please visit https://aka.ms/gcpolwsc"
        },
        "allowedValues": [
          "1",
          "2",
          "3",
          "4"
        ],
        "defaultValue": "1"
      },
      "EMSBaudRate": {
        "type": "String",
        "metadata": {
          "displayName": "EMS Baud Rate",
          "description": "An integer indicating the baud rate to be used for the Emergency Management Services (EMS) console redirection. For more information on EMS settings, please visit https://aka.ms/gcpolwsc"
        },
        "allowedValues": [
          "9600",
          "19200",
          "38400",
          "57600",
          "115200"
        ],
        "defaultValue": "115200"
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "Deploy_WindowsSerialConsole",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7a031c68-d6ab-406e-a506-697a19c634b0",
        "parameters": {
          "EMSPortNumber": {
            "value": "[parameters('EMSPortNumber')]"
          },
          "EMSBaudRate": {
            "value": "[parameters('EMSBaudRate')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "Audit_WindowsSerialConsole",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d7ccd0ca-8d78-42af-a43d-6b7f928accbc"
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/acb6cd8e-45f5-466f-b3cb-ff6fce525f71",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "acb6cd8e-45f5-466f-b3cb-ff6fce525f71"
}
BuiltIn Guest Configuration True False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit Windows VMs in which the Administrators group contains any of the specified members",
    "policyType": "BuiltIn",
    "description": "This initiative deploys the policy requirements and audits Windows virtual machines in which the Administrators group contains any of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "parameters": {
      "MembersToExclude": {
        "type": "String",
        "metadata": {
          "displayName": "Members to exclude",
          "description": "A semicolon-separated list of members that should be excluded in the Administrators local group. Ex: Administrator; myUser1; myUser2"
        }
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "Deploy_AdministratorsGroupMembersToExclude",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/144f1397-32f9-4598-8c88-118decc3ccba",
        "parameters": {
          "MembersToExclude": {
            "value": "[parameters('MembersToExclude')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "Audit_AdministratorsGroupMembersToExclude",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de"
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/add1999e-a61c-46d3-b8c3-f35fb8398175",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "add1999e-a61c-46d3-b8c3-f35fb8398175"
}
BuiltIn Guest Configuration True False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit Windows VMs in which the Administrators group does not contain all of the specified members",
    "policyType": "BuiltIn",
    "description": "This initiative deploys the policy requirements and audits Windows virtual machines in which the Administrators group does not contain all of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "parameters": {
      "MembersToInclude": {
        "type": "String",
        "metadata": {
          "displayName": "Members to include",
          "description": "A semicolon-separated list of members that should be included in the Administrators local group. Ex: Administrator; myUser1; myUser2"
        }
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "Deploy_AdministratorsGroupMembersToInclude",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/93507a81-10a4-4af0-9ee2-34cf25a96e98",
        "parameters": {
          "MembersToInclude": {
            "value": "[parameters('MembersToInclude')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "Audit_AdministratorsGroupMembersToInclude",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f3b44e5d-1456-475f-9c67-c66c4618e85a"
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/133046de-0bd7-4546-93f4-f452e9e258b7",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "133046de-0bd7-4546-93f4-f452e9e258b7"
}
BuiltIn Guest Configuration True False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit Windows VMs in which the Administrators group does not contain only the specified members",
    "policyType": "BuiltIn",
    "description": "This initiative deploys the policy requirements and audits Windows virtual machines in which the Administrators group does not contain only the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "parameters": {
      "Members": {
        "type": "String",
        "metadata": {
          "displayName": "Members",
          "description": "A semicolon-separated list of all the expected members of the Administrators local group. Ex: Administrator; myUser1; myUser2"
        }
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "Deploy_AdministratorsGroupMembers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b821191b-3a12-44bc-9c38-212138a29ff3",
        "parameters": {
          "Members": {
            "value": "[parameters('Members')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "Audit_AdministratorsGroupMembers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cc7cda28-f867-4311-8497-a526129a8d19"
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/06122b01-688c-42a8-af2e-fa97dd39aa3b",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "06122b01-688c-42a8-af2e-fa97dd39aa3b"
}
BuiltIn Guest Configuration True False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit Windows VMs on which the DSC configuration is not compliant",
    "policyType": "BuiltIn",
    "description": "This initiative deploys the policy requirements and audits Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "Deploy_WindowsDscConfiguration",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d38b4c26-9d2e-47d7-aefe-18d859a8706a"
      },
      {
        "policyDefinitionReferenceId": "Audit_WindowsDscConfiguration",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7227ebe5-9ff7-47ab-b823-171cd02fb90f"
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/c58599d5-0d51-454f-aaf1-da18a5e76edd",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "c58599d5-0d51-454f-aaf1-da18a5e76edd"
}
BuiltIn Guest Configuration True False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit Windows VMs on which the Log Analytics agent is not connected as expected",
    "policyType": "BuiltIn",
    "description": "This initiative deploys the policy requirements and audits Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "parameters": {
      "WorkspaceId": {
        "type": "String",
        "metadata": {
          "displayName": "Connected workspace IDs",
          "description": "A semicolon-separated list of the workspace IDs that the Log Analytics agent should be connected to"
        }
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "Deploy_WindowsLogAnalyticsAgentConnection",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/68511db2-bd02-41c4-ae6b-1900a012968a",
        "parameters": {
          "WorkspaceId": {
            "value": "[parameters('WorkspaceId')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "Audit_WindowsLogAnalyticsAgentConnection",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee"
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/06c5e415-a662-463a-bb85-ede14286b979",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "06c5e415-a662-463a-bb85-ede14286b979"
}
BuiltIn Guest Configuration True False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit Windows VMs on which the remote host connection status does not match the specified one",
    "policyType": "BuiltIn",
    "description": "This initiative deploys the policy requirements and audits Windows virtual machines on which the remote host connection status does not match the specified one. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "parameters": {
      "host": {
        "type": "String",
        "metadata": {
          "displayName": "Remote Host Name",
          "description": "Specifies the Domain Name System (DNS) name or IP address of the remote host machine."
        }
      },
      "port": {
        "type": "String",
        "metadata": {
          "displayName": "Port",
          "description": "The TCP port number on the remote host name."
        }
      },
      "shouldConnect": {
        "type": "String",
        "metadata": {
          "displayName": "Should connect to remote host",
          "description": "Must be 'True' or 'False'. 'True' indicates that the virtual machine should be able to establish a connection with the remote host specified, so the machine will be non-compliant if it cannot establish a connection. 'False' indicates that the virtual machine should not be able to establish a connection with the remote host specified, so the machine will be non-compliant if it can establish a connection."
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "False"
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "Deploy_WindowsRemoteConnection",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5bb36dda-8a78-4df9-affd-4f05a8612a8a",
        "parameters": {
          "host": {
            "value": "[parameters('host')]"
          },
          "port": {
            "value": "[parameters('port')]"
          },
          "shouldConnect": {
            "value": "[parameters('shouldConnect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "Audit_WindowsRemoteConnection",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/02a84be7-c304-421f-9bb7-5d2c26af54ad"
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/4ddaefff-7c78-4824-9b27-5c344f3cdf90",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "4ddaefff-7c78-4824-9b27-5c344f3cdf90"
}
BuiltIn Guest Configuration True False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit Windows VMs on which the specified services are not installed and 'Running'",
    "policyType": "BuiltIn",
    "description": "This initiative deploys the policy requirements and audits Windows virtual machines on which the specified services are not installed and 'Running'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "parameters": {
      "ServiceName": {
        "type": "String",
        "metadata": {
          "displayName": "Service names (supports wildcards)",
          "description": "A semicolon-separated list of the names of the services that should be installed and 'Running'. e.g. 'WinRm;Wi*'"
        }
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "Deploy_WindowsServiceStatus",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/32b1e4d4-6cd5-47b4-a935-169da8a5c262",
        "parameters": {
          "ServiceName": {
            "value": "[parameters('ServiceName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "Audit_WindowsServiceStatus",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a"
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/8eeec860-e2fa-4f89-a669-84942c57225f",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "8eeec860-e2fa-4f89-a669-84942c57225f"
}
BuiltIn Guest Configuration True False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit Windows VMs on which Windows Defender Exploit Guard is not enabled",
    "policyType": "BuiltIn",
    "description": "This initiative deploys the policy requirements and audits Windows virtual machines on which Windows Defender Exploit Guard is not enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "parameters": {
      "NotAvailableMachineState": {
        "type": "String",
        "metadata": {
          "displayName": "State in which to show VMs on which Windows Defender Exploit Guard is not available",
          "description": "Windows Defender Exploit Guard is only available starting with Windows 10/Windows Server with update 1709. Setting this value to 'Non-Compliant' will make machines with older versions on which Windows Defender Exploit Guard is not available (such as Windows Server 2012 R2) non-compliant. Setting this value to 'Compliant' will make these machines compliant."
        },
        "allowedValues": [
          "Compliant",
          "Non-Compliant"
        ],
        "defaultValue": "Non-Compliant"
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "Deploy_WindowsDefenderExploitGuard",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6a7a2bcf-f9be-4e35-9734-4f9657a70f1d",
        "parameters": {
          "NotAvailableMachineState": {
            "value": "[parameters('NotAvailableMachineState')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "Audit_WindowsDefenderExploitGuard",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0d9b45ff-9ddd-43fc-bf59-fbd1c8423053"
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/9d2fd8e6-95c8-410d-add0-43ada4241574",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "9d2fd8e6-95c8-410d-add0-43ada4241574"
}
BuiltIn Guest Configuration True False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit Windows VMs that are not joined to the specified domain",
    "policyType": "BuiltIn",
    "description": "This initiative deploys the policy requirements and audits Windows virtual machines that are not joined to the specified domain. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "parameters": {
      "DomainName": {
        "type": "String",
        "metadata": {
          "displayName": "Domain Name (FQDN)",
          "description": "The fully qualified domain name (FQDN) that the Windows VMs should be joined to"
        }
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "Deploy_WindowsDomainMembership",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/315c850a-272d-4502-8935-b79010405970",
        "parameters": {
          "DomainName": {
            "value": "[parameters('DomainName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "Audit_WindowsDomainMembership",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a29ee95c-0395-4515-9851-cc04ffe82a91"
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/6b3c1e80-8ae5-405b-b021-c23d13b3959f",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "6b3c1e80-8ae5-405b-b021-c23d13b3959f"
}
BuiltIn Guest Configuration True False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit Windows VMs that are not set to the specified time zone",
    "policyType": "BuiltIn",
    "description": "This initiative deploys the policy requirements and audits Windows virtual machines that are not set to the specified time zone. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "parameters": {
      "TimeZone": {
        "type": "String",
        "metadata": {
          "displayName": "Time zone",
          "description": "The expected time zone"
        },
        "allowedValues": [
          "(UTC-12:00) International Date Line West",
          "(UTC-11:00) Coordinated Universal Time-11",
          "(UTC-10:00) Aleutian Islands",
          "(UTC-10:00) Hawaii",
          "(UTC-09:30) Marquesas Islands",
          "(UTC-09:00) Alaska",
          "(UTC-09:00) Coordinated Universal Time-09",
          "(UTC-08:00) Baja California",
          "(UTC-08:00) Coordinated Universal Time-08",
          "(UTC-08:00) Pacific Time (US & Canada)",
          "(UTC-07:00) Arizona",
          "(UTC-07:00) Chihuahua, La Paz, Mazatlan",
          "(UTC-07:00) Mountain Time (US & Canada)",
          "(UTC-06:00) Central America",
          "(UTC-06:00) Central Time (US & Canada)",
          "(UTC-06:00) Easter Island",
          "(UTC-06:00) Guadalajara, Mexico City, Monterrey",
          "(UTC-06:00) Saskatchewan",
          "(UTC-05:00) Bogota, Lima, Quito, Rio Branco",
          "(UTC-05:00) Chetumal",
          "(UTC-05:00) Eastern Time (US & Canada)",
          "(UTC-05:00) Haiti",
          "(UTC-05:00) Havana",
          "(UTC-05:00) Indiana (East)",
          "(UTC-05:00) Turks and Caicos",
          "(UTC-04:00) Asuncion",
          "(UTC-04:00) Atlantic Time (Canada)",
          "(UTC-04:00) Caracas",
          "(UTC-04:00) Cuiaba",
          "(UTC-04:00) Georgetown, La Paz, Manaus, San Juan",
          "(UTC-04:00) Santiago",
          "(UTC-03:30) Newfoundland",
          "(UTC-03:00) Araguaina",
          "(UTC-03:00) Brasilia",
          "(UTC-03:00) Cayenne, Fortaleza",
          "(UTC-03:00) City of Buenos Aires",
          "(UTC-03:00) Greenland",
          "(UTC-03:00) Montevideo",
          "(UTC-03:00) Punta Arenas",
          "(UTC-03:00) Saint Pierre and Miquelon",
          "(UTC-03:00) Salvador",
          "(UTC-02:00) Coordinated Universal Time-02",
          "(UTC-02:00) Mid-Atlantic - Old",
          "(UTC-01:00) Azores",
          "(UTC-01:00) Cabo Verde Is.",
          "(UTC) Coordinated Universal Time",
          "(UTC+00:00) Dublin, Edinburgh, Lisbon, London",
          "(UTC+00:00) Monrovia, Reykjavik",
          "(UTC+00:00) Sao Tome",
          "(UTC+01:00) Casablanca",
          "(UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna",
          "(UTC+01:00) Belgrade, Bratislava, Budapest, Ljubljana, Prague",
          "(UTC+01:00) Brussels, Copenhagen, Madrid, Paris",
          "(UTC+01:00) Sarajevo, Skopje, Warsaw, Zagreb",
          "(UTC+01:00) West Central Africa",
          "(UTC+02:00) Amman",
          "(UTC+02:00) Athens, Bucharest",
          "(UTC+02:00) Beirut",
          "(UTC+02:00) Cairo",
          "(UTC+02:00) Chisinau",
          "(UTC+02:00) Damascus",
          "(UTC+02:00) Gaza, Hebron",
          "(UTC+02:00) Harare, Pretoria",
          "(UTC+02:00) Helsinki, Kyiv, Riga, Sofia, Tallinn, Vilnius",
          "(UTC+02:00) Jerusalem",
          "(UTC+02:00) Kaliningrad",
          "(UTC+02:00) Khartoum",
          "(UTC+02:00) Tripoli",
          "(UTC+02:00) Windhoek",
          "(UTC+03:00) Baghdad",
          "(UTC+03:00) Istanbul",
          "(UTC+03:00) Kuwait, Riyadh",
          "(UTC+03:00) Minsk",
          "(UTC+03:00) Moscow, St. Petersburg",
          "(UTC+03:00) Nairobi",
          "(UTC+03:30) Tehran",
          "(UTC+04:00) Abu Dhabi, Muscat",
          "(UTC+04:00) Astrakhan, Ulyanovsk",
          "(UTC+04:00) Baku",
          "(UTC+04:00) Izhevsk, Samara",
          "(UTC+04:00) Port Louis",
          "(UTC+04:00) Saratov",
          "(UTC+04:00) Tbilisi",
          "(UTC+04:00) Volgograd",
          "(UTC+04:00) Yerevan",
          "(UTC+04:30) Kabul",
          "(UTC+05:00) Ashgabat, Tashkent",
          "(UTC+05:00) Ekaterinburg",
          "(UTC+05:00) Islamabad, Karachi",
          "(UTC+05:00) Qyzylorda",
          "(UTC+05:30) Chennai, Kolkata, Mumbai, New Delhi",
          "(UTC+05:30) Sri Jayawardenepura",
          "(UTC+05:45) Kathmandu",
          "(UTC+06:00) Astana",
          "(UTC+06:00) Dhaka",
          "(UTC+06:00) Omsk",
          "(UTC+06:30) Yangon (Rangoon)",
          "(UTC+07:00) Bangkok, Hanoi, Jakarta",
          "(UTC+07:00) Barnaul, Gorno-Altaysk",
          "(UTC+07:00) Hovd",
          "(UTC+07:00) Krasnoyarsk",
          "(UTC+07:00) Novosibirsk",
          "(UTC+07:00) Tomsk",
          "(UTC+08:00) Beijing, Chongqing, Hong Kong, Urumqi",
          "(UTC+08:00) Irkutsk",
          "(UTC+08:00) Kuala Lumpur, Singapore",
          "(UTC+08:00) Perth",
          "(UTC+08:00) Taipei",
          "(UTC+08:00) Ulaanbaatar",
          "(UTC+08:45) Eucla",
          "(UTC+09:00) Chita",
          "(UTC+09:00) Osaka, Sapporo, Tokyo",
          "(UTC+09:00) Pyongyang",
          "(UTC+09:00) Seoul",
          "(UTC+09:00) Yakutsk",
          "(UTC+09:30) Adelaide",
          "(UTC+09:30) Darwin",
          "(UTC+10:00) Brisbane",
          "(UTC+10:00) Canberra, Melbourne, Sydney",
          "(UTC+10:00) Guam, Port Moresby",
          "(UTC+10:00) Hobart",
          "(UTC+10:00) Vladivostok",
          "(UTC+10:30) Lord Howe Island",
          "(UTC+11:00) Bougainville Island",
          "(UTC+11:00) Chokurdakh",
          "(UTC+11:00) Magadan",
          "(UTC+11:00) Norfolk Island",
          "(UTC+11:00) Sakhalin",
          "(UTC+11:00) Solomon Is., New Caledonia",
          "(UTC+12:00) Anadyr, Petropavlovsk-Kamchatsky",
          "(UTC+12:00) Auckland, Wellington",
          "(UTC+12:00) Coordinated Universal Time+12",
          "(UTC+12:00) Fiji",
          "(UTC+12:00) Petropavlovsk-Kamchatsky - Old",
          "(UTC+12:45) Chatham Islands",
          "(UTC+13:00) Coordinated Universal Time+13",
          "(UTC+13:00) Nuku'alofa",
          "(UTC+13:00) Samoa",
          "(UTC+14:00) Kiritimati Island"
        ]
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "Deploy_WindowsTimeZone",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c21f7060-c148-41cf-a68b-0ab3e14c764c",
        "parameters": {
          "TimeZone": {
            "value": "[parameters('TimeZone')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "Audit_WindowsTimeZone",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9f658460-46b7-43af-8565-94fc0662be38"
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/538942d3-3fae-4fb6-9d94-744f9a51e7da",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "538942d3-3fae-4fb6-9d94-744f9a51e7da"
}
BuiltIn Guest Configuration True False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit Windows VMs that contain certificates expiring within the specified number of days",
    "policyType": "BuiltIn",
    "description": "This initiative deploys the policy requirements and audits Windows virtual machines that contain certificates expiring within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "parameters": {
      "CertificateStorePath": {
        "type": "String",
        "metadata": {
          "displayName": "Certificate store path",
          "description": "The path to the certificate store containing the certificates to check the expiration dates of. Default value is 'Cert:' which is the root certificate store path, so all certificates on the machine will be checked. Other example paths: 'Cert:\\LocalMachine', 'Cert:\\LocalMachine\\TrustedPublisher', 'Cert:\\CurrentUser'"
        },
        "defaultValue": "Cert:"
      },
      "ExpirationLimitInDays": {
        "type": "String",
        "metadata": {
          "displayName": "Expiration limit in days",
          "description": "An integer indicating the number of days within which to check for certificates that are expiring. For example, if this value is 30, any certificate expiring within the next 30 days will cause this policy to be non-compliant."
        },
        "defaultValue": "30"
      },
      "CertificateThumbprintsToInclude": {
        "type": "String",
        "metadata": {
          "displayName": "Certificate thumbprints to include",
          "description": "A semicolon-separated list of certificate thumbprints to check under the specified path. If a value is not specified, all certificates under the certificate store path will be checked. If a value is specified, no certificates other than those with the thumbprints specified will be checked. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"
        },
        "defaultValue": ""
      },
      "CertificateThumbprintsToExclude": {
        "type": "String",
        "metadata": {
          "displayName": "Certificate thumbprints to exclude",
          "description": "A semicolon-separated list of certificate thumbprints to ignore. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"
        },
        "defaultValue": ""
      },
      "IncludeExpiredCertificates": {
        "type": "String",
        "metadata": {
          "displayName": "Include expired certificates",
          "description": "Must be 'true' or 'false'. True indicates that any found certificates that have already expired will also make this policy non-compliant. False indicates that certificates that have expired will be be ignored."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "Deploy_CertificateExpiration",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c5fbc59e-fb6f-494f-81e2-d99a671bdaa8",
        "parameters": {
          "CertificateStorePath": {
            "value": "[parameters('CertificateStorePath')]"
          },
          "ExpirationLimitInDays": {
            "value": "[parameters('ExpirationLimitInDays')]"
          },
          "CertificateThumbprintsToInclude": {
            "value": "[parameters('CertificateThumbprintsToInclude')]"
          },
          "CertificateThumbprintsToExclude": {
            "value": "[parameters('CertificateThumbprintsToExclude')]"
          },
          "IncludeExpiredCertificates": {
            "value": "[parameters('IncludeExpiredCertificates')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "Audit_CertificateExpiration",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9328f27e-611e-44a7-a244-39109d7d35ab"
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/b6f5e05c-0aaa-4337-8dd4-357c399d12ae",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "b6f5e05c-0aaa-4337-8dd4-357c399d12ae"
}
BuiltIn Guest Configuration True False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit Windows VMs that do not contain the specified certificates in Trusted Root",
    "policyType": "BuiltIn",
    "description": "This initiative deploys the policy requirements and audits Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\\LocalMachine\\Root). For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "parameters": {
      "CertificateThumbprints": {
        "type": "String",
        "metadata": {
          "displayName": "Certificate thumbprints",
          "description": "A semicolon-separated list of certificate thumbprints that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"
        }
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "Deploy_WindowsCertificateInTrustedRoot",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/106ccbe4-a791-4f33-a44a-06796944b8d5",
        "parameters": {
          "CertificateThumbprints": {
            "value": "[parameters('CertificateThumbprints')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "Audit_WindowsCertificateInTrustedRoot",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f3b9ad83-000d-4dc1-bff0-6d54533dd03f"
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/cdfcc6ff-945e-4bc6-857e-056cbc511e0c",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "cdfcc6ff-945e-4bc6-857e-056cbc511e0c"
}
BuiltIn Guest Configuration True False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit Windows VMs that do not have the specified applications installed",
    "policyType": "BuiltIn",
    "description": "This initiative deploys the policy requirements and audits Windows virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "parameters": {
      "installedApplication": {
        "type": "String",
        "metadata": {
          "displayName": "Application names (supports wildcards)",
          "description": "A semicolon-separated list of the names of the applications that should be installed. e.g. 'Microsoft SQL Server 2014 (64-bit); Microsoft Visual Studio Code' or 'Microsoft SQL Server 2014*' (to match any application starting with 'Microsoft SQL Server 2014')"
        }
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "Deploy_InstalledApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12f7e5d0-42a7-4630-80d8-54fb7cff9bd6",
        "parameters": {
          "installedApplication": {
            "value": "[parameters('installedApplication')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "Audit_InstalledApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e393799-e3ca-4e43-a9a5-0ec4648a57d9"
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/25ef9b72-4af2-4501-acd1-fc814e73dde1",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "25ef9b72-4af2-4501-acd1-fc814e73dde1"
}
BuiltIn Guest Configuration True False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit Windows VMs that do not have the specified Windows PowerShell execution policy",
    "policyType": "BuiltIn",
    "description": "This initiative deploys the policy requirements and audits Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "parameters": {
      "ExecutionPolicy": {
        "type": "String",
        "metadata": {
          "displayName": "PowerShell Execution Policy",
          "description": "The expected PowerShell execution policy."
        },
        "allowedValues": [
          "AllSigned",
          "Bypass",
          "Default",
          "RemoteSigned",
          "Restricted",
          "Undefined",
          "Unrestricted"
        ]
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "Deploy_WindowsPowerShellExecutionPolicy",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e0efc13a-122a-47c5-b817-2ccfe5d12615",
        "parameters": {
          "ExecutionPolicy": {
            "value": "[parameters('ExecutionPolicy')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "Audit_WindowsPowerShellExecutionPolicy",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8036bd0-c10b-4931-86bb-94a878add855"
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/f000289c-47af-4043-87da-91ba9e1a2720",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "f000289c-47af-4043-87da-91ba9e1a2720"
}
BuiltIn Guest Configuration True False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit Windows VMs that do not have the specified Windows PowerShell modules installed",
    "policyType": "BuiltIn",
    "description": "This initiative deploys the policy requirements and audits Windows virtual machines that do not have the specified Windows PowerShell modules installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "parameters": {
      "Modules": {
        "type": "String",
        "metadata": {
          "displayName": "PowerShell Modules",
          "description": "A semicolon-separated list of the names of the PowerShell modules that should be installed. You may also specify a specific version of a module that should be installed by including a comma after the module name, followed by the desired version. e.g. PSDscResources; SqlServerDsc, 12.0.0.0; ComputerManagementDsc, 6.1.0.0"
        }
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "Deploy_WindowsPowerShellModules",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/90ba2ee7-4ca8-4673-84d1-c851c50d3baf",
        "parameters": {
          "Modules": {
            "value": "[parameters('Modules')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "Audit_WindowsPowerShellModules",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/16f9b37c-4408-4c30-bc17-254958f2e2d6"
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/c980fd64-c67f-49a6-a8a8-e57661150802",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "c980fd64-c67f-49a6-a8a8-e57661150802"
}
BuiltIn Guest Configuration True False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings",
    "policyType": "BuiltIn",
    "description": "This initiative deploys the policy requirements and audits Windows virtual machines with non-compliant Azure compute security baseline configurations. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.1-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "parameters": {
      "EnableInsecureGuestLogons": {
        "type": "String",
        "metadata": {
          "displayName": "Enable insecure guest logons",
          "description": "Specifies whether the SMB client will allow insecure guest logons to an SMB server."
        },
        "defaultValue": "0"
      },
      "AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain": {
        "type": "String",
        "metadata": {
          "displayName": "Allow simultaneous connections to the Internet or a Windows Domain",
          "description": "Specify whether to prevent computers from connecting to both a domain based network and a non-domain based network at the same time. A value of 0 allows simultaneous connections, and a value of 1 blocks them."
        },
        "defaultValue": "1"
      },
      "TurnOffMulticastNameResolution": {
        "type": "String",
        "metadata": {
          "displayName": "Turn off multicast name resolution",
          "description": "Specifies whether LLMNR, a secondary name resolution protocol that transmits using multicast over a local subnet link on a single subnet, is enabled."
        },
        "defaultValue": "1"
      },
      "AlwaysUseClassicLogon": {
        "type": "String",
        "metadata": {
          "displayName": "Always use classic logon",
          "description": "Specifies whether to force the user to log on to the computer using the classic logon screen. This setting only works when the computer is not on a domain."
        },
        "defaultValue": "0"
      },
      "BootStartDriverInitializationPolicy": {
        "type": "String",
        "metadata": {
          "displayName": "Boot-Start Driver Initialization Policy",
          "description": "Specifies which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver."
        },
        "defaultValue": "3"
      },
      "EnableWindowsNTPClient": {
        "type": "String",
        "metadata": {
          "displayName": "Enable Windows NTP Client",
          "description": "Specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers."
        },
        "defaultValue": "1"
      },
      "TurnOnConveniencePINSignin": {
        "type": "String",
        "metadata": {
          "displayName": "Turn on convenience PIN sign-in",
          "description": "Specifies whether a domain user can sign in using a convenience PIN."
        },
        "defaultValue": "0"
      },
      "AccountsGuestAccountStatus": {
        "type": "String",
        "metadata": {
          "displayName": "Accounts: Guest account status",
          "description": "Specifies whether the local Guest account is disabled."
        },
        "defaultValue": "0"
      },
      "AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits": {
        "type": "String",
        "metadata": {
          "displayName": "Audit: Shut down system immediately if unable to log security audits",
          "description": "Audits if the system will shut down when unable to log Security events."
        },
        "defaultValue": "0"
      },
      "DevicesAllowedToFormatAndEjectRemovableMedia": {
        "type": "String",
        "metadata": {
          "displayName": "Devices: Allowed to format and eject removable media",
          "description": "Specifies who is allowed to format and eject removable NTFS media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges."
        },
        "defaultValue": "0"
      },
      "MicrosoftNetworkClientDigitallySignCommunicationsAlways": {
        "type": "String",
        "metadata": {
          "displayName": "Microsoft network client: Digitally sign communications (always)",
          "description": "Specifies whether packet signing is required by the SMB client component."
        },
        "defaultValue": "1"
      },
      "MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers": {
        "type": "String",
        "metadata": {
          "displayName": "Microsoft network client: Send unencrypted password to third-party SMB servers",
          "description": "Specifies whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it."
        },
        "defaultValue": "0"
      },
      "MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession": {
        "type": "String",
        "metadata": {
          "displayName": "Microsoft network server: Amount of idle time required before suspending session",
          "description": "Specifies the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. The format of the value is two integers separated by a comma, denoting an inclusive range."
        },
        "defaultValue": "1,15"
      },
      "MicrosoftNetworkServerDigitallySignCommunicationsAlways": {
        "type": "String",
        "metadata": {
          "displayName": "Microsoft network server: Digitally sign communications (always)",
          "description": "Specifies whether packet signing is required by the SMB server component."
        },
        "defaultValue": "1"
      },
      "MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire": {
        "type": "String",
        "metadata": {
          "displayName": "Microsoft network server: Disconnect clients when logon hours expire",
          "description": "Specifies whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable 'Network security: Force logoff when logon hours expire'"
        },
        "defaultValue": "1"
      },
      "NetworkAccessRemotelyAccessibleRegistryPaths": {
        "type": "String",
        "metadata": {
          "displayName": "Network access: Remotely accessible registry paths",
          "description": "Specifies which registry paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the `winreg` registry key."
        },
        "defaultValue": "System\\CurrentControlSet\\Control\\ProductOptions|#|System\\CurrentControlSet\\Control\\Server Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"
      },
      "NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths": {
        "type": "String",
        "metadata": {
          "displayName": "Network access: Remotely accessible registry paths and sub-paths",
          "description": "Specifies which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the `winreg` registry key."
        },
        "defaultValue": "System\\CurrentControlSet\\Control\\Print\\Printers|#|System\\CurrentControlSet\\Services\\Eventlog|#|Software\\Microsoft\\OLAP Server|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|#|System\\CurrentControlSet\\Control\\ContentIndex|#|System\\CurrentControlSet\\Control\\Terminal Server|#|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|#|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"
      },
      "NetworkAccessSharesThatCanBeAccessedAnonymously": {
        "type": "String",
        "metadata": {
          "displayName": "Network access: Shares that can be accessed anonymously",
          "description": "Specifies which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server."
        },
        "defaultValue": "0"
      },
      "NetworkSecurityConfigureEncryptionTypesAllowedForKerberos": {
        "type": "String",
        "metadata": {
          "displayName": "Network Security: Configure encryption types allowed for Kerberos",
          "description": "Specifies the encryption types that Kerberos is allowed to use."
        },
        "defaultValue": "2147483644"
      },
      "NetworkSecurityLANManagerAuthenticationLevel": {
        "type": "String",
        "metadata": {
          "displayName": "Network security: LAN Manager authentication level",
          "description": "Specify which challenge-response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers."
        },
        "defaultValue": "5"
      },
      "NetworkSecurityLDAPClientSigningRequirements": {
        "type": "String",
        "metadata": {
          "displayName": "Network security: LDAP client signing requirements",
          "description": "Specify the level of data signing that is requested on behalf of clients that issue LDAP BIND requests."
        },
        "defaultValue": "1"
      },
      "NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients": {
        "type": "String",
        "metadata": {
          "displayName": "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients",
          "description": "Specifies which behaviors are allowed by clients for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. See https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers for more information."
        },
        "defaultValue": "537395200"
      },
      "NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers": {
        "type": "String",
        "metadata": {
          "displayName": "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers",
          "description": "Specifies which behaviors are allowed by servers for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services."
        },
        "defaultValue": "537395200"
      },
      "RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders": {
        "type": "String",
        "metadata": {
          "displayName": "Recovery console: Allow floppy copy and access to all drives and all folders",
          "description": "Specifies whether to make the Recovery Console SET command available, which allows setting of recovery console environment variables."
        },
        "defaultValue": "0"
      },
      "ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn": {
        "type": "String",
        "metadata": {
          "displayName": "Shutdown: Allow system to be shut down without having to log on",
          "description": "Specifies whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows logon screen."
        },
        "defaultValue": "0"
      },
      "ShutdownClearVirtualMemoryPagefile": {
        "type": "String",
        "metadata": {
          "displayName": "Shutdown: Clear virtual memory pagefile",
          "description": "Specifies whether the virtual memory pagefile is cleared when the system is shut down. When this policy setting is enabled, the system pagefile is cleared each time that the system shuts down properly. For systems with large amounts of RAM, this could result in substantial time needed to complete the shutdown."
        },
        "defaultValue": "0"
      },
      "SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies": {
        "type": "String",
        "metadata": {
          "displayName": "System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies",
          "description": "Specifies whether digital certificates are processed when software restriction policies are enabled and a user or process attempts to run software with an .exe file name extension. It enables or disables certificate rules (a type of software restriction policies rule). For certificate rules to take effect in software restriction policies, you must enable this policy setting."
        },
        "defaultValue": "1"
      },
      "UACAdminApprovalModeForTheBuiltinAdministratorAccount": {
        "type": "String",
        "metadata": {
          "displayName": "UAC: Admin Approval Mode for the Built-in Administrator account",
          "description": "Specifies the behavior of Admin Approval Mode for the built-in Administrator account."
        },
        "defaultValue": "1"
      },
      "UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode": {
        "type": "String",
        "metadata": {
          "displayName": "UAC: Behavior of the elevation prompt for administrators in Admin Approval Mode",
          "description": "Specifies the behavior of the elevation prompt for administrators."
        },
        "defaultValue": "2"
      },
      "UACDetectApplicationInstallationsAndPromptForElevation": {
        "type": "String",
        "metadata": {
          "displayName": "UAC: Detect application installations and prompt for elevation",
          "description": "Specifies the behavior of application installation detection for the computer."
        },
        "defaultValue": "1"
      },
      "UACRunAllAdministratorsInAdminApprovalMode": {
        "type": "String",
        "metadata": {
          "displayName": "UAC: Run all administrators in Admin Approval Mode",
          "description": "Specifies the behavior of all User Account Control (UAC) policy settings for the computer."
        },
        "defaultValue": "1"
      },
      "EnforcePasswordHistory": {
        "type": "String",
        "metadata": {
          "displayName": "Enforce password history",
          "description": "Specifies limits on password reuse - how many times a new password must be created for a user account before the password can be repeated."
        },
        "defaultValue": "24"
      },
      "MaximumPasswordAge": {
        "type": "String",
        "metadata": {
          "displayName": "Maximum password age",
          "description": "Specifies the maximum number of days that may elapse before a user account password must be changed. The format of the value is two integers separated by a comma, denoting an inclusive range."
        },
        "defaultValue": "1,70"
      },
      "MinimumPasswordAge": {
        "type": "String",
        "metadata": {
          "displayName": "Minimum password age",
          "description": "Specifies the minimum number of days that must elapse before a user account password can be changed."
        },
        "defaultValue": "1"
      },
      "MinimumPasswordLength": {
        "type": "String",
        "metadata": {
          "displayName": "Minimum password length",
          "description": "Specifies the minimum number of characters that a user account password may contain."
        },
        "defaultValue": "14"
      },
      "PasswordMustMeetComplexityRequirements": {
        "type": "String",
        "metadata": {
          "displayName": "Password must meet complexity requirements",
          "description": "Specifies whether a user account password must be complex. If required, a complex password must not contain part of the user's account name or full name; be at least 6 characters long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters."
        },
        "defaultValue": "1"
      },
      "AuditCredentialValidation": {
        "type": "String",
        "metadata": {
          "displayName": "Audit Credential Validation",
          "description": "Specifies whether audit events are generated when credentials are submitted for a user account logon request. This setting is especially useful for monitoring unsuccessful attempts, to find brute-force attacks, account enumeration, and potential account compromise events on domain controllers."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "Success and Failure"
      },
      "AuditProcessTermination": {
        "type": "String",
        "metadata": {
          "displayName": "Audit Process Termination",
          "description": "Specifies whether audit events are generated when a process has exited. Recommended for monitoring termination of critical processes."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "No Auditing"
      },
      "AuditGroupMembership": {
        "type": "String",
        "metadata": {
          "displayName": "Audit Group Membership",
          "description": "Specifies whether audit events are generated when group memberships are enumerated on the client computer."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "Success"
      },
      "AuditDetailedFileShare": {
        "type": "String",
        "metadata": {
          "displayName": "Audit Detailed File Share",
          "description": "If this policy setting is enabled, access to all shared files and folders on the system is audited. Auditing for Success can lead to very high volumes of events."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "No Auditing"
      },
      "AuditFileShare": {
        "type": "String",
        "metadata": {
          "displayName": "Audit File Share",
          "description": "Specifies whether to audit events related to file shares: creation, deletion, modification, and access attempts. Also, it shows failed SMB SPN checks. Event volumes can be high on DCs and File Servers."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "No Auditing"
      },
      "AuditFileSystem": {
        "type": "String",
        "metadata": {
          "displayName": "Audit File System",
          "description": "Specifies whether audit events are generated when users attempt to access file system objects. Audit events are generated only for objects that have configured system access control lists (SACLs)."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "No Auditing"
      },
      "AuditAuthenticationPolicyChange": {
        "type": "String",
        "metadata": {
          "displayName": "Audit Authentication Policy Change",
          "description": "Specifies whether audit events are generated when changes are made to authentication policy. This setting is useful for tracking changes in domain-level and forest-level trust and privileges that are granted to user accounts or groups."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "Success"
      },
      "AuditAuthorizationPolicyChange": {
        "type": "String",
        "metadata": {
          "displayName": "Audit Authorization Policy Change",
          "description": "Specifies whether audit events are generated for assignment and removal of user rights in user right policies, changes in security token object permission, resource attributes changes and Central Access Policy changes for file system objects."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "No Auditing"
      },
      "AuditOtherSystemEvents": {
        "type": "String",
        "metadata": {
          "displayName": "Audit Other System Events",
          "description": "Specifies whether audit events are generated for Windows Firewall Service and Windows Firewall driver start and stop events, failure events for these services and Windows Firewall Service policy processing failures."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "No Auditing"
      },
      "UsersOrGroupsThatMayAccessThisComputerFromTheNetwork": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may access this computer from the network",
          "description": "Specifies which remote users on the network are permitted to connect to the computer. This does not include Remote Desktop Connection."
        },
        "defaultValue": "Administrators, Authenticated Users"
      },
      "UsersOrGroupsThatMayLogOnLocally": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may log on locally",
          "description": "Specifies which users or groups can interactively log on to the computer. Users who attempt to log on via Remote Desktop Connection or IIS also require this user right."
        },
        "defaultValue": "Administrators"
      },
      "UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may log on through Remote Desktop Services",
          "description": "Specifies which users or groups are permitted to log on as a Terminal Services client, Remote Desktop, or for Remote Assistance."
        },
        "defaultValue": "Administrators, Remote Desktop Users"
      },
      "UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that are denied access to this computer from the network",
          "description": "Specifies which users or groups are explicitly prohibited from connecting to the computer across the network."
        },
        "defaultValue": "Guests"
      },
      "UsersOrGroupsThatMayManageAuditingAndSecurityLog": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may manage auditing and security log",
          "description": "Specifies users and groups permitted to change the auditing options for files and directories and clear the Security log."
        },
        "defaultValue": "Administrators"
      },
      "UsersOrGroupsThatMayBackUpFilesAndDirectories": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may back up files and directories",
          "description": "Specifies users and groups allowed to circumvent file and directory permissions to back up the system."
        },
        "defaultValue": "Administrators, Backup Operators"
      },
      "UsersOrGroupsThatMayChangeTheSystemTime": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may change the system time",
          "description": "Specifies which users and groups are permitted to change the time and date on the internal clock of the computer."
        },
        "defaultValue": "Administrators, LOCAL SERVICE"
      },
      "UsersOrGroupsThatMayChangeTheTimeZone": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may change the time zone",
          "description": "Specifies which users and groups are permitted to change the time zone of the computer."
        },
        "defaultValue": "Administrators, LOCAL SERVICE"
      },
      "UsersOrGroupsThatMayCreateATokenObject": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may create a token object",
          "description": "Specifies which users and groups are permitted to create an access token, which may provide elevated rights to access sensitive data."
        },
        "defaultValue": "No One"
      },
      "UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that are denied logging on as a batch job",
          "description": "Specifies which users and groups are explicitly not permitted to log on to the computer as a batch job (i.e. scheduled task)."
        },
        "defaultValue": "Guests"
      },
      "UsersAndGroupsThatAreDeniedLoggingOnAsAService": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that are denied logging on as a service",
          "description": "Specifies which service accounts are explicitly not permitted to register a process as a service."
        },
        "defaultValue": "Guests"
      },
      "UsersAndGroupsThatAreDeniedLocalLogon": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that are denied local logon",
          "description": "Specifies which users and groups are explicitly not permitted to log on to the computer."
        },
        "defaultValue": "Guests"
      },
      "UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that are denied log on through Remote Desktop Services",
          "description": "Specifies which users and groups are explicitly not permitted to log on to the computer via Terminal Services/Remote Desktop Client."
        },
        "defaultValue": "Guests"
      },
      "UserAndGroupsThatMayForceShutdownFromARemoteSystem": {
        "type": "String",
        "metadata": {
          "displayName": "User and groups that may force shutdown from a remote system",
          "description": "Specifies which users and groups are permitted to shut down the computer from a remote location on the network."
        },
        "defaultValue": "Administrators"
      },
      "UsersAndGroupsThatMayRestoreFilesAndDirectories": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that may restore files and directories",
          "description": "Specifies which users and groups are permitted to bypass file, directory, registry, and other persistent object permissions when restoring backed up files and directories."
        },
        "defaultValue": "Administrators, Backup Operators"
      },
      "UsersAndGroupsThatMayShutDownTheSystem": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that may shut down the system",
          "description": "Specifies which users and groups who are logged on locally to the computers in your environment are permitted to shut down the operating system with the Shut Down command."
        },
        "defaultValue": "Administrators"
      },
      "UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may take ownership of files or other objects",
          "description": "Specifies which users and groups are permitted to take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions that are in place to protect objects to give ownership to the specified user."
        },
        "defaultValue": "Administrators"
      },
      "SendFileSamplesWhenFurtherAnalysisIsRequired": {
        "type": "String",
        "metadata": {
          "displayName": "Send file samples when further analysis is required",
          "description": "Specifies whether and how Windows Defender will submit samples of suspected malware to Microsoft for further analysis when opt-in for MAPS telemetry is set."
        },
        "defaultValue": "1"
      },
      "AllowIndexingOfEncryptedFiles": {
        "type": "String",
        "metadata": {
          "displayName": "Allow indexing of encrypted files",
          "description": "Specifies whether encrypted items are allowed to be indexed."
        },
        "defaultValue": "0"
      },
      "AllowTelemetry": {
        "type": "String",
        "metadata": {
          "displayName": "Allow Telemetry",
          "description": "Specifies configuration of the amount of diagnostic and usage data reported to Microsoft. The data is transmitted securely and sensitive data is not sent."
        },
        "defaultValue": "2"
      },
      "AllowUnencryptedTraffic": {
        "type": "String",
        "metadata": {
          "displayName": "Allow unencrypted traffic",
          "description": "Specifies whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network."
        },
        "defaultValue": "0"
      },
      "AlwaysInstallWithElevatedPrivileges": {
        "type": "String",
        "metadata": {
          "displayName": "Always install with elevated privileges",
          "description": "Specifies whether Windows Installer should use system permissions when it installs any program on the system."
        },
        "defaultValue": "0"
      },
      "AlwaysPromptForPasswordUponConnection": {
        "type": "String",
        "metadata": {
          "displayName": "Always prompt for password upon connection",
          "description": "Specifies whether Terminal Services/Remote Desktop Connection always prompts the client computer for a password upon connection."
        },
        "defaultValue": "1"
      },
      "ApplicationSpecifyTheMaximumLogFileSizeKB": {
        "type": "String",
        "metadata": {
          "displayName": "Application: Specify the maximum log file size (KB)",
          "description": "Specifies the maximum size for the Application event log in kilobytes."
        },
        "defaultValue": "32768"
      },
      "AutomaticallySendMemoryDumpsForOSgeneratedErrorReports": {
        "type": "String",
        "metadata": {
          "displayName": "Automatically send memory dumps for OS-generated error reports",
          "description": "Specifies if memory dumps in support of OS-generated error reports can be sent to Microsoft automatically."
        },
        "defaultValue": "1"
      },
      "ConfigureDefaultConsent": {
        "type": "String",
        "metadata": {
          "displayName": "Configure Default consent",
          "description": "Specifies setting of the default consent handling for error reports sent to Microsoft."
        },
        "defaultValue": "4"
      },
      "ConfigureWindowsSmartScreen": {
        "type": "String",
        "metadata": {
          "displayName": "Configure Windows SmartScreen",
          "description": "Specifies how to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled."
        },
        "defaultValue": "1"
      },
      "DisallowDigestAuthentication": {
        "type": "String",
        "metadata": {
          "displayName": "Disallow Digest authentication",
          "description": "Specifies whether the Windows Remote Management (WinRM) client will not use Digest authentication."
        },
        "defaultValue": "0"
      },
      "DisallowWinRMFromStoringRunAsCredentials": {
        "type": "String",
        "metadata": {
          "displayName": "Disallow WinRM from storing RunAs credentials",
          "description": "Specifies whether the Windows Remote Management (WinRM) service will not allow RunAs credentials to be stored for any plug-ins."
        },
        "defaultValue": "1"
      },
      "DoNotAllowPasswordsToBeSaved": {
        "type": "String",
        "metadata": {
          "displayName": "Do not allow passwords to be saved",
          "description": "Specifies whether to prevent Remote Desktop Services - Terminal Services clients from saving passwords on a computer."
        },
        "defaultValue": "1"
      },
      "SecuritySpecifyTheMaximumLogFileSizeKB": {
        "type": "String",
        "metadata": {
          "displayName": "Security: Specify the maximum log file size (KB)",
          "description": "Specifies the maximum size for the Security event log in kilobytes."
        },
        "defaultValue": "196608"
      },
      "SetClientConnectionEncryptionLevel": {
        "type": "String",
        "metadata": {
          "displayName": "Set client connection encryption level",
          "description": "Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption."
        },
        "defaultValue": "3"
      },
      "SetTheDefaultBehaviorForAutoRun": {
        "type": "String",
        "metadata": {
          "displayName": "Set the default behavior for AutoRun",
          "description": "Specifies the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines."
        },
        "defaultValue": "1"
      },
      "SetupSpecifyTheMaximumLogFileSizeKB": {
        "type": "String",
        "metadata": {
          "displayName": "Setup: Specify the maximum log file size (KB)",
          "description": "Specifies the maximum size for the Setup event log in kilobytes."
        },
        "defaultValue": "32768"
      },
      "SystemSpecifyTheMaximumLogFileSizeKB": {
        "type": "String",
        "metadata": {
          "displayName": "System: Specify the maximum log file size (KB)",
          "description": "Specifies the maximum size for the System event log in kilobytes."
        },
        "defaultValue": "32768"
      },
      "TurnOffDataExecutionPreventionForExplorer": {
        "type": "String",
        "metadata": {
          "displayName": "Turn off Data Execution Prevention for Explorer",
          "description": "Specifies whether to turn off Data Execution Prevention for Windows File Explorer. Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer."
        },
        "defaultValue": "0"
      },
      "SpecifyTheIntervalToCheckForDefinitionUpdates": {
        "type": "String",
        "metadata": {
          "displayName": "Specify the interval to check for definition updates",
          "description": "Specifies an interval at which to check for Windows Defender definition updates. The time value is represented as the number of hours between update checks."
        },
        "defaultValue": "8"
      },
      "WindowsFirewallDomainUseProfileSettings": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Domain): Use profile settings",
          "description": "Specifies whether Windows Firewall with Advanced Security uses the settings for the Domain profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallDomainBehaviorForOutboundConnections": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Domain): Behavior for outbound connections",
          "description": "Specifies the behavior for outbound connections for the Domain profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, and a value of 1 means to block connections."
        },
        "defaultValue": "0"
      },
      "WindowsFirewallDomainApplyLocalConnectionSecurityRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Domain): Apply local connection security rules",
          "description": "Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy for the Domain profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallDomainApplyLocalFirewallRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Domain): Apply local firewall rules",
          "description": "Specifies whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy for the Domain profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallDomainDisplayNotifications": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Domain): Display notifications",
          "description": "Specifies whether Windows Firewall with Advanced Security displays notifications to the user when a program is blocked from receiving inbound connections, for the Domain profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPrivateUseProfileSettings": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Private): Use profile settings",
          "description": "Specifies whether Windows Firewall with Advanced Security uses the settings for the Private profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPrivateBehaviorForOutboundConnections": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Private): Behavior for outbound connections",
          "description": "Specifies the behavior for outbound connections for the Private profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, and a value of 1 means to block connections."
        },
        "defaultValue": "0"
      },
      "WindowsFirewallPrivateApplyLocalConnectionSecurityRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Private): Apply local connection security rules",
          "description": "Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy for the Private profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPrivateApplyLocalFirewallRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Private): Apply local firewall rules",
          "description": "Specifies whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy for the Private profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPrivateDisplayNotifications": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Private): Display notifications",
          "description": "Specifies whether Windows Firewall with Advanced Security displays notifications to the user when a program is blocked from receiving inbound connections, for the Private profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPublicUseProfileSettings": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Public): Use profile settings",
          "description": "Specifies whether Windows Firewall with Advanced Security uses the settings for the Public profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPublicBehaviorForOutboundConnections": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Public): Behavior for outbound connections",
          "description": "Specifies the behavior for outbound connections for the Public profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, and a value of 1 means to block connections."
        },
        "defaultValue": "0"
      },
      "WindowsFirewallPublicApplyLocalConnectionSecurityRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Public): Apply local connection security rules",
          "description": "Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy for the Public profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPublicApplyLocalFirewallRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Public): Apply local firewall rules",
          "description": "Specifies whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy for the Public profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPublicDisplayNotifications": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Public): Display notifications",
          "description": "Specifies whether Windows Firewall with Advanced Security displays notifications to the user when a program is blocked from receiving inbound connections, for the Public profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallDomainAllowUnicastResponse": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall: Domain: Allow unicast response",
          "description": "Specifies whether Windows Firewall with Advanced Security permits the local computer to receive unicast responses to its outgoing multicast or broadcast messages; for the Domain profile."
        },
        "defaultValue": "0"
      },
      "WindowsFirewallPrivateAllowUnicastResponse": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall: Private: Allow unicast response",
          "description": "Specifies whether Windows Firewall with Advanced Security permits the local computer to receive unicast responses to its outgoing multicast or broadcast messages; for the Private profile."
        },
        "defaultValue": "0"
      },
      "WindowsFirewallPublicAllowUnicastResponse": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall: Public: Allow unicast response",
          "description": "Specifies whether Windows Firewall with Advanced Security permits the local computer to receive unicast responses to its outgoing multicast or broadcast messages; for the Public profile."
        },
        "defaultValue": "1"
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "Deploy_AzureBaseline_AdministrativeTemplatesControlPanel",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ec7ac234-2af5-4729-94d2-c557c071799d"
      },
      {
        "policyDefinitionReferenceId": "Deploy_AzureBaseline_AdministrativeTemplatesNetwork",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/985285b7-b97a-419c-8d48-c88cc934c8d8",
        "parameters": {
          "EnableInsecureGuestLogons": {
            "value": "[parameters('EnableInsecureGuestLogons')]"
          },
          "AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain": {
            "value": "[parameters('AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain')]"
          },
          "TurnOffMulticastNameResolution": {
            "value": "[parameters('TurnOffMulticastNameResolution')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "Deploy_AzureBaseline_AdministrativeTemplatesSystem",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/40917425-69db-4018-8dae-2a0556cef899",
        "parameters": {
          "AlwaysUseClassicLogon": {
            "value": "[parameters('AlwaysUseClassicLogon')]"
          },
          "BootStartDriverInitializationPolicy": {
            "value": "[parameters('BootStartDriverInitializationPolicy')]"
          },
          "EnableWindowsNTPClient": {
            "value": "[parameters('EnableWindowsNTPClient')]"
          },
          "TurnOnConveniencePINSignin": {
            "value": "[parameters('TurnOnConveniencePINSignin')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "Deploy_AzureBaseline_AdminstrativeTemplatesMSSLegacy",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f1f4825d-58fb-4257-8016-8c00e3c9ed9d"
      },
      {
        "policyDefinitionReferenceId": "Deploy_AzureBaseline_SecurityOptionsAccounts",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e5b81f87-9185-4224-bf00-9f505e9f89f3",
        "parameters": {
          "AccountsGuestAccountStatus": {
            "value": "[parameters('AccountsGuestAccountStatus')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "Deploy_AzureBaseline_SecurityOptionsAudit",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/498b810c-59cd-4222-9338-352ba146ccf3",
        "parameters": {
          "AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits": {
            "value": "[parameters('AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "Deploy_AzureBaseline_SecurityOptionsDevices",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6481cc21-ed6e-4480-99dd-ea7c5222e897",
        "parameters": {
          "DevicesAllowedToFormatAndEjectRemovableMedia": {
            "value": "[parameters('DevicesAllowedToFormatAndEjectRemovableMedia')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "Deploy_AzureBaseline_SecurityOptionsInteractiveLogon",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3750712b-43d0-478e-9966-d2c26f6141b9"
      },
      {
        "policyDefinitionReferenceId": "Deploy_AzureBaseline_SecurityOptionsMicrosoftNetworkClient",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bbcdd8fa-b600-4ee3-85b8-d184e3339652",
        "parameters": {
          "MicrosoftNetworkClientDigitallySignCommunicationsAlways": {
            "value": "[parameters('MicrosoftNetworkClientDigitallySignCommunicationsAlways')]"
          },
          "MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers": {
            "value": "[parameters('MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers')]"
          },
          "MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession": {
            "value": "[parameters('MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession')]"
          },
          "MicrosoftNetworkServerDigitallySignCommunicationsAlways": {
            "value": "[parameters('MicrosoftNetworkServerDigitallySignCommunicationsAlways')]"
          },
          "MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire": {
            "value": "[parameters('MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "Deploy_AzureBaseline_SecurityOptionsMicrosoftNetworkServer",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86880e5c-df35-43c5-95ad-7e120635775e"
      },
      {
        "policyDefinitionReferenceId": "Deploy_AzureBaseline_SecurityOptionsNetworkAccess",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f56a3ab2-89d1-44de-ac0d-2ada5962e22a",
        "parameters": {
          "NetworkAccessRemotelyAccessibleRegistryPaths": {
            "value": "[parameters('NetworkAccessRemotelyAccessibleRegistryPaths')]"
          },
          "NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths": {
            "value": "[parameters('NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths')]"
          },
          "NetworkAccessSharesThatCanBeAccessedAnonymously": {
            "value": "[parameters('NetworkAccessSharesThatCanBeAccessedAnonymously')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "Deploy_AzureBaseline_SecurityOptionsNetworkSecurity",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/36e17963-7202-494a-80c3-f508211c826b",
        "parameters": {
          "NetworkSecurityConfigureEncryptionTypesAllowedForKerberos": {
            "value": "[parameters('NetworkSecurityConfigureEncryptionTypesAllowedForKerberos')]"
          },
          "NetworkSecurityLANManagerAuthenticationLevel": {
            "value": "[parameters('NetworkSecurityLANManagerAuthenticationLevel')]"
          },
          "NetworkSecurityLDAPClientSigningRequirements": {
            "value": "[parameters('NetworkSecurityLDAPClientSigningRequirements')]"
          },
          "NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients": {
            "value": "[parameters('NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients')]"
          },
          "NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers": {
            "value": "[parameters('NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "Deploy_AzureBaseline_SecurityOptionsRecoveryconsole",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b",
        "parameters": {
          "RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders": {
            "value": "[parameters('RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "Deploy_AzureBaseline_SecurityOptionsShutdown",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f8c20ce-3414-4496-8b26-0e902a1541da",
        "parameters": {
          "ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn": {
            "value": "[parameters('ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn')]"
          },
          "ShutdownClearVirtualMemoryPagefile": {
            "value": "[parameters('ShutdownClearVirtualMemoryPagefile')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "Deploy_AzureBaseline_SecurityOptionsSystemobjects",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12ae2d24-3805-4b37-9fa9-465968bfbcfa"
      },
      {
        "policyDefinitionReferenceId": "Deploy_AzureBaseline_SecurityOptionsSystemsettings",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/437a1f8f-8552-47a8-8b12-a2fee3269dd5",
        "parameters": {
          "SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies": {
            "value": "[parameters('SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "Deploy_AzureBaseline_SecurityOptionsUserAccountControl",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e425e402-a050-45e5-b010-bd3f934589fc",
        "parameters": {
          "UACAdminApprovalModeForTheBuiltinAdministratorAccount": {
            "value": "[parameters('UACAdminApprovalModeForTheBuiltinAdministratorAccount')]"
          },
          "UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode": {
            "value": "[parameters('UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode')]"
          },
          "UACDetectApplicationInstallationsAndPromptForElevation": {
            "value": "[parameters('UACDetectApplicationInstallationsAndPromptForElevation')]"
          },
          "UACRunAllAdministratorsInAdminApprovalMode": {
            "value": "[parameters('UACRunAllAdministratorsInAdminApprovalMode')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "Deploy_AzureBaseline_SecuritySettingsAccountPolicies",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e3d95ab7-f47a-49d8-a347-784177b6c94c",
        "parameters": {
          "EnforcePasswordHistory": {
            "value": "[parameters('EnforcePasswordHistory')]"
          },
          "MaximumPasswordAge": {
            "value": "[parameters('MaximumPasswordAge')]"
          },
          "MinimumPasswordAge": {
            "value": "[parameters('MinimumPasswordAge')]"
          },
          "MinimumPasswordLength": {
            "value": "[parameters('MinimumPasswordLength')]"
          },
          "PasswordMustMeetComplexityRequirements": {
            "value": "[parameters('PasswordMustMeetComplexityRequirements')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "Deploy_AzureBaseline_SystemAuditPoliciesAccountLogon",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c1e289c0-ffad-475d-a924-adc058765d65",
        "parameters": {
          "AuditCredentialValidation": {
            "value": "[parameters('AuditCredentialValidation')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "Deploy_AzureBaseline_SystemAuditPoliciesAccountManagement",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a9991e6-21be-49f9-8916-a06d934bcf29"
      },
      {
        "policyDefinitionReferenceId": "Deploy_AzureBaseline_SystemAuditPoliciesDetailedTracking",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/42a07bbf-ffcf-459a-b4b1-30ecd118a505",
        "parameters": {
          "AuditProcessTermination": {
            "value": "[parameters('AuditProcessTermination')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "Deploy_AzureBaseline_SystemAuditPoliciesLogonLogoff",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c04255ee-1b9f-42c1-abaa-bf1553f79930",
        "parameters": {
          "AuditGroupMembership": {
            "value": "[parameters('AuditGroupMembership')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "Deploy_AzureBaseline_SystemAuditPoliciesObjectAccess",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8e170edb-e0f5-497a-bb36-48b3280cec6a",
        "parameters": {
          "AuditDetailedFileShare": {
            "value": "[parameters('AuditDetailedFileShare')]"
          },
          "AuditFileShare": {
            "value": "[parameters('AuditFileShare')]"
          },
          "AuditFileSystem": {
            "value": "[parameters('AuditFileSystem')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "Deploy_AzureBaseline_SystemAuditPoliciesPolicyChange",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/97b595c8-fd10-400e-8543-28e2b9138b13",
        "parameters": {
          "AuditAuthenticationPolicyChange": {
            "value": "[parameters('AuditAuthenticationPolicyChange')]"
          },
          "AuditAuthorizationPolicyChange": {
            "value": "[parameters('AuditAuthorizationPolicyChange')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "Deploy_AzureBaseline_SystemAuditPoliciesPrivilegeUse",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ce2370f6-0ac5-4d85-8ab4-10721cc640b0"
      },
      {
        "policyDefinitionReferenceId": "Deploy_AzureBaseline_SystemAuditPoliciesSystem",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8b0158d-4766-490f-bea0-259e52dba473",
        "parameters": {
          "AuditOtherSystemEvents": {
            "value": "[parameters('AuditOtherSystemEvents')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "Deploy_AzureBaseline_UserRightsAssignment",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/815dcc9f-6662-43f2-9a03-1b83e9876f24",
        "parameters": {
          "UsersOrGroupsThatMayAccessThisComputerFromTheNetwork": {
            "value": "[parameters('UsersOrGroupsThatMayAccessThisComputerFromTheNetwork')]"
          },
          "UsersOrGroupsThatMayLogOnLocally": {
            "value": "[parameters('UsersOrGroupsThatMayLogOnLocally')]"
          },
          "UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices": {
            "value": "[parameters('UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices')]"
          },
          "UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork": {
            "value": "[parameters('UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork')]"
          },
          "UsersOrGroupsThatMayManageAuditingAndSecurityLog": {
            "value": "[parameters('UsersOrGroupsThatMayManageAuditingAndSecurityLog')]"
          },
          "UsersOrGroupsThatMayBackUpFilesAndDirectories": {
            "value": "[parameters('UsersOrGroupsThatMayBackUpFilesAndDirectories')]"
          },
          "UsersOrGroupsThatMayChangeTheSystemTime": {
            "value": "[parameters('UsersOrGroupsThatMayChangeTheSystemTime')]"
          },
          "UsersOrGroupsThatMayChangeTheTimeZone": {
            "value": "[parameters('UsersOrGroupsThatMayChangeTheTimeZone')]"
          },
          "UsersOrGroupsThatMayCreateATokenObject": {
            "value": "[parameters('UsersOrGroupsThatMayCreateATokenObject')]"
          },
          "UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob": {
            "value": "[parameters('UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob')]"
          },
          "UsersAndGroupsThatAreDeniedLoggingOnAsAService": {
            "value": "[parameters('UsersAndGroupsThatAreDeniedLoggingOnAsAService')]"
          },
          "UsersAndGroupsThatAreDeniedLocalLogon": {
            "value": "[parameters('UsersAndGroupsThatAreDeniedLocalLogon')]"
          },
          "UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices": {
            "value": "[parameters('UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices')]"
          },
          "UserAndGroupsThatMayForceShutdownFromARemoteSystem": {
            "value": "[parameters('UserAndGroupsThatMayForceShutdownFromARemoteSystem')]"
          },
          "UsersAndGroupsThatMayRestoreFilesAndDirectories": {
            "value": "[parameters('UsersAndGroupsThatMayRestoreFilesAndDirectories')]"
          },
          "UsersAndGroupsThatMayShutDownTheSystem": {
            "value": "[parameters('UsersAndGroupsThatMayShutDownTheSystem')]"
          },
          "UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects": {
            "value": "[parameters('UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "Deploy_AzureBaseline_WindowsComponents",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7040a231-fb65-4412-8c0a-b365f4866c24",
        "parameters": {
          "SendFileSamplesWhenFurtherAnalysisIsRequired": {
            "value": "[parameters('SendFileSamplesWhenFurtherAnalysisIsRequired')]"
          },
          "AllowIndexingOfEncryptedFiles": {
            "value": "[parameters('AllowIndexingOfEncryptedFiles')]"
          },
          "AllowTelemetry": {
            "value": "[parameters('AllowTelemetry')]"
          },
          "AllowUnencryptedTraffic": {
            "value": "[parameters('AllowUnencryptedTraffic')]"
          },
          "AlwaysInstallWithElevatedPrivileges": {
            "value": "[parameters('AlwaysInstallWithElevatedPrivileges')]"
          },
          "AlwaysPromptForPasswordUponConnection": {
            "value": "[parameters('AlwaysPromptForPasswordUponConnection')]"
          },
          "ApplicationSpecifyTheMaximumLogFileSizeKB": {
            "value": "[parameters('ApplicationSpecifyTheMaximumLogFileSizeKB')]"
          },
          "AutomaticallySendMemoryDumpsForOSgeneratedErrorReports": {
            "value": "[parameters('AutomaticallySendMemoryDumpsForOSgeneratedErrorReports')]"
          },
          "ConfigureDefaultConsent": {
            "value": "[parameters('ConfigureDefaultConsent')]"
          },
          "ConfigureWindowsSmartScreen": {
            "value": "[parameters('ConfigureWindowsSmartScreen')]"
          },
          "DisallowDigestAuthentication": {
            "value": "[parameters('DisallowDigestAuthentication')]"
          },
          "DisallowWinRMFromStoringRunAsCredentials": {
            "value": "[parameters('DisallowWinRMFromStoringRunAsCredentials')]"
          },
          "DoNotAllowPasswordsToBeSaved": {
            "value": "[parameters('DoNotAllowPasswordsToBeSaved')]"
          },
          "SecuritySpecifyTheMaximumLogFileSizeKB": {
            "value": "[parameters('SecuritySpecifyTheMaximumLogFileSizeKB')]"
          },
          "SetClientConnectionEncryptionLevel": {
            "value": "[parameters('SetClientConnectionEncryptionLevel')]"
          },
          "SetTheDefaultBehaviorForAutoRun": {
            "value": "[parameters('SetTheDefaultBehaviorForAutoRun')]"
          },
          "SetupSpecifyTheMaximumLogFileSizeKB": {
            "value": "[parameters('SetupSpecifyTheMaximumLogFileSizeKB')]"
          },
          "SystemSpecifyTheMaximumLogFileSizeKB": {
            "value": "[parameters('SystemSpecifyTheMaximumLogFileSizeKB')]"
          },
          "TurnOffDataExecutionPreventionForExplorer": {
            "value": "[parameters('TurnOffDataExecutionPreventionForExplorer')]"
          },
          "SpecifyTheIntervalToCheckForDefinitionUpdates": {
            "value": "[parameters('SpecifyTheIntervalToCheckForDefinitionUpdates')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "Deploy_AzureBaseline_WindowsFirewallProperties",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/909c958d-1b99-4c74-b88f-46a5c5bc34f9",
        "parameters": {
          "WindowsFirewallDomainUseProfileSettings": {
            "value": "[parameters('WindowsFirewallDomainUseProfileSettings')]"
          },
          "WindowsFirewallDomainBehaviorForOutboundConnections": {
            "value": "[parameters('WindowsFirewallDomainBehaviorForOutboundConnections')]"
          },
          "WindowsFirewallDomainApplyLocalConnectionSecurityRules": {
            "value": "[parameters('WindowsFirewallDomainApplyLocalConnectionSecurityRules')]"
          },
          "WindowsFirewallDomainApplyLocalFirewallRules": {
            "value": "[parameters('WindowsFirewallDomainApplyLocalFirewallRules')]"
          },
          "WindowsFirewallDomainDisplayNotifications": {
            "value": "[parameters('WindowsFirewallDomainDisplayNotifications')]"
          },
          "WindowsFirewallPrivateUseProfileSettings": {
            "value": "[parameters('WindowsFirewallPrivateUseProfileSettings')]"
          },
          "WindowsFirewallPrivateBehaviorForOutboundConnections": {
            "value": "[parameters('WindowsFirewallPrivateBehaviorForOutboundConnections')]"
          },
          "WindowsFirewallPrivateApplyLocalConnectionSecurityRules": {
            "value": "[parameters('WindowsFirewallPrivateApplyLocalConnectionSecurityRules')]"
          },
          "WindowsFirewallPrivateApplyLocalFirewallRules": {
            "value": "[parameters('WindowsFirewallPrivateApplyLocalFirewallRules')]"
          },
          "WindowsFirewallPrivateDisplayNotifications": {
            "value": "[parameters('WindowsFirewallPrivateDisplayNotifications')]"
          },
          "WindowsFirewallPublicUseProfileSettings": {
            "value": "[parameters('WindowsFirewallPublicUseProfileSettings')]"
          },
          "WindowsFirewallPublicBehaviorForOutboundConnections": {
            "value": "[parameters('WindowsFirewallPublicBehaviorForOutboundConnections')]"
          },
          "WindowsFirewallPublicApplyLocalConnectionSecurityRules": {
            "value": "[parameters('WindowsFirewallPublicApplyLocalConnectionSecurityRules')]"
          },
          "WindowsFirewallPublicApplyLocalFirewallRules": {
            "value": "[parameters('WindowsFirewallPublicApplyLocalFirewallRules')]"
          },
          "WindowsFirewallPublicDisplayNotifications": {
            "value": "[parameters('WindowsFirewallPublicDisplayNotifications')]"
          },
          "WindowsFirewallDomainAllowUnicastResponse": {
            "value": "[parameters('WindowsFirewallDomainAllowUnicastResponse')]"
          },
          "WindowsFirewallPrivateAllowUnicastResponse": {
            "value": "[parameters('WindowsFirewallPrivateAllowUnicastResponse')]"
          },
          "WindowsFirewallPublicAllowUnicastResponse": {
            "value": "[parameters('WindowsFirewallPublicAllowUnicastResponse')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "Audit_AzureBaseline_AdministrativeTemplatesControlPanel",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/87b590fe-4a1d-4697-ae74-d4fe72ab786c"
      },
      {
        "policyDefinitionReferenceId": "Audit_AzureBaseline_AdministrativeTemplatesNetwork",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7229bd6a-693d-478a-87f0-1dc1af06f3b8"
      },
      {
        "policyDefinitionReferenceId": "Audit_AzureBaseline_AdministrativeTemplatesSystem",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a1e8dda3-9fd2-4835-aec3-0e55531fde33"
      },
      {
        "policyDefinitionReferenceId": "Audit_AzureBaseline_AdminstrativeTemplatesMSSLegacy",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/97646672-5efa-4622-9b54-740270ad60bf"
      },
      {
        "policyDefinitionReferenceId": "Audit_AzureBaseline_SecurityOptionsAccounts",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607"
      },
      {
        "policyDefinitionReferenceId": "Audit_AzureBaseline_SecurityOptionsAudit",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/21e2995e-683e-497a-9e81-2f42ad07050a"
      },
      {
        "policyDefinitionReferenceId": "Audit_AzureBaseline_SecurityOptionsDevices",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3d7b154e-2700-4c8c-9e46-cb65ac1578c2"
      },
      {
        "policyDefinitionReferenceId": "Audit_AzureBaseline_SecurityOptionsInteractiveLogon",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c8abcef9-fc26-482f-b8db-5fa60ee4586d"
      },
      {
        "policyDefinitionReferenceId": "Audit_AzureBaseline_SecurityOptionsMicrosoftNetworkClient",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b"
      },
      {
        "policyDefinitionReferenceId": "Audit_AzureBaseline_SecurityOptionsMicrosoftNetworkServer",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6fe4ef56-7576-4dc4-8e9c-26bad4b087ce"
      },
      {
        "policyDefinitionReferenceId": "Audit_AzureBaseline_SecurityOptionsNetworkAccess",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9"
      },
      {
        "policyDefinitionReferenceId": "Audit_AzureBaseline_SecurityOptionsNetworkSecurity",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c028d2a-1889-45f6-b821-31f42711ced8"
      },
      {
        "policyDefinitionReferenceId": "Audit_AzureBaseline_SecurityOptionsRecoveryconsole",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b"
      },
      {
        "policyDefinitionReferenceId": "Audit_AzureBaseline_SecurityOptionsShutdown",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e3a77a94-cf41-4ee8-b45c-98be28841c03"
      },
      {
        "policyDefinitionReferenceId": "Audit_AzureBaseline_SecurityOptionsSystemobjects",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/620e58b5-ac75-49b4-993f-a9d4f0459636"
      },
      {
        "policyDefinitionReferenceId": "Audit_AzureBaseline_SecurityOptionsSystemsettings",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8a39d1f1-5513-4628-b261-f469a5a3341b"
      },
      {
        "policyDefinitionReferenceId": "Audit_AzureBaseline_SecurityOptionsUserAccountControl",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/29829ec2-489d-4925-81b7-bda06b1718e0"
      },
      {
        "policyDefinitionReferenceId": "Audit_AzureBaseline_SecuritySettingsAccountPolicies",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ddb53c61-9db4-41d4-a953-2abff5b66c12"
      },
      {
        "policyDefinitionReferenceId": "Audit_AzureBaseline_SystemAuditPoliciesAccountLogon",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bc87d811-4a9b-47cc-ae54-0a41abda7768"
      },
      {
        "policyDefinitionReferenceId": "Audit_AzureBaseline_SystemAuditPoliciesAccountManagement",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/225e937e-d32e-4713-ab74-13ce95b3519a"
      },
      {
        "policyDefinitionReferenceId": "Audit_AzureBaseline_SystemAuditPoliciesDetailedTracking",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a9a33475-481d-4b81-9116-0bf02ffe67e8"
      },
      {
        "policyDefinitionReferenceId": "Audit_AzureBaseline_SystemAuditPoliciesLogonLogoff",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b3802d79-dd88-4bce-b81d-780218e48280"
      },
      {
        "policyDefinitionReferenceId": "Audit_AzureBaseline_SystemAuditPoliciesObjectAccess",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/60aeaf73-a074-417a-905f-7ce9df0ff77b"
      },
      {
        "policyDefinitionReferenceId": "Audit_AzureBaseline_SystemAuditPoliciesPolicyChange",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/dd4680ed-0559-4a6a-ad10-081d14cbb484"
      },
      {
        "policyDefinitionReferenceId": "Audit_AzureBaseline_SystemAuditPoliciesPrivilegeUse",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c"
      },
      {
        "policyDefinitionReferenceId": "Audit_AzureBaseline_SystemAuditPoliciesSystem",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7066131b-61a6-4917-a7e4-72e8983f0aa6"
      },
      {
        "policyDefinitionReferenceId": "Audit_AzureBaseline_UserRightsAssignment",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c961dac9-5916-42e8-8fb1-703148323994"
      },
      {
        "policyDefinitionReferenceId": "Audit_AzureBaseline_WindowsComponents",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9178b430-2295-406e-bb28-f6a7a2a2f897"
      },
      {
        "policyDefinitionReferenceId": "Audit_AzureBaseline_WindowsFirewallProperties",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8bbd627e-4d25-4906-9a6e-3789780af3ec"
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/d618d658-b2d0-410e-9e2e-bfbfd04d09fa",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "d618d658-b2d0-410e-9e2e-bfbfd04d09fa"
}
BuiltIn Guest Configuration True False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit Windows VMs that have not restarted within the specified number of days",
    "policyType": "BuiltIn",
    "description": "This initiative deploys the policy requirements and audits Windows virtual machines that have not restarted within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "parameters": {
      "NumberOfDays": {
        "type": "String",
        "metadata": {
          "displayName": "Number of days",
          "description": "The number of days without restart until the machine is considered non-compliant"
        },
        "defaultValue": "12"
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "Deploy_MachineLastBootUpTime",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f4b245d4-46c9-42be-9b1a-49e2b5b94194",
        "parameters": {
          "NumberOfDays": {
            "value": "[parameters('NumberOfDays')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "Audit_MachineLastBootUpTime",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7e84ba44-6d03-46fd-950e-5efa5a1112fa"
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/b8b5b0a8-b809-4e5d-8082-382c686e35b7",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "b8b5b0a8-b809-4e5d-8082-382c686e35b7"
}
BuiltIn Guest Configuration True False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit Windows VMs that have the specified applications installed",
    "policyType": "BuiltIn",
    "description": "This initiative deploys the policy requirements and audits Windows virtual machines that have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "parameters": {
      "ApplicationName": {
        "type": "String",
        "metadata": {
          "displayName": "Application names (supports wildcards)",
          "description": "A semicolon-separated list of the names of the applications that should not be installed. e.g. 'Microsoft SQL Server 2014 (64-bit); Microsoft Visual Studio Code' or 'Microsoft SQL Server 2014*' (to match any application starting with 'Microsoft SQL Server 2014')"
        }
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "Deploy_NotInstalledApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0633351-c7b2-41ff-9981-508fc08553c2",
        "parameters": {
          "ApplicationName": {
            "value": "[parameters('ApplicationName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "Audit_NotInstalledApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7e56b49b-5990-4159-a734-511ea19b731c"
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/d7fff7ea-9d47-4952-b854-b7da261e48f2",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "d7fff7ea-9d47-4952-b854-b7da261e48f2"
}
BuiltIn Guest Configuration True False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit Windows VMs with a pending reboot",
    "policyType": "BuiltIn",
    "description": "This initiative deploys the policy requirements and audits Windows virtual machines with a pending reboot. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "Deploy_WindowsPendingReboot",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c96f3246-4382-4264-bf6b-af0b35e23c3c"
      },
      {
        "policyDefinitionReferenceId": "Audit_WindowsPendingReboot",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8b0de57a-f511-4d45-a277-17cb79cb163b"
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/c96b2a9c-6fab-4ac2-ae21-502143491cd4",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "c96b2a9c-6fab-4ac2-ae21-502143491cd4"
}
BuiltIn Guest Configuration True False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "[Deprecated]: Audit Windows web servers that are not using secure communication protocols",
    "policyType": "BuiltIn",
    "description": "This initiative deploys the policy requirements and audits Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Guest Configuration",
      "deprecated": true
    },
    "parameters": {
      "MinimumTLSVersion": {
        "type": "String",
        "metadata": {
          "displayName": "Minimum TLS version",
          "description": "The minimum TLS protocol version that should be enabled. Windows web servers with lower TLS versions will be marked as non-compliant."
        },
        "allowedValues": [
          "1.1",
          "1.2"
        ],
        "defaultValue": "1.1"
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "Deploy_WindowsTLS",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8",
        "parameters": {
          "MinimumTLSVersion": {
            "value": "[parameters('MinimumTLSVersion')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "Audit_WindowsTLS",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c"
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/8bc55e6b-e9d5-4266-8dac-f688d151ec9c",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "8bc55e6b-e9d5-4266-8dac-f688d151ec9c"
}
BuiltIn Guest Configuration True False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "[Deprecated]: Azure Security Benchmark v1",
    "policyType": "BuiltIn",
    "description": "This initiative has been deprecated. The Azure Security Benchmark initiative now represents the Azure Security Benchmark v2 controls, and serves as the Azure Security Center default policy initiative. Please assign that initiative, or manage its policies and compliance results within Azure Security Center.",
    "metadata": {
      "version": "8.0.0-deprecated",
      "deprecated": true,
      "category": "Regulatory Compliance"
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers for Guest Configuration policies",
          "description": "Optionally choose to audit settings inside Arc connected servers using Guest Configuration policies. By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "listOfMembersToExcludeFromWindowsVMAdministratorsGroup": {
        "type": "String",
        "metadata": {
          "displayName": "List of users excluded from Windows VM Administrators group",
          "description": "A semicolon-separated list of members that should be excluded in the Administrators local group. Ex: Administrator; myUser1; myUser2"
        }
      },
      "listOfMembersToIncludeInWindowsVMAdministratorsGroup": {
        "type": "String",
        "metadata": {
          "displayName": "List of users that must be included in Windows VM Administrators group",
          "description": "A semicolon-separated list of members that should be included in the Administrators local group. Ex: Administrator; myUser1; myUser2"
        }
      },
      "listOfOnlyMembersInWindowsVMAdministratorsGroup": {
        "type": "String",
        "metadata": {
          "displayName": "List of users that Windows VM Administrators group must *only* include",
          "description": "A semicolon-separated list of all the expected members of the Administrators local group. Ex: Administrator; myUser1; myUser2"
        }
      },
      "listOfRegionsWhereNetworkWatcherShouldBeEnabled": {
        "type": "Array",
        "metadata": {
          "displayName": "[Deprecated]: List of regions where Network Watcher should be enabled",
          "description": "To see a complete list of regions use Get-AzLocation",
          "strongType": "location",
          "deprecated": true
        },
        "defaultValue": [
          "australiacentral",
          "australiacentral2",
          "australiaeast",
          "australiasoutheast",
          "brazilsouth",
          "canadacentral",
          "canadaeast",
          "centralindia",
          "centralus",
          "eastasia",
          "eastus",
          "eastus2",
          "francecentral",
          "francesouth",
          "germanynorth",
          "germanywestcentral",
          "global",
          "japaneast",
          "japanwest",
          "koreacentral",
          "koreasouth",
          "northcentralus",
          "northeurope",
          "norwayeast",
          "norwaywest",
          "southafricanorth",
          "southafricawest",
          "southcentralus",
          "southeastasia",
          "southindia",
          "switzerlandnorth",
          "switzerlandwest",
          "uaecentral",
          "uaenorth",
          "uksouth",
          "ukwest",
          "westcentralus",
          "westeurope",
          "westindia",
          "westus",
          "westus2"
        ]
      },
      "NetworkWatcherResourceGroupName": {
        "type": "String",
        "metadata": {
          "displayName": "NetworkWatcher resource group name",
          "description": "Name of the resource group of NetworkWatcher, such as NetworkWatcherRG"
        },
        "defaultValue": "NetworkWatcherRG"
      },
      "approvedVirtualNetworkForVMs": {
        "type": "String",
        "metadata": {
          "displayName": "Virtual network where VMs should be connected",
          "description": "Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroupName/providers/Microsoft.Network/virtualNetworks/Name",
          "strongType": "Microsoft.Network/virtualNetworks"
        }
      },
      "approvedNetworkGatewayforVirtualNetworks": {
        "type": "String",
        "metadata": {
          "displayName": "Network gateway that virtual networks should use",
          "description": "Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroup/providers/Microsoft.Network/virtualNetworkGateways/Name",
          "strongType": "Microsoft.Network/virtualNetworkGateways"
        }
      },
      "listOfWorkspaceIDsForLogAnalyticsAgent": {
        "type": "String",
        "metadata": {
          "displayName": "List of workspace IDs where Log Analytics agents should connect",
          "description": "A semicolon-separated list of the workspace IDs that the Log Analytics agent should be connected to"
        }
      },
      "listOfResourceTypesWithDiagnosticLogsEnabled": {
        "type": "Array",
        "metadata": {
          "displayName": "List of resource types that should have resource logs enabled",
          "description": "Audit diagnostic setting for selected resource types"
        },
        "allowedValues": [
          "Microsoft.AnalysisServices/servers",
          "Microsoft.ApiManagement/service",
          "Microsoft.Network/applicationGateways",
          "Microsoft.Automation/automationAccounts",
          "Microsoft.ContainerInstance/containerGroups",
          "Microsoft.ContainerRegistry/registries",
          "Microsoft.ContainerService/managedClusters",
          "Microsoft.Batch/batchAccounts",
          "Microsoft.Cdn/profiles/endpoints",
          "Microsoft.CognitiveServices/accounts",
          "Microsoft.DocumentDB/databaseAccounts",
          "Microsoft.DataFactory/factories",
          "Microsoft.DataLakeAnalytics/accounts",
          "Microsoft.DataLakeStore/accounts",
          "Microsoft.EventGrid/eventSubscriptions",
          "Microsoft.EventGrid/topics",
          "Microsoft.EventHub/namespaces",
          "Microsoft.Network/expressRouteCircuits",
          "Microsoft.Network/azureFirewalls",
          "Microsoft.HDInsight/clusters",
          "Microsoft.Devices/IotHubs",
          "Microsoft.KeyVault/vaults",
          "Microsoft.Network/loadBalancers",
          "Microsoft.Logic/integrationAccounts",
          "Microsoft.Logic/workflows",
          "Microsoft.DBforMySQL/servers",
          "Microsoft.Network/networkInterfaces",
          "Microsoft.Network/networkSecurityGroups",
          "Microsoft.DBforPostgreSQL/servers",
          "Microsoft.PowerBIDedicated/capacities",
          "Microsoft.Network/publicIPAddresses",
          "Microsoft.RecoveryServices/vaults",
          "Microsoft.Cache/redis",
          "Microsoft.Relay/namespaces",
          "Microsoft.Search/searchServices",
          "Microsoft.ServiceBus/namespaces",
          "Microsoft.SignalRService/SignalR",
          "Microsoft.Sql/servers/databases",
          "Microsoft.Sql/servers/elasticPools",
          "Microsoft.StreamAnalytics/streamingjobs",
          "Microsoft.TimeSeriesInsights/environments",
          "Microsoft.Network/trafficManagerProfiles",
          "Microsoft.Compute/virtualMachines",
          "Microsoft.Compute/virtualMachineScaleSets",
          "Microsoft.Network/virtualNetworks",
          "Microsoft.Network/virtualNetworkGateways"
        ],
        "defaultValue": [
          "Microsoft.AnalysisServices/servers",
          "Microsoft.ApiManagement/service",
          "Microsoft.Network/applicationGateways",
          "Microsoft.Automation/automationAccounts",
          "Microsoft.ContainerInstance/containerGroups",
          "Microsoft.ContainerRegistry/registries",
          "Microsoft.ContainerService/managedClusters",
          "Microsoft.Batch/batchAccounts",
          "Microsoft.Cdn/profiles/endpoints",
          "Microsoft.CognitiveServices/accounts",
          "Microsoft.DocumentDB/databaseAccounts",
          "Microsoft.DataFactory/factories",
          "Microsoft.DataLakeAnalytics/accounts",
          "Microsoft.DataLakeStore/accounts",
          "Microsoft.EventGrid/eventSubscriptions",
          "Microsoft.EventGrid/topics",
          "Microsoft.EventHub/namespaces",
          "Microsoft.Network/expressRouteCircuits",
          "Microsoft.Network/azureFirewalls",
          "Microsoft.HDInsight/clusters",
          "Microsoft.Devices/IotHubs",
          "Microsoft.KeyVault/vaults",
          "Microsoft.Network/loadBalancers",
          "Microsoft.Logic/integrationAccounts",
          "Microsoft.Logic/workflows",
          "Microsoft.DBforMySQL/servers",
          "Microsoft.Network/networkInterfaces",
          "Microsoft.Network/networkSecurityGroups",
          "Microsoft.DBforPostgreSQL/servers",
          "Microsoft.PowerBIDedicated/capacities",
          "Microsoft.Network/publicIPAddresses",
          "Microsoft.RecoveryServices/vaults",
          "Microsoft.Cache/redis",
          "Microsoft.Relay/namespaces",
          "Microsoft.Search/searchServices",
          "Microsoft.ServiceBus/namespaces",
          "Microsoft.SignalRService/SignalR",
          "Microsoft.Sql/servers/databases",
          "Microsoft.Sql/servers/elasticPools",
          "Microsoft.StreamAnalytics/streamingjobs",
          "Microsoft.TimeSeriesInsights/environments",
          "Microsoft.Network/trafficManagerProfiles",
          "Microsoft.Compute/virtualMachines",
          "Microsoft.Compute/virtualMachineScaleSets",
          "Microsoft.Network/virtualNetworks",
          "Microsoft.Network/virtualNetworkGateways"
        ]
      },
      "PHPLatestVersion": {
        "type": "String",
        "metadata": {
          "displayName": "Latest PHP version",
          "description": "Latest supported PHP version for App Services"
        },
        "defaultValue": "7.3"
      },
      "JavaLatestVersion": {
        "type": "String",
        "metadata": {
          "displayName": "Latest Java version",
          "description": "Latest supported Java version for App Services"
        },
        "defaultValue": "11"
      },
      "WindowsPythonLatestVersion": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Latest Windows Python version",
          "description": "Latest supported Python version for App Services",
          "deprecated": true
        },
        "defaultValue": "3.6"
      },
      "LinuxPythonLatestVersion": {
        "type": "String",
        "metadata": {
          "displayName": "Latest Linux Python version",
          "description": "Latest supported Python version for App Services"
        },
        "defaultValue": "3.8"
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "013e242c-8828-4970-87b3-ab247555486d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_9.1",
          "Azure_Security_Benchmark_v1.0_9.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "048248b0-55cd-46da-b1ff-39efd52db260",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_4.8"
        ]
      },
      {
        "policyDefinitionReferenceId": "057ef27e-665e-4328-8ea3-04b3122bd9fb",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_2.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "0820b7b9-23aa-4725-a1ce-ae4558f718e5",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_1.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "08e6af2d-db70-460a-bfe9-d5bd474ba9d6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_1.1",
          "Azure_Security_Benchmark_v1.0_1.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "09024ccc-0c5f-475e-9457-b7c0d9ed487b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_3.1",
          "Azure_Security_Benchmark_v1.0_3.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "0961003e-5a0a-4549-abde-af6a37f2724d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_4.8"
        ]
      },
      {
        "policyDefinitionReferenceId": "0b60c0b2-2dc2-4e1c-b5c9-abbed971de53",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_7.11",
          "Azure_Security_Benchmark_v1.0_9.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "0d134df8-db83-46fb-ad72-fe0c9428c8dd",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_4.8"
        ]
      },
      {
        "policyDefinitionReferenceId": "0da106f2-4ca3-48e8-bc85-c638fe6aea8f",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_7.12"
        ]
      },
      {
        "policyDefinitionReferenceId": "0e246bcf-5f6f-4f87-bc6f-775d4712c7ea",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_1.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "0e60b895-3786-45da-8377-9c6b4b6ac5f9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_1.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "0ec47710-77ff-4a3d-9181-6aa50af424d0",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_9.1",
          "Azure_Security_Benchmark_v1.0_9.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "MembersToExclude": {
            "value": "[parameters('listOfMembersToExcludeFromWindowsVMAdministratorsGroup')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_3.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "17k78e20-9358-41c9-923c-fb736d382a12",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_4.8"
        ]
      },
      {
        "policyDefinitionReferenceId": "1a4e592a-6a6e-44a5-9814-e36264ca96e7",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a4e592a-6a6e-44a5-9814-e36264ca96e7",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_2.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "1b7aa243-30e4-4c9e-bca8-d0d3022b634a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_5.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "1d84d5fb-01f6-4d12-ba4f-4a26081d403d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_6.9"
        ]
      },
      {
        "policyDefinitionReferenceId": "1f314764-cb73-4fc9-b863-8eca98ac36e9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_3.9"
        ]
      },
      {
        "policyDefinitionReferenceId": "22730e10-96f6-4aac-ad84-9383d35b5917",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_1.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "22bee202-a82f-4305-9a2a-6d7f44d4dedb",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_4.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "26a828e1-e88f-464e-bbb3-c134a282b9de",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_2.8",
          "Azure_Security_Benchmark_v1.0_8.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "2b9ad585-36bc-4615-b300-fd4435808332",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_7.12"
        ]
      },
      {
        "policyDefinitionReferenceId": "2c89a2e5-7285-40fe-afe0-ae8654b92fb2",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fb2",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_4.8"
        ]
      },
      {
        "policyDefinitionReferenceId": "2d21331d-a4c2-4def-a9ad-ee4e1e023beb",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2d21331d-a4c2-4def-a9ad-ee4e1e023beb",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_1.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "34c877ad-507e-4c82-993e-3452a6e0ad3c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_1.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "34f95f76-5386-4de7-b824-0d8478470c9d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_2.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "358c20a6-3f9e-4f0e-97ff-c6ce485e2aac",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_1.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "3657f5a0-770e-44a3-b44e-9431ba1e9735",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_4.8"
        ]
      },
      {
        "policyDefinitionReferenceId": "3cf2ab00-13f1-4d0c-8971-2ac904541a7e",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_1.11"
        ]
      },
      {
        "policyDefinitionReferenceId": "497dff13-db2a-4c0f-8603-28fa3b331ab6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_1.11"
        ]
      },
      {
        "policyDefinitionReferenceId": "385f5831-96d4-41db-9a3c-cd3af78aaae6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_1.11"
        ]
      },
      {
        "policyDefinitionReferenceId": "1221c620-d201-468c-81e7-2817e6107e84",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1221c620-d201-468c-81e7-2817e6107e84",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_1.11"
        ]
      },
      {
        "policyDefinitionReferenceId": "37e0d2fe-28a5-43d6-a273-67d37d1f5606",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_6.9"
        ]
      },
      {
        "policyDefinitionReferenceId": "383856f8-de7f-44a2-81fc-e5135b5c2aa4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_2.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_5.5",
          "Azure_Security_Benchmark_v1.0_7.4",
          "Azure_Security_Benchmark_v1.0_7.10"
        ]
      },
      {
        "policyDefinitionReferenceId": "404c3081-a854-4457-ae30-26a93ef643f9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_4.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "41388f1c-2db0-4c25-95b2-35d7f5ccbfa9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/41388f1c-2db0-4c25-95b2-35d7f5ccbfa9",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_2.2",
          "Azure_Security_Benchmark_v1.0_4.9"
        ]
      },
      {
        "policyDefinitionReferenceId": "428256e6-1fac-4f48-a757-df34c2b3336d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_2.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "475aae12-b88a-4572-8b36-9b712b2b3a17",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_2.2",
          "Azure_Security_Benchmark_v1.0_2.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "47a6b606-51aa-4496-8bb7-64b11cf66adc",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_6.8",
          "Azure_Security_Benchmark_v1.0_6.10"
        ]
      },
      {
        "policyDefinitionReferenceId": "48af4db5-9b8b-401c-8e74-076be876a430",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_9.1",
          "Azure_Security_Benchmark_v1.0_9.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "4f11b553-d42e-4e3a-89be-32ca364cad4c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_3.1",
          "Azure_Security_Benchmark_v1.0_3.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_10.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "501541f7-f7e7-4cd6-868c-4190fdad3ac9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_5.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "5744710e-cc2f-4ee8-8809-3b11e89f4bc9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_1.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "5bb220d9-2698-4ee4-8404-b9c30c9df609",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_1.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "5c607a2e-c700-4744-8254-d77e7c9eb5e4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_3.10"
        ]
      },
      {
        "policyDefinitionReferenceId": "5f76cf89-fbf2-47fd-a3f4-b891fa780b60",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_3.10"
        ]
      },
      {
        "policyDefinitionReferenceId": "60d21c4f-21a3-4d94-85f4-b924e6aeeda4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/60d21c4f-21a3-4d94-85f4-b924e6aeeda4",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_1.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "617c02be-7f02-4efd-8836-3180d47b6c68",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_4.8"
        ]
      },
      {
        "policyDefinitionReferenceId": "6265018c-d7e2-432f-a75d-094d5f6f4465",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6265018c-d7e2-432f-a75d-094d5f6f4465",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "WorkspaceId": {
            "value": "[parameters('listOfWorkspaceIDsForLogAnalyticsAgent')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_2.2",
          "Azure_Security_Benchmark_v1.0_2.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "6b1cbf55-e8b6-442f-ba4c-7246b6381474",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_3.10"
        ]
      },
      {
        "policyDefinitionReferenceId": "6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_4.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "7c1b1214-f927-48bf-8882-84f0af6588b1",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_2.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "7f89b1eb-583c-429a-8828-af049802c1d9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9",
        "parameters": {
          "listOfResourceTypes": {
            "value": "[parameters('listOfResourceTypesWithDiagnosticLogsEnabled')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_2.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "82339799-d096-41ae-8538-b108becf0970",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_9.1",
          "Azure_Security_Benchmark_v1.0_9.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "83a214f7-d01a-484b-91a9-ed54470c9a6a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_2.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "caf2d518-f029-4f6b-833b-d7081702f253",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/caf2d518-f029-4f6b-833b-d7081702f253",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_1.11"
        ]
      },
      {
        "policyDefinitionReferenceId": "86b3d65f-7626-441e-b690-81a8b71cff60",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_5.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_4.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "9297c21d-2ed6-4474-b48f-163f75654ce3",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_3.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "MembersToInclude": {
            "value": "[parameters('listOfMembersToIncludeInWindowsVMAdministratorsGroup')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_3.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "67e010c1-640d-438e-a3a5-feaccb533a98",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/67e010c1-640d-438e-a3a5-feaccb533a98",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_1.11"
        ]
      },
      {
        "policyDefinitionReferenceId": "a451c1ef-c6ca-483d-87ed-f49761e3ffb5",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_4.6"
        ]
      },
      {
        "policyDefinitionReferenceId": "a4af4a39-4135-47fb-b175-47fbdf85311d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_4.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_2.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "a70ca396-0a34-413a-88e1-b956c1e683be",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a70ca396-0a34-413a-88e1-b956c1e683be",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_2.2",
          "Azure_Security_Benchmark_v1.0_2.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "a7aca53f-2ed4-4466-a25e-0b45ade68efd",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_1.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "aa633080-8b72-40c4-a2d7-d00c03e80bed",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_3.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_2.7",
          "Azure_Security_Benchmark_v1.0_4.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_2.7",
          "Azure_Security_Benchmark_v1.0_4.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ac4a19c2-fa67-49b4-8ae5-0b2e78c49457",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_4.6"
        ]
      },
      {
        "policyDefinitionReferenceId": "ae5d2f14-d830-42b6-9899-df6cfe9c71a3",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae5d2f14-d830-42b6-9899-df6cfe9c71a3",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_1.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "af6cd1bd-1635-48cb-bde7-5b15693900b9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_2.8",
          "Azure_Security_Benchmark_v1.0_8.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "b0f33259-77d7-4c9e-aac6-3aabcfae693c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_1.1",
          "Azure_Security_Benchmark_v1.0_1.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "b4330a05-a843-4bc8-bf9a-cacce50c67f4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_2.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "b54ed75b-3e1a-44ac-a333-05ba39b99ff0",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_3.9"
        ]
      },
      {
        "policyDefinitionReferenceId": "b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_2.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "b6e2945c-0b7b-40f5-9233-7a5323b5cdc6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6",
        "parameters": {
          "resourceGroupName": {
            "value": "[parameters('NetworkWatcherResourceGroupName')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_1.2",
          "Azure_Security_Benchmark_v1.0_1.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "b7ddfbdc-1260-477d-91fd-98bd9be789a6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_4.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "3d2a3320-2a72-4c67-ac5f-caa40fbee2b2",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3d2a3320-2a72-4c67-ac5f-caa40fbee2b2",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "Members": {
            "value": "[parameters('listOfOnlyMembersInWindowsVMAdministratorsGroup')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_3.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "bd352bd5-2853-4985-bf0d-73806b4a5744",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_1.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_5.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "c43e4a30-77cb-48ab-a4dd-93f175c63b57",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c43e4a30-77cb-48ab-a4dd-93f175c63b57",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_2.8",
          "Azure_Security_Benchmark_v1.0_8.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "c4857be7-912a-4c75-87e6-e30292bcdf78",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c4857be7-912a-4c75-87e6-e30292bcdf78",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_1.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "c4d441f8-f9d9-4a9e-9cef-e82117cb3eef",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_7.12"
        ]
      },
      {
        "policyDefinitionReferenceId": "c95c74d9-38fe-4f0d-af86-0c7d626a315c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_2.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "cb510bfd-1cba-4d9f-a230-cb0976f4bb71",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_1.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_4.1",
          "Azure_Security_Benchmark_v1.0_4.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "cf820ca0-f99e-4f3e-84fb-66e913812d21",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_2.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "d158790f-bfb0-486c-8631-2dc6b4e8e6af",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_4.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "d38fc420-0735-4ef3-ac11-c806f651a570",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_9.1",
          "Azure_Security_Benchmark_v1.0_9.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "d416745a-506c-48b6-8ab1-83cb814bcaa3",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d416745a-506c-48b6-8ab1-83cb814bcaa3",
        "parameters": {
          "virtualNetworkId": {
            "value": "[parameters('approvedVirtualNetworkForVMs')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_1.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "d63edb4a-c612-454d-b47d-191a724fcbf0",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d63edb4a-c612-454d-b47d-191a724fcbf0",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_1.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_1.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_5.5",
          "Azure_Security_Benchmark_v1.0_7.4",
          "Azure_Security_Benchmark_v1.0_7.10"
        ]
      },
      {
        "policyDefinitionReferenceId": "e3576e28-8b17-4677-84c3-db2990658d64",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_3.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "e71308d3-144b-4262-b144-efdc3cc90517",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_1.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "e802a67a-daf5-4436-9ea6-f6d821dd0c5d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_4.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "e8cbc669-f12d-49eb-93e7-9273119e9933",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_5.5",
          "Azure_Security_Benchmark_v1.0_7.4",
          "Azure_Security_Benchmark_v1.0_7.10"
        ]
      },
      {
        "policyDefinitionReferenceId": "e9c8d085-d9cc-4b17-9cdc-059f1f01f19e",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_1.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ea4d6841-2173-4317-9747-ff522a45120f",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ea4d6841-2173-4317-9747-ff522a45120f",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_1.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "ebb62a0c-3560-49e1-89ed-27e074e9f8ad",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_3.1",
          "Azure_Security_Benchmark_v1.0_3.10"
        ]
      },
      {
        "policyDefinitionReferenceId": "ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_5.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "efbde977-ba53-4479-b8e9-10b957924fbf",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/efbde977-ba53-4479-b8e9-10b957924fbf",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_2.2",
          "Azure_Security_Benchmark_v1.0_2.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_4.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "f1776c76-f58c-4245-a8d0-2b207198dc8b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f1776c76-f58c-4245-a8d0-2b207198dc8b",
        "parameters": {
          "virtualNetworkGatewayId": {
            "value": "[parameters('approvedNetworkGatewayforVirtualNetworks')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_1.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_1.11"
        ]
      },
      {
        "policyDefinitionReferenceId": "f6de0be7-9a8a-4b8a-b349-43cf02d22f7c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_1.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "f8456c1c-aa66-4dfb-861a-25d127b775c9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_3.1",
          "Azure_Security_Benchmark_v1.0_3.10"
        ]
      },
      {
        "policyDefinitionReferenceId": "f8d36e2f-389b-4ee4-898d-21aeb69a0f45",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_2.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "f9be5368-9bf5-4b84-9e0a-7850da98bb46",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_2.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "f9d614c5-c173-4d56-95a7-b4437057d193",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_4.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "feedbf84-6b99-488c-acc2-71c829aa5ffc",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_5.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba",
        "parameters": {
          "PHPLatestVersion": {
            "value": "[parameters('PHPLatestVersion')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_5.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "7261b898-8a84-4db8-9e04-18527132abb3",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3",
        "parameters": {
          "PHPLatestVersion": {
            "value": "[parameters('PHPLatestVersion')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_5.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "496223c3-ad65-4ecd-878a-bae78737e9ed",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed",
        "parameters": {
          "JavaLatestVersion": {
            "value": "[parameters('JavaLatestVersion')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_5.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc",
        "parameters": {
          "JavaLatestVersion": {
            "value": "[parameters('JavaLatestVersion')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_5.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "88999f4c-376a-45c8-bcb3-4058f713cf39",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/88999f4c-376a-45c8-bcb3-4058f713cf39",
        "parameters": {
          "JavaLatestVersion": {
            "value": "[parameters('JavaLatestVersion')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_5.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "7008174a-fd10-4ef0-817e-fc820a951d73",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73",
        "parameters": {
          "LinuxPythonLatestVersion": {
            "value": "[parameters('LinuxPythonLatestVersion')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_5.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "7238174a-fd10-4ef0-817e-fc820a951d73",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73",
        "parameters": {
          "LinuxPythonLatestVersion": {
            "value": "[parameters('LinuxPythonLatestVersion')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_5.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "74c3584d-afae-46f7-a20a-6f8adba71a16",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20a-6f8adba71a16",
        "parameters": {
          "LinuxPythonLatestVersion": {
            "value": "[parameters('LinuxPythonLatestVersion')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_5.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "fb893a29-21bb-418c-a157-e99480ec364c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_5.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "0564d078-92f5-4f97-8398-b9f58a51f70b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0564d078-92f5-4f97-8398-b9f58a51f70b",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_1.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "0a1302fb-a631-4106-9753-f3d494733990",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a1302fb-a631-4106-9753-f3d494733990",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_1.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "7595c971-233d-4bcf-bd18-596129188c49",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7595c971-233d-4bcf-bd18-596129188c49",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_1.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "fc5e4038-4584-4632-8c85-c0448d374b2c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_1.1",
          "Azure_Security_Benchmark_v1.0_1.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "7ff426e2-515f-405a-91c8-4f2333442eb5",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7ff426e2-515f-405a-91c8-4f2333442eb5",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_2.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "89099bee-89e0-4b26-a5f4-165451757743",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_2.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "399b2637-a50f-4f95-96f8-3a145476eb15",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_4.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_4.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "9a1b8c48-453a-4044-86c3-d8bfd823e4f5",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v1.0_4.4"
        ]
      }
    ],
    "policyDefinitionGroups": [
      {
        "name": "Azure_Security_Benchmark_v1.0_1.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_1.1"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_1.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_1.2"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_1.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_1.3"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_1.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_1.4"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_1.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_1.5"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_1.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_1.6"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_1.7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_1.7"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_1.8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_1.8"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_1.9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_1.9"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_1.10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_1.10"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_1.11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_1.11"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_2.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_2.1"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_2.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_2.2"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_2.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_2.3"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_2.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_2.4"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_2.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_2.5"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_2.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_2.6"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_2.7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_2.7"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_2.8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_2.8"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_2.9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_2.9"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_2.10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_2.10"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_3.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_3.1"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_3.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_3.2"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_3.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_3.3"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_3.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_3.4"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_3.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_3.5"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_3.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_3.6"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_3.7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_3.7"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_3.8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_3.8"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_3.9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_3.9"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_3.10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_3.10"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_3.11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_3.11"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_3.12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_3.12"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_3.13",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_3.13"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_4.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_4.1"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_4.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_4.2"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_4.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_4.3"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_4.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_4.4"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_4.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_4.5"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_4.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_4.6"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_4.7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_4.7"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_4.8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_4.8"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_4.9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_4.9"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_5.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_5.1"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_5.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_5.2"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_5.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_5.3"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_5.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_5.4"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_5.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_5.5"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_6.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_6.1"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_6.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_6.2"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_6.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_6.3"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_6.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_6.4"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_6.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_6.5"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_6.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_6.6"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_6.7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_6.7"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_6.8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_6.8"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_6.9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_6.9"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_6.10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_6.10"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_6.11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_6.11"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_6.12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_6.12"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_6.13",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_6.13"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_7.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_7.1"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_7.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_7.2"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_7.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_7.3"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_7.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_7.4"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_7.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_7.5"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_7.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_7.6"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_7.7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_7.7"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_7.8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_7.8"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_7.9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_7.9"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_7.10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_7.10"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_7.11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_7.11"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_7.12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_7.12"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_7.13",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_7.13"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_8.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_8.1"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_8.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_8.2"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_8.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_8.3"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_9.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_9.1"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_9.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_9.2"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_9.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_9.3"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_9.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_9.4"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_10.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_10.1"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_10.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_10.2"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_10.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_10.4"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_10.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_10.5"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_10.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_10.6"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_11.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_11.1"
      },
      {
        "name": "Azure_Security_Benchmark_v1.0_10.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_10.3"
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "42a694ed-f65e-42b2-aa9e-8052e9740a92"
}
BuiltIn Regulatory Compliance True False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "[Deprecated]: Azure Security Benchmark v2",
    "policyType": "BuiltIn",
    "description": "This initiative has been deprecated. The Azure Security Benchmark v2 policy set is now represented in the consolidated Azure Security Benchmark initiative, which also serves as the Azure Security Center default policy initiative. Please assign that initiative, or manage its policies and compliance results within Azure Security Center",
    "metadata": {
      "version": "2.1.1-deprecated",
      "deprecated": true,
      "category": "Regulatory Compliance"
    },
    "parameters": {
      "effect-e71308d3-144b-4262-b144-efdc3cc90517": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Subnets should be associated with a Network Security Group",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-f6de0be7-9a8a-4b8a-b349-43cf02d22f7c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Internet-facing virtual machines should be protected with network security groups",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-bd352bd5-2853-4985-bf0d-73806b4a5744": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: IP Forwarding on your virtual machine should be disabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-22730e10-96f6-4aac-ad84-9383d35b5917": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Management ports should be closed on your virtual machines",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-b0f33259-77d7-4c9e-aac6-3aabcfae693c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Management ports of virtual machines should be protected with just-in-time network access control",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-fc5e4038-4584-4632-8c85-c0448d374b2c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: All Internet traffic should be routed via your deployed Azure Firewall",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-34c877ad-507e-4c82-993e-3452a6e0ad3c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage accounts should restrict network access",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-0e246bcf-5f6f-4f87-bc6f-775d4712c7ea": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Authorized IP ranges should be defined on Kubernetes Services",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-08e6af2d-db70-460a-bfe9-d5bd474ba9d6": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Adaptive Network Hardening recommendations should be applied on internet facing virtual machines",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-55615ac9-af46-4a59-874e-391cc3dfb490": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Firewall should be enabled on Key Vault",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Cosmos DB accounts should have firewall rules",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-037eea7a-bd0a-46c5-9a66-03aea78705d3": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Cognitive Services accounts should restrict network access",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Public network access should be disabled for Cognitive Services accounts",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage accounts should restrict network access using virtual network rules",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-d0793b48-0edc-4296-a390-4c75d1bdfd71": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Container registries should not allow unrestricted network access",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-b52376f7-9612-48a1-81cd-1ffe4b61032c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Public network access should be disabled for PostgreSQL servers",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-d9844e8a-1437-4aeb-a32c-0c992f056095": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Public network access should be disabled for MySQL servers",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-fdccbe47-f3e3-4213-ad5d-ea459b2fa077": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Public network access should be disabled for MariaDB servers",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-ef619a2c-cc4d-4d03-b2ba-8c94a834d85b": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: API Management services should use a virtual network",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "evaluatedSkuNames-ef619a2c-cc4d-4d03-b2ba-8c94a834d85b": {
        "type": "Array",
        "metadata": {
          "displayName": "API Management SKUs that should use a virtual network",
          "description": "List of API Management SKUs against which this policy will be evaluated"
        },
        "allowedValues": [
          "Developer",
          "Basic",
          "Standard",
          "Premium",
          "Consumption"
        ],
        "defaultValue": [
          "Developer",
          "Premium"
        ]
      },
      "effect-0564d078-92f5-4f97-8398-b9f58a51f70b": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Private endpoint should be enabled for PostgreSQL servers",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-0a1302fb-a631-4106-9753-f3d494733990": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Private endpoint should be enabled for MariaDB servers",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-7595c971-233d-4bcf-bd18-596129188c49": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Private endpoint should be enabled for MySQL servers",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-2154edb9-244f-4741-9970-660785bccdaa": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: VM Image Builder templates should use private link",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-40cec1dd-a100-4920-b15b-3024fe8901ab": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Machine Learning workspaces should use private link",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-4b90e17e-8448-49db-875e-bd83fb6f804f": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Event Grid topics should use private links",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-53503636-bcc9-4748-9663-5348217f160f": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure SignalR Service should use private links",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-5f0bc445-3935-4915-9981-011aa2b46147": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Private endpoint should be configured for Key Vault",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-6edd7eda-6dd8-40f7-810d-67160c639cd9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage account should use a private link connection",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-9830b652-8523-49cc-b1b3-e17dce1127ca": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Event Grid domains should use private links",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-ca610c1d-041c-4332-9d88-7ed3094967c7": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: App Configuration should use a private link",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-e8eef0a8-67cf-4eb4-9386-14b0e78733d4": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Container registries should use private links",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-7d092e0a-7acd-40d2-a975-dca21cae48c4": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Cache for Redis should reside within a virtual network",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-af35e2a4-ef96-44e7-a9ae-853dd97032c4": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Spring Cloud should use network injection",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled",
          "Deny"
        ],
        "defaultValue": "Audit"
      },
      "evaluatedSkuNames-af35e2a4-ef96-44e7-a9ae-853dd97032c4": {
        "type": "Array",
        "metadata": {
          "displayName": "Azure Spring Cloud SKUs that should use network injection",
          "description": "List of Azure Spring Cloud SKUs against which this policy will be evaluated"
        },
        "allowedValues": [
          "Standard"
        ],
        "defaultValue": [
          "Standard"
        ]
      },
      "effect-a7aca53f-2ed4-4466-a25e-0b45ade68efd": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure DDoS Protection Standard should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-2c89a2e5-7285-40fe-afe0-ae8654b92fab": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: SSH access from the Internet should be blocked",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-e372f825-a257-4fb8-9175-797a8a8627d6": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: RDP access from the Internet should be blocked",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Web Application Firewall (WAF) should be enabled for Azure Front Door Service",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Web Application Firewall (WAF) should be enabled for Application Gateway",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-1f314764-cb73-4fc9-b863-8eca98ac36e9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: An Azure Active Directory administrator should be provisioned for SQL servers",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-b54ed75b-3e1a-44ac-a333-05ba39b99ff0": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Service Fabric clusters should only use Azure Active Directory for client authentication",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-0da106f2-4ca3-48e8-bc85-c638fe6aea8f": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Managed identity should be used in your Function App",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-2b9ad585-36bc-4615-b300-fd4435808332": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Managed identity should be used in your Web App",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-c4d441f8-f9d9-4a9e-9cef-e82117cb3eef": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Managed identity should be used in your API App",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-6646a0bd-e110-40ca-bb97-84fcee63c414": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Service principals should be used to protect your subscriptions instead of management certificates",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-aa633080-8b72-40c4-a2d7-d00c03e80bed": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: MFA should be enabled on accounts with owner permissions on your subscription",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-9297c21d-2ed6-4474-b48f-163f75654ce3": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: MFA should be enabled accounts with write permissions on your subscription",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-e3576e28-8b17-4677-84c3-db2990658d64": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: MFA should be enabled on accounts with read permissions on your subscription",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-4f11b553-d42e-4e3a-89be-32ca364cad4c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: A maximum of 3 owners should be designated for your subscription",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-09024ccc-0c5f-475e-9457-b7c0d9ed487b": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: There should be more than one owner assigned to your subscription",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-f8456c1c-aa66-4dfb-861a-25d127b775c9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: External accounts with owner permissions should be removed from your subscription",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-ebb62a0c-3560-49e1-89ed-27e074e9f8ad": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Deprecated accounts with owner permissions should be removed from your subscription",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-6b1cbf55-e8b6-442f-ba4c-7246b6381474": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Deprecated accounts should be removed from your subscription",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-5f76cf89-fbf2-47fd-a3f4-b891fa780b60": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: External accounts with read permissions should be removed from your subscription",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-5c607a2e-c700-4744-8254-d77e7c9eb5e4": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: External accounts with write permissions should be removed from your subscription",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-ac4a19c2-fa67-49b4-8ae5-0b2e78c49457": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Role-Based Access Control (RBAC) should be used on Kubernetes Services",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-a451c1ef-c6ca-483d-87ed-f49761e3ffb5": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Audit usage of custom RBAC rules",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Custom subscription owner roles should not exist",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Sensitive data in your SQL databases should be classified",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-4fa4b6c0-31ca-4c0d-b10d-24b96f62a751": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage account public access should be disallowed",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-308fbb08-4ab8-4e67-9b29-592e93fb94fa": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Defender for Storage should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-6581d072-105e-4418-827f-bd446d56421b": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Defender for SQL servers on machines should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-7fe3b40f-802b-4cdd-8bd4-fd799c948cc2": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Defender for Azure SQL Database servers should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Advanced data security should be enabled on SQL Managed Instance",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-17k78e20-9358-41c9-923c-fb736d382a12": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Transparent Data Encryption on SQL databases should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-0961003e-5a0a-4549-abde-af6a37f2724d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-2bdd0062-9d75-436e-89df-487dd8e4b3c7": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Effect for policy: Cognitive Services accounts should enable data encryption",
          "description": "For more information about effects, visit https://aka.ms/policyeffects",
          "deprecated": true
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "effect-404c3081-a854-4457-ae30-26a93ef643f9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Secure transfer to storage accounts should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Latest TLS version should be used in your API App",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Latest TLS version should be used in your Web App",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-f9d614c5-c173-4d56-95a7-b4437057d193": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Latest TLS version should be used in your Function App",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Function App should only be accessible over HTTPS",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-a4af4a39-4135-47fb-b175-47fbdf85311d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Web Application should only be accessible over HTTPS",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-b7ddfbdc-1260-477d-91fd-98bd9be789a6": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: API App should only be accessible over HTTPS",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-e802a67a-daf5-4436-9ea6-f6d821dd0c5d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Enforce SSL connection should be enabled for MySQL database servers",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-d158790f-bfb0-486c-8631-2dc6b4e8e6af": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Enforce SSL connection should be enabled for PostgreSQL database servers",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-22bee202-a82f-4305-9a2a-6d7f44d4dedb": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Only secure connections to your Azure Cache for Redis should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-399b2637-a50f-4f95-96f8-3a145476eb15": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: FTPS only should be required in your Function App",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: FTPS should be required in your Web App",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-9a1b8c48-453a-4044-86c3-d8bfd823e4f5": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: FTPS only should be required in your API App",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Enforce HTTPS ingress in Kubernetes cluster",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedNamespaces-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespaces excluded from evaluation of policy: Enforce HTTPS ingress in Kubernetes cluster",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation"
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "IncludeArcMachines-5752e6d6-1206-46d8-8ab1-ecc2f71a8112": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc-connected servers when evaluating policy: Audit Windows web servers that are not using secure communication protocols",
          "description": "By selecting 'true,' you agree to be charged monthly per Arc connected machine"
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112": {
        "type": "String",
        "metadata": {
          "displayName": "Minimum TLS version for Windows web servers",
          "description": "Windows web servers with lower TLS versions will be assessed as non-compliant"
        },
        "allowedValues": [
          "1.1",
          "1.2"
        ],
        "defaultValue": "1.2"
      },
      "effect-0d134df8-db83-46fb-ad72-fe0c9428c8dd": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: SQL server TDE protector should be encrypted with your own key",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-048248b0-55cd-46da-b1ff-39efd52db260": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: SQL Managed Instance TDE protector should be encrypted with your own key",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-3657f5a0-770e-44a3-b44e-9431ba1e9735": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Automation account variables should be encrypted",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-617c02be-7f02-4efd-8836-3180d47b6c68": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-11566b39-f7f7-4b82-ab06-68d8700eb0a4": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Effect for policy: Cognitive Services accounts should use customer owned storage or enable data encryption.",
          "description": "For more information about effects, visit https://aka.ms/policyeffects",
          "deprecated": true
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "effect-1f905d99-2ab7-462c-a6b0-f709acca6c8f": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Cosmos DB account should use customer-managed keys to encrypt data at rest",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Container registries should be encrypted with a customer-managed key",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Cognitive Services accounts should enable data encryption with customer-managed key",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-6fac406b-40ca-413b-bf8e-0bf964659c25": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage account should use customer-managed key for encryption",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-ba769a63-b8cc-4b2d-abf6-ac33c7204be8": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Machine Learning workspaces should be encrypted with a customer-managed key",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-18adea5e-f416-4d0f-8aa8-d24321e3e274": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Bring your own key data protection should be enabled for PostgreSQL servers",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-83cef61d-dbd1-4b20-a4fc-5fbc7da10833": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Bring your own key data protection should be enabled for MySQL servers",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-1d84d5fb-01f6-4d12-ba4f-4a26081d403d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Virtual machines should be migrated to new Azure Resource Manager resources",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-37e0d2fe-28a5-43d6-a273-67d37d1f5606": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage accounts should be migrated to new Azure Resource Manager resources",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-47a6b606-51aa-4496-8bb7-64b11cf66adc": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Adaptive application controls for defining safe applications should be enabled on your machines",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-0e6763cc-5078-4e64-889d-ff4d9a839047": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Defender for Key Vault should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-2913021d-f2fd-4f3d-b958-22354e2bdbcb": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Defender for App Service should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-4da35fc9-c9e7-4960-aec9-797fe7d9051d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Defender for servers should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-523b5cd1-3e23-492f-a539-13118b6d1e3a": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Defender for Kubernetes should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-c25d9a16-bc35-4e15-a7e5-9db606bf9ed4": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Defender for container registries should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-2f2ee1de-44aa-4762-b6bd-0893fc3f306d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Network traffic data collection agent should be installed on Windows virtual machines",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-04c4380f-3fae-46e8-96c9-30193528f602": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Network traffic data collection agent should be installed on Linux virtual machines",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "listOfLocations-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6": {
        "type": "Array",
        "metadata": {
          "displayName": "[Deprecated]: List of regions where Network Watcher should be enabled",
          "description": "To see a complete list of regions, run the PowerShell command Get-AzLocation",
          "strongType": "location",
          "deprecated": true
        },
        "defaultValue": [
          "[]"
        ]
      },
      "resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6": {
        "type": "String",
        "metadata": {
          "displayName": "Name of the resource group for Network Watcher",
          "description": "Name of the resource group where Network Watchers are located"
        },
        "defaultValue": "NetworkWatcherRG"
      },
      "effect-057ef27e-665e-4328-8ea3-04b3122bd9fb": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Resource logs in Azure Data Lake Store should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "requiredRetentionDays-057ef27e-665e-4328-8ea3-04b3122bd9fb": {
        "type": "String",
        "metadata": {
          "displayName": "Required retention period (days) for Azure Data Lake Store resource logs"
        },
        "defaultValue": "365"
      },
      "effect-34f95f76-5386-4de7-b824-0d8478470c9d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Resource logs in Logic Apps should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "requiredRetentionDays-34f95f76-5386-4de7-b824-0d8478470c9d": {
        "type": "String",
        "metadata": {
          "displayName": "Required retention period (days) for Logic Apps resource logs"
        },
        "defaultValue": "365"
      },
      "effect-383856f8-de7f-44a2-81fc-e5135b5c2aa4": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Resource logs in IoT Hub should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "requiredRetentionDays-383856f8-de7f-44a2-81fc-e5135b5c2aa4": {
        "type": "String",
        "metadata": {
          "displayName": "Required retention period (days) for IoT Hub resource logs"
        },
        "defaultValue": "365"
      },
      "effect-428256e6-1fac-4f48-a757-df34c2b3336d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Resource logs in Batch accounts should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "requiredRetentionDays-428256e6-1fac-4f48-a757-df34c2b3336d": {
        "type": "String",
        "metadata": {
          "displayName": "Required retention period (days) for Azure Batch resource logs"
        },
        "defaultValue": "365"
      },
      "effect-7c1b1214-f927-48bf-8882-84f0af6588b1": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Resource logs in Virtual Machine Scale Sets should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "includeAKSClusters-7c1b1214-f927-48bf-8882-84f0af6588b1": {
        "type": "Boolean",
        "metadata": {
          "displayName": "Include AKS clusters when auditing if virtual machine scale set resource logs are enabled"
        },
        "defaultValue": false
      },
      "effect-83a214f7-d01a-484b-91a9-ed54470c9a6a": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Resource logs in Event Hub should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "requiredRetentionDays-83a214f7-d01a-484b-91a9-ed54470c9a6a": {
        "type": "String",
        "metadata": {
          "displayName": "Required retention period (days) for Event Hub resource logs"
        },
        "defaultValue": "365"
      },
      "effect-b4330a05-a843-4bc8-bf9a-cacce50c67f4": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Resource logs in Search services should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "requiredRetentionDays-b4330a05-a843-4bc8-bf9a-cacce50c67f4": {
        "type": "String",
        "metadata": {
          "displayName": "Required retention period (days) for Azure Search resource logs"
        },
        "defaultValue": "365"
      },
      "effect-b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Resource logs in App Services should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-c95c74d9-38fe-4f0d-af86-0c7d626a315c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Resource logs in Data Lake Analytics should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "requiredRetentionDays-c95c74d9-38fe-4f0d-af86-0c7d626a315c": {
        "type": "String",
        "metadata": {
          "displayName": "Required retention period (days) for Data Lake Analytics resource logs"
        },
        "defaultValue": "365"
      },
      "effect-cf820ca0-f99e-4f3e-84fb-66e913812d21": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Resource logs in Key Vault should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "requiredRetentionDays-cf820ca0-f99e-4f3e-84fb-66e913812d21": {
        "type": "String",
        "metadata": {
          "displayName": "Required retention period (days) for Key Vault resource logs"
        },
        "defaultValue": "365"
      },
      "effect-f8d36e2f-389b-4ee4-898d-21aeb69a0f45": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Resource logs in Service Bus should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "requiredRetentionDays-f8d36e2f-389b-4ee4-898d-21aeb69a0f45": {
        "type": "String",
        "metadata": {
          "displayName": "Required retention period (days) for Service Bus resource logs"
        },
        "defaultValue": "365"
      },
      "effect-f9be5368-9bf5-4b84-9e0a-7850da98bb46": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Resource logs in Azure Stream Analytics should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "requiredRetentionDays-f9be5368-9bf5-4b84-9e0a-7850da98bb46": {
        "type": "String",
        "metadata": {
          "displayName": "Required retention period (days) for Azure Stream Analytics resource logs"
        },
        "defaultValue": "365"
      },
      "effect-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Auditing on SQL server should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9": {
        "type": "String",
        "metadata": {
          "displayName": "Required auditing setting for SQL servers"
        },
        "allowedValues": [
          "enabled",
          "Disabled"
        ],
        "defaultValue": "enabled"
      },
      "effect-a4fe33eb-e377-4efb-ab31-0784311bc499": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-a3a6ea0c-e018-4933-9ef0-5aaa1501449b": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-475aae12-b88a-4572-8b36-9b712b2b3a17": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Automatic provisioning of the Log Analytics monitoring agent should be enabled on your subscription",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-d62cfe2b-3ab0-4d41-980d-76803b58ca65": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Log Analytics agent health issues should be resolved on your machines",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-842c54e8-c2f9-4d79-ae8d-38d8b8019373": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Log Analytics agent should be installed on your Linux Azure Arc machines",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Log Analytics agent should be installed on your Windows Azure Arc machines",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: A security contact email address should be provided for your subscription",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-6e2593d9-add6-4083-9c9b-4b7d2188c899": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Email notification for high severity alerts should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-0b15565f-aa9e-48ba-8619-45960f2c314d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Email notification to subscription owner for high severity alerts should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-5744710e-cc2f-4ee8-8809-3b11e89f4bc9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: CORS should not allow every resource to access your Web Applications",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-0820b7b9-23aa-4725-a1ce-ae4558f718e5": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: CORS should not allow every resource to access your Function Apps",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-358c20a6-3f9e-4f0e-97ff-c6ce485e2aac": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: CORS should not allow every resource to access your API App",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-cb510bfd-1cba-4d9f-a230-cb0976f4bb71": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Remote debugging should be turned off for Web Applications",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-0e60b895-3786-45da-8377-9c6b4b6ac5f9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Remote debugging should be turned off for Function Apps",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-e9c8d085-d9cc-4b17-9cdc-059f1f01f19e": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Remote debugging should be turned off for API Apps",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-0c192fe8-9cbb-4516-85b3-0ade8bd03886": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On'",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-eaebaea7-8013-4ceb-9d14-7eb32271373c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure Function app has 'Client Certificates (Incoming client certificates)' set to 'On'",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-5bb220d9-2698-4ee4-8404-b9c30c9df609": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On'",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-0a15ec92-a229-4763-bb14-0ea34a568f8d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "allowedContainerImagesRegex-febd0533-8e55-448f-b837-bd0e06f16469": {
        "type": "String",
        "metadata": {
          "displayName": "Allowed container images for Kubernetes clusters",
          "description": "Regular expression used to match allowed container images in a Kubernetes cluster; Ex: allow any Azure Container Registry image by matching partial path: ^.+azurecr.io/.+$"
        },
        "defaultValue": "^(.+){0}$"
      },
      "effect-febd0533-8e55-448f-b837-bd0e06f16469": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure only allowed container images in Kubernetes cluster",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedNamespaces-febd0533-8e55-448f-b837-bd0e06f16469": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespaces excluded from evaluation of policy: Ensure only allowed container images in Kubernetes cluster",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation"
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "effect-95edb821-ddaf-4404-9732-666045e056b4": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Do not allow privileged containers in Kubernetes cluster",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedNamespaces-95edb821-ddaf-4404-9732-666045e056b4": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespaces excluded from evaluation of policy: Do not allow privileged containers in Kubernetes cluster",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation"
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "allowedContainerPortsList-440b515e-a580-421e-abeb-b159a61ddcbc": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed container ports in Kubernetes clusters"
        },
        "defaultValue": [
          "-1"
        ]
      },
      "effect-440b515e-a580-421e-abeb-b159a61ddcbc": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure containers listen only on allowed ports in Kubernetes cluster",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedNamespaces-440b515e-a580-421e-abeb-b159a61ddcbc": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespaces excluded from evaluation of policy: Ensure containers listen only on allowed ports in Kubernetes cluster",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation"
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "allowedServicePortsList-233a2a17-77ca-4fb1-9b6b-69223d272a44": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed services ports in Kubernetes clusters"
        },
        "defaultValue": [
          "-1"
        ]
      },
      "effect-233a2a17-77ca-4fb1-9b6b-69223d272a44": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure services listen only on allowed ports in Kubernetes cluster",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedNamespaces-233a2a17-77ca-4fb1-9b6b-69223d272a44": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespaces excluded from evaluation of policy: Ensure services listen only on allowed ports in Kubernetes cluster",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation"
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "effect-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes clusters should not allow container privilege escalation",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedNamespaces-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespaces excluded from evaluation of policy: Kubernetes clusters should not allow container privilege escalation",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation"
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "cpuLimit-e345eecc-fa47-480f-9e88-67dcc122b164": {
        "type": "String",
        "metadata": {
          "displayName": "Maximum allowed CPU units for containers in Kubernetes clusters",
          "description": "Ex: 200m; for more information, visit https://aka.ms/k8s-policy-pod-limits"
        },
        "defaultValue": "0"
      },
      "memoryLimit-e345eecc-fa47-480f-9e88-67dcc122b164": {
        "type": "String",
        "metadata": {
          "displayName": "Maximum allowed memory (bytes) for a container in Kubernetes clusters",
          "description": "Ex: 1Gi; for more information, visit https://aka.ms/k8s-policy-pod-limits"
        },
        "defaultValue": "0"
      },
      "effect-e345eecc-fa47-480f-9e88-67dcc122b164": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedNamespaces-e345eecc-fa47-480f-9e88-67dcc122b164": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespaces excluded from evaluation of policy: Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation"
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "effect-f06ddb64-5fa3-4b77-b166-acb36f7f6042": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster pods and containers should only run with approved user and group IDs",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedNamespaces-f06ddb64-5fa3-4b77-b166-acb36f7f6042": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespaces excluded from evaluation of policy: Kubernetes cluster pods and containers should only run with approved user and group IDs",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation"
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "effect-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster containers should not share host process ID or host IPC namespace",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedNamespaces-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespaces excluded from evaluation of policy: Kubernetes cluster containers should not share host process ID or host IPC namespace",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation"
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "effect-df49d893-a74c-421d-bc95-c663042e5b80": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster containers should run with a read only root file system",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedNamespaces-df49d893-a74c-421d-bc95-c663042e5b80": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespaces excluded from evaluation of policy: Kubernetes cluster containers should run with a read only root file system",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation"
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "effect-c26596ff-4d70-4e6a-9a30-c2506bd2f80c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster containers should only use allowed capabilities",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedNamespaces-c26596ff-4d70-4e6a-9a30-c2506bd2f80c": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespaces excluded from evaluation of policy: Kubernetes cluster containers should only use allowed capabilities",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation"
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "allowedCapabilities-c26596ff-4d70-4e6a-9a30-c2506bd2f80c": {
        "type": "Array",
        "metadata": {
          "displayName": "List of capabilities that are allowed to be added to a container",
          "description": "Provide empty list as input to block everything"
        },
        "defaultValue": [
          "[]"
        ]
      },
      "requiredDropCapabilities-c26596ff-4d70-4e6a-9a30-c2506bd2f80c": {
        "type": "Array",
        "metadata": {
          "displayName": "The list of capabilities that must be dropped by a container"
        },
        "defaultValue": [
          "[]"
        ]
      },
      "effect-511f5417-5d12-434d-ab2e-816901e72a5e": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster containers should only use allowed AppArmor profiles",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedNamespaces-511f5417-5d12-434d-ab2e-816901e72a5e": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespaces excluded from evaluation of policy: Kubernetes cluster containers should only use allowed AppArmor profiles",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation"
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "allowedProfiles-511f5417-5d12-434d-ab2e-816901e72a5e": {
        "type": "Array",
        "metadata": {
          "displayName": "The list of AppArmor profiles that containers are allowed to use",
          "description": "Ex: 'runtime/default;docker/default'; provide empty list as input to block everything"
        },
        "defaultValue": [
          "[]"
        ]
      },
      "effect-82985f06-dc18-4a48-bc1c-b9f4f0098cfe": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster pods should only use approved host network and port range",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedNamespaces-82985f06-dc18-4a48-bc1c-b9f4f0098cfe": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespaces excluded from evaluation of policy: Kubernetes cluster pods should only use approved host network and port range",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation"
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "allowHostNetwork-82985f06-dc18-4a48-bc1c-b9f4f0098cfe": {
        "type": "Boolean",
        "metadata": {
          "displayName": "Allow host network usage for Kubernetes cluster pods",
          "description": "Set this value to true if pod is allowed to use host network, otherwise set to false"
        },
        "defaultValue": false
      },
      "minPort-82985f06-dc18-4a48-bc1c-b9f4f0098cfe": {
        "type": "Integer",
        "metadata": {
          "displayName": "Minimum value in the allowable host port range that pods can use in the host network namespace"
        },
        "defaultValue": 0
      },
      "maxPort-82985f06-dc18-4a48-bc1c-b9f4f0098cfe": {
        "type": "Integer",
        "metadata": {
          "displayName": "Maximum value in the allowable host port range that pods can use in the host network namespace"
        },
        "defaultValue": 0
      },
      "effect-098fc59e-46c7-4d99-9b16-64990e543d75": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster pod hostPath volumes should only use allowed host paths",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedNamespaces-098fc59e-46c7-4d99-9b16-64990e543d75": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespaces excluded from evaluation of policy: Kubernetes cluster pod hostPath volumes should only use allowed host paths",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation"
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "allowedHostPaths-098fc59e-46c7-4d99-9b16-64990e543d75": {
        "type": "Object",
        "metadata": {
          "displayName": "Allowed host paths for pod hostPath volumes to use",
          "description": "Provide an empty paths list to block all host paths"
        },
        "defaultValue": {
          "paths": []
        }
      },
      "effect-e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Vulnerabilities in security configuration on your machines should be remediated",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-e8cbc669-f12d-49eb-93e7-9273119e9933": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Vulnerabilities in container security configurations should be remediated",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Vulnerabilities in security configuration on your virtual machine scale sets should be remediated",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Vulnerability assessment should be enabled on your SQL servers",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-1b7aa243-30e4-4c9e-bca8-d0d3022b634a": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Vulnerability assessment should be enabled on SQL Managed Instance",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-501541f7-f7e7-4cd6-868c-4190fdad3ac9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: A vulnerability assessment solution should be enabled on your virtual machines",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-760a85ff-6162-42b3-8d70-698e268f648c": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Effect for policy: Vulnerabilities should be remediated by a Vulnerability Assessment solution",
          "description": "For more information about effects, visit https://aka.ms/policyeffects",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "effect-feedbf84-6b99-488c-acc2-71c829aa5ffc": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Vulnerabilities on your SQL databases should be remediated",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-5f0f936f-2f01-4bf5-b6be-d423792fa562": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Vulnerabilities in Azure Container Registry images should be remediated",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-86b3d65f-7626-441e-b690-81a8b71cff60": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: System updates should be installed on your machines",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: System updates on virtual machine scale sets should be installed",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure that 'PHP version' is the latest, if used as a part of the API app",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "PHPLatestVersion": {
        "type": "String",
        "metadata": {
          "displayName": "Latest PHP version for App Services",
          "description": "Latest supported PHP version for App Services"
        },
        "defaultValue": "7.3"
      },
      "effect-7261b898-8a84-4db8-9e04-18527132abb3": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure that 'PHP version' is the latest, if used as a part of the WEB app",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-496223c3-ad65-4ecd-878a-bae78737e9ed": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure that 'Java version' is the latest, if used as a part of the Web app",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "JavaLatestVersion": {
        "type": "String",
        "metadata": {
          "displayName": "Latest Java version for App Services",
          "description": "Latest supported Java version for App Services"
        },
        "defaultValue": "11"
      },
      "effect-9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure that 'Java version' is the latest, if used as a part of the Function app",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-88999f4c-376a-45c8-bcb3-4058f713cf39": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure that 'Java version' is the latest, if used as a part of the API app",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-7008174a-fd10-4ef0-817e-fc820a951d73": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure that 'Python version' is the latest, if used as a part of the Web app",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "LinuxPythonLatestVersion": {
        "type": "String",
        "metadata": {
          "displayName": "Latest Python version for Linux for App Services",
          "description": "Latest supported Python version for App Services"
        },
        "defaultValue": "3.8"
      },
      "effect-7238174a-fd10-4ef0-817e-fc820a951d73": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure that 'Python version' is the latest, if used as a part of the Function app",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-74c3584d-afae-46f7-a20a-6f8adba71a16": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure that 'Python version' is the latest, if used as a part of the API app",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-fb893a29-21bb-418c-a157-e99480ec364c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-af6cd1bd-1635-48cb-bde7-5b15693900b9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Monitor missing Endpoint Protection in Azure Security Center",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-26a828e1-e88f-464e-bbb3-c134a282b9de": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Endpoint protection solution should be installed on virtual machine scale sets",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "IncludeArcMachines-bed48b13-6647-468e-aa2f-1af1d3f4dd40": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc-connected servers when evaluating policy: Audit Windows machines on which Windows Defender Exploit Guard is not enabled",
          "description": "By selecting 'true,' you agree to be charged monthly per Arc connected machine"
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40": {
        "type": "String",
        "metadata": {
          "displayName": "Compliance status to report for Windows servers where Windows Defender Exploit Guard is not supported"
        },
        "allowedValues": [
          "Compliant",
          "Non-Compliant"
        ],
        "defaultValue": "Compliant"
      },
      "effect-bed48b13-6647-468e-aa2f-1af1d3f4dd40": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Audit Windows machines on which Windows Defender Exploit Guard is not enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-d38fc420-0735-4ef3-ac11-c806f651a570": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Long-term geo-redundant backup should be enabled for Azure SQL Databases",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-82339799-d096-41ae-8538-b108becf0970": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Geo-redundant backup should be enabled for Azure Database for MySQL",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-48af4db5-9b8b-401c-8e74-076be876a430": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Geo-redundant backup should be enabled for Azure Database for PostgreSQL",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-0ec47710-77ff-4a3d-9181-6aa50af424d0": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Geo-redundant backup should be enabled for Azure Database for MariaDB",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-013e242c-8828-4970-87b3-ab247555486d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Backup should be enabled for Virtual Machines",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Key vault should have soft delete enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Key vault should have purge protection enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "subnetsShouldBeAssociatedWithANetworkSecurityGroup",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-e71308d3-144b-4262-b144-efdc3cc90517')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-1",
          "Azure_Security_Benchmark_v2.0_NS-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "internetFacingVirtualMachinesShouldBeProtectedWithNetworkSecurityGroups",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-f6de0be7-9a8a-4b8a-b349-43cf02d22f7c')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-1",
          "Azure_Security_Benchmark_v2.0_NS-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "iPForwardingOnYourVirtualMachineShouldBeDisabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-bd352bd5-2853-4985-bf0d-73806b4a5744')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-1",
          "Azure_Security_Benchmark_v2.0_NS-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "managementPortsShouldBeClosedOnYourVirtualMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-22730e10-96f6-4aac-ad84-9383d35b5917')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "managementPortsOfVirtualMachinesShouldBeProtectedWithJustInTimeNetworkAccessControl",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-b0f33259-77d7-4c9e-aac6-3aabcfae693c')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-1",
          "Azure_Security_Benchmark_v2.0_NS-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "allInternetTrafficShouldBeRoutedViaYourDeployedAzureFirewall",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-fc5e4038-4584-4632-8c85-c0448d374b2c')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-1",
          "Azure_Security_Benchmark_v2.0_NS-4",
          "Azure_Security_Benchmark_v2.0_NS-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "storageAccountsShouldRestrictNetworkAccess",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-34c877ad-507e-4c82-993e-3452a6e0ad3c')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-1",
          "Azure_Security_Benchmark_v2.0_NS-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "authorizedIPRangesShouldBeDefinedOnKubernetesServices",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0e246bcf-5f6f-4f87-bc6f-775d4712c7ea')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-1",
          "Azure_Security_Benchmark_v2.0_NS-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "adaptiveNetworkHardeningRecommendationsShouldBeAppliedOnInternetFacingVirtualMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-08e6af2d-db70-460a-bfe9-d5bd474ba9d6')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-1",
          "Azure_Security_Benchmark_v2.0_NS-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "firewallShouldBeEnabledOnKeyVault",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-55615ac9-af46-4a59-874e-391cc3dfb490')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-1",
          "Azure_Security_Benchmark_v2.0_NS-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "azureCosmosDBAccountsShouldHaveFirewallRules",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-1",
          "Azure_Security_Benchmark_v2.0_NS-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "cognitiveServicesAccountsShouldRestrictNetworkAccess",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-037eea7a-bd0a-46c5-9a66-03aea78705d3')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "publicNetworkAccessShouldBeDisabledForCognitiveServicesAccounts",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "1b8ca024-1d5c-4dec-8995-b1a932b41780",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "storageAccountsShouldRestrictNetworkAccessUsingVirtualNetworkRules",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "containerRegistriesShouldNotAllowUnrestrictedNetworkAccess",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-d0793b48-0edc-4296-a390-4c75d1bdfd71')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "publicNetworkAccessShouldBeDisabledForPostgresqlServers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-b52376f7-9612-48a1-81cd-1ffe4b61032c')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "publicNetworkAccessShouldBeDisabledForMysqlServers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-d9844e8a-1437-4aeb-a32c-0c992f056095')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "publicNetworkAccessShouldBeDisabledForMariadbServers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-fdccbe47-f3e3-4213-ad5d-ea459b2fa077')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "aPIManagementServicesShouldUseAVirtualNetwork",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-ef619a2c-cc4d-4d03-b2ba-8c94a834d85b')]"
          },
          "evaluatedSkuNames": {
            "value": "[parameters('evaluatedSkuNames-ef619a2c-cc4d-4d03-b2ba-8c94a834d85b')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "privateEndpointShouldBeEnabledForPostgresqlServers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0564d078-92f5-4f97-8398-b9f58a51f70b",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0564d078-92f5-4f97-8398-b9f58a51f70b')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-2",
          "Azure_Security_Benchmark_v2.0_NS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "privateEndpointShouldBeEnabledForMariadbServers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a1302fb-a631-4106-9753-f3d494733990",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0a1302fb-a631-4106-9753-f3d494733990')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-2",
          "Azure_Security_Benchmark_v2.0_NS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "privateEndpointShouldBeEnabledForMysqlServers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7595c971-233d-4bcf-bd18-596129188c49",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-7595c971-233d-4bcf-bd18-596129188c49')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-2",
          "Azure_Security_Benchmark_v2.0_NS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "vMImageBuilderTemplatesShouldUsePrivateLink",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2154edb9-244f-4741-9970-660785bccdaa",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-2154edb9-244f-4741-9970-660785bccdaa')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-2",
          "Azure_Security_Benchmark_v2.0_NS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "azureMachineLearningWorkspacesShouldUsePrivateLink",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/40cec1dd-a100-4920-b15b-3024fe8901ab",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-40cec1dd-a100-4920-b15b-3024fe8901ab')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-2",
          "Azure_Security_Benchmark_v2.0_NS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "azureEventGridTopicsShouldUsePrivateLink",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4b90e17e-8448-49db-875e-bd83fb6f804f",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-4b90e17e-8448-49db-875e-bd83fb6f804f')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-2",
          "Azure_Security_Benchmark_v2.0_NS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "azureSignalrServiceShouldUsePrivateLink",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/53503636-bcc9-4748-9663-5348217f160f",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-53503636-bcc9-4748-9663-5348217f160f')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-2",
          "Azure_Security_Benchmark_v2.0_NS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "privateEndpointShouldBeConfiguredForKeyVault",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f0bc445-3935-4915-9981-011aa2b46147",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-5f0bc445-3935-4915-9981-011aa2b46147')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-2",
          "Azure_Security_Benchmark_v2.0_NS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "storageAccountShouldUseAPrivateLinkConnection",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-6edd7eda-6dd8-40f7-810d-67160c639cd9')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-2",
          "Azure_Security_Benchmark_v2.0_NS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "7698e800-9299-47a6-b3b6-5a0fee576eed",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7698e800-9299-47a6-b3b6-5a0fee576eed",
        "parameters": {},
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-2",
          "Azure_Security_Benchmark_v2.0_NS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "azureEventGridDomainsShouldUsePrivateLink",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9830b652-8523-49cc-b1b3-e17dce1127ca",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-9830b652-8523-49cc-b1b3-e17dce1127ca')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-2",
          "Azure_Security_Benchmark_v2.0_NS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "appConfigurationShouldUsePrivateLink",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ca610c1d-041c-4332-9d88-7ed3094967c7",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-ca610c1d-041c-4332-9d88-7ed3094967c7')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-2",
          "Azure_Security_Benchmark_v2.0_NS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "containerRegistriesShouldUsePrivateLink",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-e8eef0a8-67cf-4eb4-9386-14b0e78733d4')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-2",
          "Azure_Security_Benchmark_v2.0_NS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "azureCacheForRedisShouldResideWithinAVirtualNetwork",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7d092e0a-7acd-40d2-a975-dca21cae48c4",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-7d092e0a-7acd-40d2-a975-dca21cae48c4')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "azureSpringCloudShouldUseNetworkInjection",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af35e2a4-ef96-44e7-a9ae-853dd97032c4",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-af35e2a4-ef96-44e7-a9ae-853dd97032c4')]"
          },
          "evaluatedSkuNames": {
            "value": "[parameters('evaluatedSkuNames-af35e2a4-ef96-44e7-a9ae-853dd97032c4')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "azureDdosProtectionStandardShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-a7aca53f-2ed4-4466-a25e-0b45ade68efd')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "sSHAccessFromTheInternetShouldBeBlocked",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fab",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-2c89a2e5-7285-40fe-afe0-ae8654b92fab')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "rDPAccessFromTheInternetShouldBeBlocked",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e372f825-a257-4fb8-9175-797a8a8627d6",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-e372f825-a257-4fb8-9175-797a8a8627d6')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "webApplicationFirewallWAFShouldBeEnabledForAzureFrontDoorServiceService",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "webApplicationFirewallWAFShouldBeEnabledForApplicationGateway",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "anAzureActiveDirectoryAdministratorShouldBeProvisionedForSQLServers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1f314764-cb73-4fc9-b863-8eca98ac36e9')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_IM-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "serviceFabricClustersShouldOnlyUseAzureActiveDirectoryForClientAuthentication",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-b54ed75b-3e1a-44ac-a333-05ba39b99ff0')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_IM-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "managedIdentityShouldBeUsedInYourFunctionApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0da106f2-4ca3-48e8-bc85-c638fe6aea8f')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_IM-1",
          "Azure_Security_Benchmark_v2.0_IM-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "managedIdentityShouldBeUsedInYourWebApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-2b9ad585-36bc-4615-b300-fd4435808332')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_IM-1",
          "Azure_Security_Benchmark_v2.0_IM-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "managedIdentityShouldBeUsedInYourAPIApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-c4d441f8-f9d9-4a9e-9cef-e82117cb3eef')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_IM-1",
          "Azure_Security_Benchmark_v2.0_IM-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "servicePrincipalsShouldBeUsedToProtectYourSubscriptionsInsteadOfManagementCertificates",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6646a0bd-e110-40ca-bb97-84fcee63c414",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-6646a0bd-e110-40ca-bb97-84fcee63c414')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_IM-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "mFAShouldBeEnabledOnAccountsWithOwnerPermissionsOnYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-aa633080-8b72-40c4-a2d7-d00c03e80bed')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_IM-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "mFAShouldBeEnabledAccountsWithWritePermissionsOnYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-9297c21d-2ed6-4474-b48f-163f75654ce3')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_IM-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "mFAShouldBeEnabledOnAccountsWithReadPermissionsOnYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-e3576e28-8b17-4677-84c3-db2990658d64')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_IM-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "aMaximumOf3OwnersShouldBeDesignatedForYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-4f11b553-d42e-4e3a-89be-32ca364cad4c')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PA-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "thereShouldBeMoreThanOneOwnerAssignedToYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-09024ccc-0c5f-475e-9457-b7c0d9ed487b')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PA-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "externalAccountsWithOwnerPermissionsShouldBeRemovedFromYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-f8456c1c-aa66-4dfb-861a-25d127b775c9')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PA-1",
          "Azure_Security_Benchmark_v2.0_PA-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "deprecatedAccountsWithOwnerPermissionsShouldBeRemovedFromYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-ebb62a0c-3560-49e1-89ed-27e074e9f8ad')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PA-1",
          "Azure_Security_Benchmark_v2.0_PA-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "deprecatedAccountsShouldBeRemovedFromYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-6b1cbf55-e8b6-442f-ba4c-7246b6381474')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PA-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "externalAccountsWithReadPermissionsShouldBeRemovedFromYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-5f76cf89-fbf2-47fd-a3f4-b891fa780b60')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PA-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "externalAccountsWithWritePermissionsShouldBeRemovedFromYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-5c607a2e-c700-4744-8254-d77e7c9eb5e4')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PA-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "roleBasedAccessControlRBACShouldBeUsedOnKubernetesServices",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-ac4a19c2-fa67-49b4-8ae5-0b2e78c49457')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PA-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "auditUsageOfCustomRBACRules",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-a451c1ef-c6ca-483d-87ed-f49761e3ffb5')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PA-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "customSubscriptionOwnerRolesShouldNotExist",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PA-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "sensitiveDataInYourSQLDatabasesShouldBeClassified",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "storageAccountPublicAccessShouldBeDisallowed",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-4fa4b6c0-31ca-4c0d-b10d-24b96f62a751')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "azureDefenderForStorageShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-308fbb08-4ab8-4e67-9b29-592e93fb94fa')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-2",
          "Azure_Security_Benchmark_v2.0_DP-3",
          "Azure_Security_Benchmark_v2.0_LT-1",
          "Azure_Security_Benchmark_v2.0_LT-2",
          "Azure_Security_Benchmark_v2.0_IR-3",
          "Azure_Security_Benchmark_v2.0_IR-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "azureDefenderForSQLServersOnMachinesShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6581d072-105e-4418-827f-bd446d56421b",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-6581d072-105e-4418-827f-bd446d56421b')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-2",
          "Azure_Security_Benchmark_v2.0_DP-3",
          "Azure_Security_Benchmark_v2.0_LT-1",
          "Azure_Security_Benchmark_v2.0_LT-2",
          "Azure_Security_Benchmark_v2.0_IR-3",
          "Azure_Security_Benchmark_v2.0_IR-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "azureDefenderForAzureSQLDatabaseServersShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-7fe3b40f-802b-4cdd-8bd4-fd799c948cc2')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-2",
          "Azure_Security_Benchmark_v2.0_DP-3",
          "Azure_Security_Benchmark_v2.0_LT-1",
          "Azure_Security_Benchmark_v2.0_LT-2",
          "Azure_Security_Benchmark_v2.0_IR-3",
          "Azure_Security_Benchmark_v2.0_IR-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "advancedDataSecurityShouldBeEnabledOnSQLManagedInstance",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-2",
          "Azure_Security_Benchmark_v2.0_DP-3",
          "Azure_Security_Benchmark_v2.0_LT-1",
          "Azure_Security_Benchmark_v2.0_LT-2",
          "Azure_Security_Benchmark_v2.0_IR-3",
          "Azure_Security_Benchmark_v2.0_IR-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "transparentDataEncryptionOnSQLDatabasesShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-17k78e20-9358-41c9-923c-fb736d382a12')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-2",
          "Azure_Security_Benchmark_v2.0_DP-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "diskEncryptionShouldBeAppliedOnVirtualMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0961003e-5a0a-4549-abde-af6a37f2724d')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-2",
          "Azure_Security_Benchmark_v2.0_DP-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "secureTransferToStorageAccountsShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-404c3081-a854-4457-ae30-26a93ef643f9')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "latestTLSVersionShouldBeUsedInYourAPIApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "latestTLSVersionShouldBeUsedInYourWebApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "latestTLSVersionShouldBeUsedInYourFunctionApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-f9d614c5-c173-4d56-95a7-b4437057d193')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "functionAppShouldOnlyBeAccessibleOverHTTPS",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "webApplicationShouldOnlyBeAccessibleOverHTTPS",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-a4af4a39-4135-47fb-b175-47fbdf85311d')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "aPIAppShouldOnlyBeAccessibleOverHTTPS",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-b7ddfbdc-1260-477d-91fd-98bd9be789a6')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "enforceSSLConnectionShouldBeEnabledForMysqlDatabaseServers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-e802a67a-daf5-4436-9ea6-f6d821dd0c5d')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "enforceSSLConnectionShouldBeEnabledForPostgresqlDatabaseServers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-d158790f-bfb0-486c-8631-2dc6b4e8e6af')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "onlySecureConnectionsToYourAzureCacheForRedisShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-22bee202-a82f-4305-9a2a-6d7f44d4dedb')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "fTPSOnlyShouldBeRequiredInYourFunctionApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-399b2637-a50f-4f95-96f8-3a145476eb15')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "fTPSShouldBeRequiredInYourWebApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "fTPSOnlyShouldBeRequiredInYourAPIApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-9a1b8c48-453a-4044-86c3-d8bfd823e4f5')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "enforceHTTPSIngressInKubernetesCluster",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "auditWindowsWebServersThatAreNotUsingSecureCommunicationProtocols",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines-5752e6d6-1206-46d8-8ab1-ecc2f71a8112')]"
          },
          "MinimumTLSVersion": {
            "value": "[parameters('MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "sQLServersShouldUseCustomerManagedKeysToEncryptDataAtRest",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0d134df8-db83-46fb-ad72-fe0c9428c8dd')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "sQLManagedInstancesShouldUseCustomerManagedKeysToEncryptDataAtRest",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-048248b0-55cd-46da-b1ff-39efd52db260')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "automationAccountVariablesShouldBeEncrypted",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-3657f5a0-770e-44a3-b44e-9431ba1e9735')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "serviceFabricClustersShouldHaveTheClusterprotectionlevelPropertySetToEncryptandsign",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-617c02be-7f02-4efd-8836-3180d47b6c68')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "azureCosmosDBAccountsShouldUseCustomerManagedKeysToEncryptDataAtRest",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1f905d99-2ab7-462c-a6b0-f709acca6c8f')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "containerRegistriesShouldBeEncryptedWithACustomerManagedKeyCMK",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "cognitiveServicesAccountsShouldEnableDataEncryptionWithACustomerManagedKeyCMK",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "storageAccountsShouldUseCustomerManagedKeyCMKForEncryption",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-6fac406b-40ca-413b-bf8e-0bf964659c25')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "azureMachineLearningWorkspacesShouldBeEncryptedWithACustomerManagedKeyCMK",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-ba769a63-b8cc-4b2d-abf6-ac33c7204be8')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "bringYourOwnKeyDataProtectionShouldBeEnabledForPostgresqlServers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-18adea5e-f416-4d0f-8aa8-d24321e3e274')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "bringYourOwnKeyDataProtectionShouldBeEnabledForMysqlServers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-83cef61d-dbd1-4b20-a4fc-5fbc7da10833')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "virtualMachinesShouldBeMigratedToNewAzureResourceManagerResources",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1d84d5fb-01f6-4d12-ba4f-4a26081d403d')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_AM-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "storageAccountsShouldBeMigratedToNewAzureResourceManagerResources",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-37e0d2fe-28a5-43d6-a273-67d37d1f5606')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_AM-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "adaptiveApplicationControlsForDefiningSafeApplicationsShouldBeEnabledOnYourMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-47a6b606-51aa-4496-8bb7-64b11cf66adc')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_AM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "azureDefenderForKeyVaultShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0e6763cc-5078-4e64-889d-ff4d9a839047')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-1",
          "Azure_Security_Benchmark_v2.0_LT-2",
          "Azure_Security_Benchmark_v2.0_IR-3",
          "Azure_Security_Benchmark_v2.0_IR-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "azureDefenderForAppServiceShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcb",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-2913021d-f2fd-4f3d-b958-22354e2bdbcb')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-1",
          "Azure_Security_Benchmark_v2.0_LT-2",
          "Azure_Security_Benchmark_v2.0_IR-3",
          "Azure_Security_Benchmark_v2.0_IR-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "azureDefenderForServersShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-4da35fc9-c9e7-4960-aec9-797fe7d9051d')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-1",
          "Azure_Security_Benchmark_v2.0_LT-2",
          "Azure_Security_Benchmark_v2.0_IR-3",
          "Azure_Security_Benchmark_v2.0_IR-5",
          "Azure_Security_Benchmark_v2.0_ES-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "azureDefenderForKubernetesShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/523b5cd1-3e23-492f-a539-13118b6d1e3a",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-523b5cd1-3e23-492f-a539-13118b6d1e3a')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-1",
          "Azure_Security_Benchmark_v2.0_LT-2",
          "Azure_Security_Benchmark_v2.0_IR-3",
          "Azure_Security_Benchmark_v2.0_IR-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "azureDefenderForContainerRegistriesShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c25d9a16-bc35-4e15-a7e5-9db606bf9ed4",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-c25d9a16-bc35-4e15-a7e5-9db606bf9ed4')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-1",
          "Azure_Security_Benchmark_v2.0_LT-2",
          "Azure_Security_Benchmark_v2.0_IR-3",
          "Azure_Security_Benchmark_v2.0_IR-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "networkTrafficDataCollectionAgentShouldBeInstalledOnWindowsVirtualMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-2f2ee1de-44aa-4762-b6bd-0893fc3f306d')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "networkTrafficDataCollectionAgentShouldBeInstalledOnLinuxVirtualMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-04c4380f-3fae-46e8-96c9-30193528f602')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "networkWatcherShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6",
        "parameters": {
          "resourceGroupName": {
            "value": "[parameters('resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "diagnosticLogsInAzureDataLakeStoreShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-057ef27e-665e-4328-8ea3-04b3122bd9fb')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays-057ef27e-665e-4328-8ea3-04b3122bd9fb')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "diagnosticLogsInLogicAppsShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-34f95f76-5386-4de7-b824-0d8478470c9d')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays-34f95f76-5386-4de7-b824-0d8478470c9d')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "diagnosticLogsInIotHubShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-383856f8-de7f-44a2-81fc-e5135b5c2aa4')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays-383856f8-de7f-44a2-81fc-e5135b5c2aa4')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "diagnosticLogsInBatchAccountsShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-428256e6-1fac-4f48-a757-df34c2b3336d')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays-428256e6-1fac-4f48-a757-df34c2b3336d')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "diagnosticLogsInVirtualMachineScaleSetsShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-7c1b1214-f927-48bf-8882-84f0af6588b1')]"
          },
          "includeAKSClusters": {
            "value": "[parameters('includeAKSClusters-7c1b1214-f927-48bf-8882-84f0af6588b1')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "diagnosticLogsInEventHubShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-83a214f7-d01a-484b-91a9-ed54470c9a6a')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays-83a214f7-d01a-484b-91a9-ed54470c9a6a')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "diagnosticLogsInSearchServicesShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-b4330a05-a843-4bc8-bf9a-cacce50c67f4')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays-b4330a05-a843-4bc8-bf9a-cacce50c67f4')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "diagnosticLogsInAppServicesShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "diagnosticLogsInDataLakeAnalyticsShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-c95c74d9-38fe-4f0d-af86-0c7d626a315c')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays-c95c74d9-38fe-4f0d-af86-0c7d626a315c')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "diagnosticLogsInKeyVaultShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-cf820ca0-f99e-4f3e-84fb-66e913812d21')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays-cf820ca0-f99e-4f3e-84fb-66e913812d21')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "diagnosticLogsInServiceBusShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-f8d36e2f-389b-4ee4-898d-21aeb69a0f45')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays-f8d36e2f-389b-4ee4-898d-21aeb69a0f45')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "diagnosticLogsInAzureStreamAnalyticsShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-f9be5368-9bf5-4b84-9e0a-7850da98bb46')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays-f9be5368-9bf5-4b84-9e0a-7850da98bb46')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "auditingOnSQLServerShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9')]"
          },
          "setting": {
            "value": "[parameters('setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "logAnalyticsAgentShouldBeInstalledOnYourVirtualMachineForAzureSecurityCenterMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-a4fe33eb-e377-4efb-ab31-0784311bc499')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "logAnalyticsAgentShouldBeInstalledOnYourVirtualMachineScaleSetsForAzureSecurityCenterMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-a3a6ea0c-e018-4933-9ef0-5aaa1501449b')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "autoProvisioningOfTheLogAnalyticsAgentShouldBeEnabledOnYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-475aae12-b88a-4572-8b36-9b712b2b3a17')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "logAnalyticsAgentHealthIssuesShouldBeResolvedOnYourMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d62cfe2b-3ab0-4d41-980d-76803b58ca65",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-d62cfe2b-3ab0-4d41-980d-76803b58ca65')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "logAnalyticsAgentShouldBeInstalledOnYourLinuxAzureArcMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/842c54e8-c2f9-4d79-ae8d-38d8b8019373",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-842c54e8-c2f9-4d79-ae8d-38d8b8019373')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "logAnalyticsAgentShouldBeInstalledOnYourWindowsAzureArcMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "subscriptionsShouldHaveAContactEmailAddressForSecurityIssues",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_IR-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "emailNotificationForHighSeverityAlertsShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-6e2593d9-add6-4083-9c9b-4b7d2188c899')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_IR-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "emailNotificationToSubscriptionOwnerForHighSeverityAlertsShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0b15565f-aa9e-48ba-8619-45960f2c314d')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_IR-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "cORSShouldNotAllowEveryResourceToAccessYourWebApplications",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-5744710e-cc2f-4ee8-8809-3b11e89f4bc9')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "cORSShouldNotAllowEveryResourceToAccessYourFunctionApps",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0820b7b9-23aa-4725-a1ce-ae4558f718e5')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "cORSShouldNotAllowEveryResourceToAccessYourAPIApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-358c20a6-3f9e-4f0e-97ff-c6ce485e2aac')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "remoteDebuggingShouldBeTurnedOffForWebApplications",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-cb510bfd-1cba-4d9f-a230-cb0976f4bb71')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "remoteDebuggingShouldBeTurnedOffForFunctionApps",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0e60b895-3786-45da-8377-9c6b4b6ac5f9')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "remoteDebuggingShouldBeTurnedOffForAPIApps",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-e9c8d085-d9cc-4b17-9cdc-059f1f01f19e')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ensureAPIAppHasClientCertificatesIncomingClientCertificatesSetToOn",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0c192fe8-9cbb-4516-85b3-0ade8bd03886",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0c192fe8-9cbb-4516-85b3-0ade8bd03886')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "functionAppsShouldHaveClientCertificatesIncomingClientCertificatesEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eaebaea7-8013-4ceb-9d14-7eb32271373c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-eaebaea7-8013-4ceb-9d14-7eb32271373c')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ensureWEBAppHasClientCertificatesIncomingClientCertificatesSetToOn",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-5bb220d9-2698-4ee4-8404-b9c30c9df609')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "azurePolicyAddOnForKubernetesServiceAKSShouldBeInstalledAndEnabledOnYourClusters",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a15ec92-a229-4763-bb14-0ea34a568f8d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0a15ec92-a229-4763-bb14-0ea34a568f8d')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ensureOnlyAllowedContainerImagesInKubernetesCluster",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/febd0533-8e55-448f-b837-bd0e06f16469",
        "parameters": {
          "allowedContainerImagesRegex": {
            "value": "[parameters('allowedContainerImagesRegex-febd0533-8e55-448f-b837-bd0e06f16469')]"
          },
          "effect": {
            "value": "[parameters('effect-febd0533-8e55-448f-b837-bd0e06f16469')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces-febd0533-8e55-448f-b837-bd0e06f16469')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "doNotAllowPrivilegedContainersInKubernetesCluster",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-95edb821-ddaf-4404-9732-666045e056b4')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces-95edb821-ddaf-4404-9732-666045e056b4')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ensureContainersListenOnlyOnAllowedPortsInKubernetesCluster",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/440b515e-a580-421e-abeb-b159a61ddcbc",
        "parameters": {
          "allowedContainerPortsList": {
            "value": "[parameters('allowedContainerPortsList-440b515e-a580-421e-abeb-b159a61ddcbc')]"
          },
          "effect": {
            "value": "[parameters('effect-440b515e-a580-421e-abeb-b159a61ddcbc')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces-440b515e-a580-421e-abeb-b159a61ddcbc')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ensureServicesListenOnlyOnAllowedPortsInKubernetesCluster",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/233a2a17-77ca-4fb1-9b6b-69223d272a44",
        "parameters": {
          "allowedServicePortsList": {
            "value": "[parameters('allowedServicePortsList-233a2a17-77ca-4fb1-9b6b-69223d272a44')]"
          },
          "effect": {
            "value": "[parameters('effect-233a2a17-77ca-4fb1-9b6b-69223d272a44')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces-233a2a17-77ca-4fb1-9b6b-69223d272a44')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "kubernetesClustersShouldNotAllowContainerPrivilegeEscalation",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ensureContainerCPUAndMemoryResourceLimitsDoNotExceedTheSpecifiedLimitsInKubernetesCluster",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e345eecc-fa47-480f-9e88-67dcc122b164",
        "parameters": {
          "cpuLimit": {
            "value": "[parameters('cpuLimit-e345eecc-fa47-480f-9e88-67dcc122b164')]"
          },
          "memoryLimit": {
            "value": "[parameters('memoryLimit-e345eecc-fa47-480f-9e88-67dcc122b164')]"
          },
          "effect": {
            "value": "[parameters('effect-e345eecc-fa47-480f-9e88-67dcc122b164')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces-e345eecc-fa47-480f-9e88-67dcc122b164')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "kubernetesClusterPodsAndContainersShouldOnlyRunWithApprovedUserAndGroupIds",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f06ddb64-5fa3-4b77-b166-acb36f7f6042",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]"
          },
          "runAsUserRule": {
            "value": "MustRunAsNonRoot"
          },
          "runAsUserRanges": {
            "value": {
              "ranges": []
            }
          },
          "runAsGroupRule": {
            "value": "MayRunAs"
          },
          "runAsGroupRanges": {
            "value": {
              "ranges": [
                {
                  "min": 1,
                  "max": 65535
                }
              ]
            }
          },
          "supplementalGroupsRule": {
            "value": "MayRunAs"
          },
          "supplementalGroupsRanges": {
            "value": {
              "ranges": [
                {
                  "min": 1,
                  "max": 65535
                }
              ]
            }
          },
          "fsGroupRule": {
            "value": "MayRunAs"
          },
          "fsGroupRanges": {
            "value": {
              "ranges": [
                {
                  "min": 1,
                  "max": 65535
                }
              ]
            }
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "kubernetesClusterContainersShouldNotShareHostProcessIDOrHostIPCNamespace",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "kubernetesClusterContainersShouldRunWithAReadOnlyRootFileSystem",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/df49d893-a74c-421d-bc95-c663042e5b80",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-df49d893-a74c-421d-bc95-c663042e5b80')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces-df49d893-a74c-421d-bc95-c663042e5b80')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "kubernetesClusterContainersShouldOnlyUseAllowedCapabilities",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-c26596ff-4d70-4e6a-9a30-c2506bd2f80c')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces-c26596ff-4d70-4e6a-9a30-c2506bd2f80c')]"
          },
          "allowedCapabilities": {
            "value": "[parameters('allowedCapabilities-c26596ff-4d70-4e6a-9a30-c2506bd2f80c')]"
          },
          "requiredDropCapabilities": {
            "value": "[parameters('requiredDropCapabilities-c26596ff-4d70-4e6a-9a30-c2506bd2f80c')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "kubernetesClusterContainersShouldOnlyUseAllowedApparmorProfiles",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/511f5417-5d12-434d-ab2e-816901e72a5e",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-511f5417-5d12-434d-ab2e-816901e72a5e')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces-511f5417-5d12-434d-ab2e-816901e72a5e')]"
          },
          "allowedProfiles": {
            "value": "[parameters('allowedProfiles-511f5417-5d12-434d-ab2e-816901e72a5e')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "kubernetesClusterPodsShouldOnlyUseApprovedHostNetworkAndPortRange",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82985f06-dc18-4a48-bc1c-b9f4f0098cfe",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-82985f06-dc18-4a48-bc1c-b9f4f0098cfe')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces-82985f06-dc18-4a48-bc1c-b9f4f0098cfe')]"
          },
          "allowHostNetwork": {
            "value": "[parameters('allowHostNetwork-82985f06-dc18-4a48-bc1c-b9f4f0098cfe')]"
          },
          "minPort": {
            "value": "[parameters('minPort-82985f06-dc18-4a48-bc1c-b9f4f0098cfe')]"
          },
          "maxPort": {
            "value": "[parameters('maxPort-82985f06-dc18-4a48-bc1c-b9f4f0098cfe')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "kubernetesClusterPodHostpathVolumesShouldOnlyUseAllowedHostPaths",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/098fc59e-46c7-4d99-9b16-64990e543d75",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-098fc59e-46c7-4d99-9b16-64990e543d75')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces-098fc59e-46c7-4d99-9b16-64990e543d75')]"
          },
          "allowedHostPaths": {
            "value": "[parameters('allowedHostPaths-098fc59e-46c7-4d99-9b16-64990e543d75')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "vulnerabilitiesInSecurityConfigurationOnYourMachinesShouldBeRemediated",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "vulnerabilitiesInContainerSecurityConfigurationsShouldBeRemediated",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-e8cbc669-f12d-49eb-93e7-9273119e9933')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "vulnerabilitiesInSecurityConfigurationOnYourVirtualMachineScaleSetsShouldBeRemediated",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "vulnerabilityAssessmentShouldBeEnabledOnYourSQLServers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "vulnerabilityAssessmentShouldBeEnabledOnSQLManagedInstance",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1b7aa243-30e4-4c9e-bca8-d0d3022b634a')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "aVulnerabilityAssessmentSolutionShouldBeEnabledOnYourVirtualMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-501541f7-f7e7-4cd6-868c-4190fdad3ac9')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "vulnerabilitiesOnYourSQLDatabasesShouldBeRemediated",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-feedbf84-6b99-488c-acc2-71c829aa5ffc')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "vulnerabilitiesInAzureContainerRegistryImagesShouldBeRemediated",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-5f0f936f-2f01-4bf5-b6be-d423792fa562')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "systemUpdatesShouldBeInstalledOnYourMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-86b3d65f-7626-441e-b690-81a8b71cff60')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "systemUpdatesOnVirtualMachineScaleSetsShouldBeInstalled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "ensureThatPHPVersionIsTheLatestIfUsedAsAPartOfTheAPIApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba')]"
          },
          "PHPLatestVersion": {
            "value": "[parameters('PHPLatestVersion')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "ensureThatPHPVersionIsTheLatestIfUsedAsAPartOfTheWEBApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-7261b898-8a84-4db8-9e04-18527132abb3')]"
          },
          "PHPLatestVersion": {
            "value": "[parameters('PHPLatestVersion')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "ensureThatJavaVersionIsTheLatestIfUsedAsAPartOfTheWebApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-496223c3-ad65-4ecd-878a-bae78737e9ed')]"
          },
          "JavaLatestVersion": {
            "value": "[parameters('JavaLatestVersion')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "ensureThatJavaVersionIsTheLatestIfUsedAsAPartOfTheFunctionApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc')]"
          },
          "JavaLatestVersion": {
            "value": "[parameters('JavaLatestVersion')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "ensureThatJavaVersionIsTheLatestIfUsedAsAPartOfTheAPIApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/88999f4c-376a-45c8-bcb3-4058f713cf39",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-88999f4c-376a-45c8-bcb3-4058f713cf39')]"
          },
          "JavaLatestVersion": {
            "value": "[parameters('JavaLatestVersion')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "ensureThatPythonVersionIsTheLatestIfUsedAsAPartOfTheWebApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-7008174a-fd10-4ef0-817e-fc820a951d73')]"
          },
          "LinuxPythonLatestVersion": {
            "value": "[parameters('LinuxPythonLatestVersion')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "ensureThatPythonVersionIsTheLatestIfUsedAsAPartOfTheFunctionApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-7238174a-fd10-4ef0-817e-fc820a951d73')]"
          },
          "LinuxPythonLatestVersion": {
            "value": "[parameters('LinuxPythonLatestVersion')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "ensureThatPythonVersionIsTheLatestIfUsedAsAPartOfTheAPIApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20a-6f8adba71a16",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-74c3584d-afae-46f7-a20a-6f8adba71a16')]"
          },
          "LinuxPythonLatestVersion": {
            "value": "[parameters('LinuxPythonLatestVersion')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "kubernetesServicesShouldBeUpgradedToANonVulnerableKubernetesVersion",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-fb893a29-21bb-418c-a157-e99480ec364c')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "monitorMissingEndpointProtectionInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-af6cd1bd-1635-48cb-bde7-5b15693900b9')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_ES-2",
          "Azure_Security_Benchmark_v2.0_ES-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "endpointProtectionSolutionShouldBeInstalledOnVirtualMachineScaleSets",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-26a828e1-e88f-464e-bbb3-c134a282b9de')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_ES-2",
          "Azure_Security_Benchmark_v2.0_ES-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "auditWindowsMachinesOnWhichWindowsDefenderExploitGuardIsNotEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines-bed48b13-6647-468e-aa2f-1af1d3f4dd40')]"
          },
          "NotAvailableMachineState": {
            "value": "[parameters('NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40')]"
          },
          "effect": {
            "value": "[parameters('effect-bed48b13-6647-468e-aa2f-1af1d3f4dd40')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_ES-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "longTermGeoRedundantBackupShouldBeEnabledForAzureSQLDatabases",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-d38fc420-0735-4ef3-ac11-c806f651a570')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_BR-1",
          "Azure_Security_Benchmark_v2.0_BR-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "geoRedundantBackupShouldBeEnabledForAzureDatabaseForMysql",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-82339799-d096-41ae-8538-b108becf0970')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_BR-1",
          "Azure_Security_Benchmark_v2.0_BR-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgresql",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-48af4db5-9b8b-401c-8e74-076be876a430')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_BR-1",
          "Azure_Security_Benchmark_v2.0_BR-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "geoRedundantBackupShouldBeEnabledForAzureDatabaseForMariadb",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0ec47710-77ff-4a3d-9181-6aa50af424d0')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_BR-1",
          "Azure_Security_Benchmark_v2.0_BR-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "azureBackupShouldBeEnabledForVirtualMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-013e242c-8828-4970-87b3-ab247555486d')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_BR-1",
          "Azure_Security_Benchmark_v2.0_BR-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "keyVaultsShouldHaveSoftDeleteEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_BR-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "keyVaultsShouldHavePurgeProtectionEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_BR-4"
        ]
      }
    ],
    "policyDefinitionGroups": [
      {
        "name": "Azure_Security_Benchmark_v2.0_NS-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_NS-1"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_NS-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_NS-2"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_NS-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_NS-3"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_NS-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_NS-4"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_NS-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_NS-5"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_NS-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_NS-6"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_NS-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_NS-7"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_IM-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IM-1"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_IM-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IM-2"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_IM-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IM-3"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_IM-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IM-4"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_IM-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IM-5"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_IM-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IM-6"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_IM-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IM-7"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_IM-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IM-8"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_PA-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PA-1"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_PA-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PA-2"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_PA-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PA-3"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_PA-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PA-4"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_PA-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PA-5"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_PA-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PA-6"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_PA-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PA-7"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_PA-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PA-8"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_DP-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_DP-1"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_DP-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_DP-2"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_DP-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_DP-3"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_DP-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_DP-4"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_DP-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_DP-5"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_AM-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_AM-1"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_AM-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_AM-2"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_AM-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_AM-3"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_AM-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_AM-4"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_AM-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_AM-5"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_AM-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_AM-6"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_LT-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_LT-1"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_LT-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_LT-2"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_LT-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_LT-3"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_LT-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_LT-4"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_LT-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_LT-5"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_LT-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_LT-6"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_LT-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_LT-7"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_IR-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IR-1"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_IR-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IR-2"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_IR-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IR-3"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_IR-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IR-4"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_IR-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IR-5"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_IR-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IR-6"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_PV-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PV-1"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_PV-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PV-2"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_PV-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PV-3"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_PV-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PV-4"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_PV-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PV-5"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_PV-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PV-6"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_PV-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PV-7"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_PV-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PV-8"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_ES-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_ES-1"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_ES-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_ES-2"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_ES-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_ES-3"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_BR-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_BR-1"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_BR-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_BR-2"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_BR-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_BR-3"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_BR-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_BR-4"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_GS-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_GS-1"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_GS-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_GS-2"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_GS-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_GS-3"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_GS-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_GS-4"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_GS-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_GS-5"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_GS-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_GS-6"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_GS-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_GS-7"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_GS-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_GS-8"
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/bb522ac1-bc39-4957-b194-429bcd3bcb0b",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "bb522ac1-bc39-4957-b194-429bcd3bcb0b"
}
BuiltIn Regulatory Compliance True False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "[Deprecated]: DoD Impact Level 4",
    "policyType": "BuiltIn",
    "description": "This initiative includes policies that address a subset of DoD Impact Level 4 (IL4) controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/dodil4-initiative.",
    "metadata": {
      "version": "6.1.1-deprecated",
      "category": "Regulatory Compliance",
      "deprecated": true
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc-connected servers when evaluating guest configuration policies",
          "description": "By selecting 'true,' you agree to be charged monthly per Arc connected machine; for more information, visit https://aka.ms/policy-pricing"
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "listOfAllowedLocationsForResourcesAndResourceGroups": {
        "type": "Array",
        "metadata": {
          "displayName": "[Deprecated]: Allowed locations for resources and resource groups",
          "description": "To see a complete list of regions use Get-AzLocation",
          "strongType": "location",
          "deprecated": true
        },
        "defaultValue": [
          "eastus"
        ]
      },
      "membersToIncludeInAdministratorsLocalGroup": {
        "type": "String",
        "metadata": {
          "displayName": "List of users that must be included in Windows VM Administrators group",
          "description": "A semicolon-separated list of users that should be included in the Administrators local group; Ex: Administrator; myUser1; myUser2"
        }
      },
      "membersToExcludeInAdministratorsLocalGroup": {
        "type": "String",
        "metadata": {
          "displayName": "List of users excluded from Windows VM Administrators group",
          "description": "A semicolon-separated list of users that should be excluded in the Administrators local group; Ex: Administrator; myUser1; myUser2"
        }
      },
      "logAnalyticsWorkspaceIdForVMs": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace ID for VM agent reporting",
          "description": "ID (GUID) of the Log Analytics workspace where VMs agents should report"
        }
      },
      "listOfResourceTypes": {
        "type": "Array",
        "metadata": {
          "displayName": "List of resource types that should have resource logs enabled"
        },
        "allowedValues": [
          "Microsoft.AnalysisServices/servers",
          "Microsoft.ApiManagement/service",
          "Microsoft.Network/applicationGateways",
          "Microsoft.Automation/automationAccounts",
          "Microsoft.ContainerInstance/containerGroups",
          "Microsoft.ContainerRegistry/registries",
          "Microsoft.ContainerService/managedClusters",
          "Microsoft.Batch/batchAccounts",
          "Microsoft.Cdn/profiles/endpoints",
          "Microsoft.CognitiveServices/accounts",
          "Microsoft.DocumentDB/databaseAccounts",
          "Microsoft.DataFactory/factories",
          "Microsoft.DataLakeAnalytics/accounts",
          "Microsoft.DataLakeStore/accounts",
          "Microsoft.EventGrid/eventSubscriptions",
          "Microsoft.EventGrid/topics",
          "Microsoft.EventHub/namespaces",
          "Microsoft.Network/expressRouteCircuits",
          "Microsoft.Network/azureFirewalls",
          "Microsoft.HDInsight/clusters",
          "Microsoft.Devices/IotHubs",
          "Microsoft.KeyVault/vaults",
          "Microsoft.Network/loadBalancers",
          "Microsoft.Logic/integrationAccounts",
          "Microsoft.Logic/workflows",
          "Microsoft.DBforMySQL/servers",
          "Microsoft.Network/networkInterfaces",
          "Microsoft.Network/networkSecurityGroups",
          "Microsoft.DBforPostgreSQL/servers",
          "Microsoft.PowerBIDedicated/capacities",
          "Microsoft.Network/publicIPAddresses",
          "Microsoft.RecoveryServices/vaults",
          "Microsoft.Cache/redis",
          "Microsoft.Relay/namespaces",
          "Microsoft.Search/searchServices",
          "Microsoft.ServiceBus/namespaces",
          "Microsoft.SignalRService/SignalR",
          "Microsoft.Sql/servers/databases",
          "Microsoft.Sql/servers/elasticPools",
          "Microsoft.StreamAnalytics/streamingjobs",
          "Microsoft.TimeSeriesInsights/environments",
          "Microsoft.Network/trafficManagerProfiles",
          "Microsoft.Compute/virtualMachines",
          "Microsoft.Compute/virtualMachineScaleSets",
          "Microsoft.Network/virtualNetworks",
          "Microsoft.Network/virtualNetworkGateways"
        ],
        "defaultValue": [
          "Microsoft.AnalysisServices/servers",
          "Microsoft.ApiManagement/service",
          "Microsoft.Network/applicationGateways",
          "Microsoft.Automation/automationAccounts",
          "Microsoft.ContainerInstance/containerGroups",
          "Microsoft.ContainerRegistry/registries",
          "Microsoft.ContainerService/managedClusters",
          "Microsoft.Batch/batchAccounts",
          "Microsoft.Cdn/profiles/endpoints",
          "Microsoft.CognitiveServices/accounts",
          "Microsoft.DocumentDB/databaseAccounts",
          "Microsoft.DataFactory/factories",
          "Microsoft.DataLakeAnalytics/accounts",
          "Microsoft.DataLakeStore/accounts",
          "Microsoft.EventGrid/eventSubscriptions",
          "Microsoft.EventGrid/topics",
          "Microsoft.EventHub/namespaces",
          "Microsoft.Network/expressRouteCircuits",
          "Microsoft.Network/azureFirewalls",
          "Microsoft.HDInsight/clusters",
          "Microsoft.Devices/IotHubs",
          "Microsoft.KeyVault/vaults",
          "Microsoft.Network/loadBalancers",
          "Microsoft.Logic/integrationAccounts",
          "Microsoft.Logic/workflows",
          "Microsoft.DBforMySQL/servers",
          "Microsoft.Network/networkInterfaces",
          "Microsoft.Network/networkSecurityGroups",
          "Microsoft.DBforPostgreSQL/servers",
          "Microsoft.PowerBIDedicated/capacities",
          "Microsoft.Network/publicIPAddresses",
          "Microsoft.RecoveryServices/vaults",
          "Microsoft.Cache/redis",
          "Microsoft.Relay/namespaces",
          "Microsoft.Search/searchServices",
          "Microsoft.ServiceBus/namespaces",
          "Microsoft.SignalRService/SignalR",
          "Microsoft.Sql/servers/databases",
          "Microsoft.Sql/servers/elasticPools",
          "Microsoft.StreamAnalytics/streamingjobs",
          "Microsoft.TimeSeriesInsights/environments",
          "Microsoft.Network/trafficManagerProfiles",
          "Microsoft.Compute/virtualMachines",
          "Microsoft.Compute/virtualMachineScaleSets",
          "Microsoft.Network/virtualNetworks",
          "Microsoft.Network/virtualNetworkGateways"
        ]
      },
      "listOfLocations": {
        "type": "Array",
        "metadata": {
          "displayName": "[Deprecated]: List of regions where Network Watcher should be enabled",
          "description": "To see a complete list of regions use Get-AzLocation",
          "strongType": "location",
          "deprecated": true
        },
        "defaultValue": [
          "eastus"
        ]
      },
      "vulnerabilityAssessmentOnManagedInstanceMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Vulnerability assessment should be enabled on SQL Managed Instance",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "vulnerabilityAssessmentOnServerMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Vulnerability assessment should be enabled on your SQL servers",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "vulnerabilityAssessmentOnVirtualMachinesEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Vulnerability Assessment should be enabled on Virtual Machines",
          "description": "Monitors vulnerabilities detected by Azure Security Center Vulnerability Assessment on Virtual Machines"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "geoRedundancyEnabledForStorageAccountsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Geo-redundant storage should be enabled for Storage Accounts",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "geoRedundancyEnabledForAzureDatabaseForMariaDBEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Geo-redundant backup should be enabled for Azure Database for MariaDB",
          "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "geoRedundancyEnabledForAzureDatabaseForMySQLEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Geo-redundant backup should be enabled for Azure Database for MySQL",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Geo-redundant backup should be enabled for Azure Database for PostgreSQL",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "adaptiveNetworkHardeningsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Adaptive network hardening recommendations should be applied on internet facing virtual machines",
          "description": "Enable or disable the monitoring of Internet-facing virtual machines for Network Security Group traffic hardening recommendations"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "webAppEnforceHttpsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Web Application should only be accessible over HTTPS",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "functionAppEnforceHttpsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Function App should only be accessible over HTTPS",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "identityRemoveExternalAccountWithWritePermissionsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: External accounts with write permissions should be removed from your subscription",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityRemoveExternalAccountWithReadPermissionsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: External accounts with read permissions should be removed from your subscription",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: External accounts with owner permissions should be removed from your subscription",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Deprecated accounts with owner permissions should be removed from your subscription",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityRemoveDeprecatedAccountMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Deprecated accounts should be removed from your subscription",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "webAppRestrictCORSAccessMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: CORS should not allow every resource to access your Web Applications",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "vmssSystemUpdatesMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: System updates on virtual machine scale sets should be installed",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityEnableMFAForReadPermissionsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: MFA should be enabled on accounts with read permissions on your subscription",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityEnableMFAForOwnerPermissionsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: MFA should be enabled on accounts with owner permissions on your subscription",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityEnableMFAForWritePermissionsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: MFA should be enabled accounts with write permissions on your subscription",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Long-term geo-redundant backup should be enabled for Azure SQL Databases",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "AuditWindowsWebServersThatAreNotUsingSecureCommunicationProtocols",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "auditVirtualMachinesWithoutDisasterRecoveryConfigured",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "auditUsageOfCustomRBACRules",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "serviceFabricClustersShouldOnlyUseAzureActiveDirectoryForClientAuthentication",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "auditUnrestrictedNetworkAccessToStorageAccounts",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "transparentDataEncryptionOnSqlDatabasesShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "advancedDataSecurityShouldBeEnabledOnYourSqlServers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "auditSqlServerLevelAuditingSettings",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "advancedDataSecurityShouldBeEnabledOnYourManagedInstances",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "auditSecureTransferToStorageAccounts",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "anAzureActiveDirectoryAdministratorShouldBeProvisionedForSqlServers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "OnlySecureConnectionsToYourRedisCacheShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "previewMonitorUnprotectedNetworkEndpointsInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "diskEncryptionShouldBeAppliedOnVirtualMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "vulnerabilitiesOnYourSqlDatabasesShouldBeRemediated",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "justInTimeNetworkAccessControlShouldBeAppliedOnVirtualMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "adaptiveApplicationControlsShouldBeEnabledOnVirtualMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "vulnerabilitiesInSecurityConfigurationOnYourMachinesShouldBeRemediated",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "systemUpdatesShouldBeInstalledOnYourMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "monitorMissingEndpointProtectionInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_AddSystemIdentityWhenNone",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_AddSystemIdentityWhenUser",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_DeployExtensionWindows",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_DeployExtensionLinux",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "previewAuditWindowsVmShouldNotStorePasswordsUsingReversibleEncryption",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/da0f98fe-a24b-4ad5-af69-bd0400233661",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "previewAuditWindowsVmPasswordsMustBeAtLeast14Characters",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a2d0e922-65d0-40c4-8f87-ea6da2d307a2",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "previewAuditWindowsVmEnforcesPasswordComplexityRequirements",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bf16e0bb-31e1-4646-8202-60a235cc7e74",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "previewAuditWindowsVmMinimumPasswordAge1Day",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/237b38db-ca4d-4259-9e47-7882441ca2c0",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "previewAuditWindowsVmMaximumPasswordAge70Days",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ceb8dc2-559c-478b-a15b-733fbf1e3738",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "previewAuditWindowsVmShouldNotAllowPrevious24Passwords",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b054a0d-39e2-4d53-bea3-9734cad2c69b",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "previewAuditLinuxVmPasswdFilePermissions",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e6955644-301c-44b5-a4c4-528577de6861",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "previewAuditLinuxVmAccountsWithNoPasswords",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f6ec09a3-78bf-4f8f-99dc-6c77182d0f99",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ea53dbee-c6c9-4f0e-9f9e-de0039b78023",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "endpointProtectionSolutionShouldBeInstalledOnVirtualMachineScaleSets",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "dDoSProtectionStandardShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "remoteDebuggingShouldBeTurnedOffForApiApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "remoteDebuggingShouldBeTurnedOffForWebApplication",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "remoteDebuggingShouldBeTurnedOffForFunctionApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "vulnerabilitiesInSecurityConfigurationOnYourVirtualMachineScaleSetsShouldBeRemediated",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "thereShouldBeMoreThanOneOwnerAssignedToYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "aMaximumOf3OwnersShouldBeDesignatedForYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "previewAuditLogAnalyticsAgentDeploymentInVmssVmImageOsUnlisted",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "previewAuditLogAnalyticsAgentDeploymentVmImageOsUnlisted",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "apiAppShouldOnlyBeAccessibleOverHttps",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "vulnerabilityAssessmentOnManagedInstanceMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a",
        "parameters": {
          "effect": {
            "value": "[parameters('vulnerabilityAssessmentOnManagedInstanceMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "vulnerabilityAssessmentOnServerMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9",
        "parameters": {
          "effect": {
            "value": "[parameters('vulnerabilityAssessmentOnServerMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "VulnerabilityAssessmentshouldbeenabledonVirtualMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9",
        "parameters": {
          "effect": {
            "value": "[parameters('vulnerabilityAssessmentOnVirtualMachinesEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "geoRedundantStorageShouldBeEnabledForStorageAccounts",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bf045164-79ba-4215-8f95-f8048dc1780b",
        "parameters": {
          "effect": {
            "value": "[parameters('geoRedundancyEnabledForStorageAccountsEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "geoRedundantBackupShouldBeEnabledForAzureDatabaseForMariaDB",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0",
        "parameters": {
          "effect": {
            "value": "[parameters('geoRedundancyEnabledForAzureDatabaseForMariaDBEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "geoRedundantBackupShouldBeEnabledForAzureDatabaseForMySQL",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970",
        "parameters": {
          "effect": {
            "value": "[parameters('geoRedundancyEnabledForAzureDatabaseForMySQLEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgreSQL",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430",
        "parameters": {
          "effect": {
            "value": "[parameters('geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "TheAdministratorsGroupDoesNotContainAllOfTheSpecifiedMembers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "membersToInclude": {
            "value": "[parameters('membersToIncludeInAdministratorsLocalGroup')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AuditWindowsVMsInWhichTheAdministratorsGroupContainsAnyOfTheSpecifiedMembers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "membersToExclude": {
            "value": "[parameters('membersToExcludeInAdministratorsLocalGroup')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "auditDiagnosticSetting",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9",
        "parameters": {
          "listOfResourceTypes": {
            "value": "[parameters('listOfResourceTypes')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "adaptiveNetworkHardeningsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6",
        "parameters": {
          "effect": {
            "value": "[parameters('adaptiveNetworkHardeningsMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "previewAuditLogAnalyticsWorkspaceForVmReportMismatch",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f47b5582-33ec-4c5c-87c0-b010a6b2e917",
        "parameters": {
          "logAnalyticsWorkspaceId": {
            "value": "[parameters('logAnalyticsWorkspaceIdForVMs')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "webAppEnforceHttpsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d",
        "parameters": {
          "effect": {
            "value": "[parameters('webAppEnforceHttpsMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "functionAppEnforceHttpsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab",
        "parameters": {
          "effect": {
            "value": "[parameters('functionAppEnforceHttpsMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "identityRemoveExternalAccountWithWritePermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4",
        "parameters": {
          "effect": {
            "value": "[parameters('identityRemoveExternalAccountWithWritePermissionsMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "identityRemoveExternalAccountWithReadPermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60",
        "parameters": {
          "effect": {
            "value": "[parameters('identityRemoveExternalAccountWithReadPermissionsMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "identityRemoveExternalAccountWithOwnerPermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9",
        "parameters": {
          "effect": {
            "value": "[parameters('identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad",
        "parameters": {
          "effect": {
            "value": "[parameters('identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "identityRemoveDeprecatedAccountMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474",
        "parameters": {
          "effect": {
            "value": "[parameters('identityRemoveDeprecatedAccountMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "webAppRestrictCORSAccessMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9",
        "parameters": {
          "effect": {
            "value": "[parameters('webAppRestrictCORSAccessMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "vmssSystemUpdatesMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
        "parameters": {
          "effect": {
            "value": "[parameters('vmssSystemUpdatesMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "identityEnableMFAForWritePermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3",
        "parameters": {
          "effect": {
            "value": "[parameters('identityEnableMFAForWritePermissionsMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "identityEnableMFAForReadPermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64",
        "parameters": {
          "effect": {
            "value": "[parameters('identityEnableMFAForReadPermissionsMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "identityEnableMFAForOwnerPermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed",
        "parameters": {
          "effect": {
            "value": "[parameters('identityEnableMFAForOwnerPermissionsMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "longtermGeoRedundantBackupEnabledAzureSQLDatabases",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570",
        "parameters": {
          "effect": {
            "value": "[parameters('longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "vulnerabilitiesSecurityConfigurationsRemediated",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "ensureHTTPVersionLatestForAPIApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/991310cd-e9f3-47bc-b7b6-f57b557d07db",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "ensureHTTPVersionLatestForFunctionApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e2c1c086-2d84-4019-bff3-c44ccd95113c",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "ensureHTTPVersionLatestForWebApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8c122334-9d20-4eb8-89ea-ac9a705b74ae",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "ensureJavaVersionLatestForAPIApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/88999f4c-376a-45c8-bcb3-4058f713cf39",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "ensureJavaVersionLatestForFunctionApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "ensureJavaVersionLatestForWebApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "ensurePHPVersionLatestForAPIApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "ensurePHPVersionLatestForWebApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "ensurePythonVersionLatestForAPIApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20a-6f8adba71a16",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "ensurePythonVersionLatestForFunctionApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "ensurePythonVersionLatestForWebApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "ensureTLSVersionLatestForAPIApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "ensureTLSVersionLatestForFunctionApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "ensureTLSVersionLatestForWebApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "kubernetesServicesUpgradedToNonVulnerableKubernetesVersion",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "emailNotificationToSubscriptionOwnerHighSeverityAlertsEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "securityContactEmailAddressForSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "logAnalyticsAgentUnstalledVMScaleSets",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/efbde977-ba53-4479-b8e9-10b957924fbf",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "logAnalyticsAgentUnstalledVMs",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a70ca396-0a34-413a-88e1-b956c1e683be",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "microsftIaaSAntimalwareExtensionShouldBeDeployedOnWindowsServers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9b597639-28e4-48eb-b506-56b05d366257",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "NetworkWatcherShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6",
        "parameters": {}
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "8d792a84-723c-4d92-a3c3-e4ed16a2d133"
}
BuiltIn Regulatory Compliance True False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "[Preview]: Australian Government ISM PROTECTED",
    "policyType": "BuiltIn",
    "description": "This initiative includes policies that address a subset of Australian Government Information Security Manual (ISM) controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/auism-initiative.",
    "metadata": {
      "version": "5.0.0-preview",
      "category": "Regulatory Compliance",
      "preview": true
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc-connected servers when evaluating guest configuration policies",
          "description": "By selecting 'true,' you agree to be charged monthly per Arc connected machine; for more information, visit https://aka.ms/policy-pricing"
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "membersToExclude": {
        "type": "String",
        "metadata": {
          "displayName": "List of users that must be excluded from Windows VM Administrators group",
          "description": "A semicolon-separated list of users that should be excluded in the Administrators local group; Ex: Administrator; myUser1; myUser2"
        }
      },
      "logAnalyticsWorkspaceId": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace ID for VM agent reporting",
          "description": "ID (GUID) of the Log Analytics workspace where VMs agents should report"
        }
      },
      "listOfResourceTypes": {
        "type": "Array",
        "metadata": {
          "displayName": "List of resource types that should have resource logs enabled",
          "strongType": "resourceTypes"
        }
      },
      "minimumTLSVersion": {
        "type": "String",
        "metadata": {
          "displayName": "Minimum TLS version for Windows web servers",
          "description": "Windows web servers with lower TLS versions will be assessed as non-compliant"
        },
        "allowedValues": [
          "1.2"
        ],
        "defaultValue": "1.2"
      },
      "enforcePasswordHistory": {
        "type": "String",
        "metadata": {
          "displayName": "Enforce password history for Windows VM local accounts",
          "description": "Specifies limits on password reuse - how many times a new password must be created for a user account before the password can be repeated"
        },
        "defaultValue": "24"
      },
      "maximumPasswordAge": {
        "type": "String",
        "metadata": {
          "displayName": "Maximum password age for Windows VM local accounts",
          "description": "Specifies the maximum number of days that may elapse before a user account password must be changed; the format of the value is two integers separated by a comma, denoting an inclusive range"
        },
        "defaultValue": "1,70"
      },
      "minimumPasswordAge": {
        "type": "String",
        "metadata": {
          "displayName": "Minimum password age for Windows VM local accounts",
          "description": "Specifies the minimum number of days that must elapse before a user account password can be changed"
        },
        "defaultValue": "1"
      },
      "minimumPasswordLength": {
        "type": "String",
        "metadata": {
          "displayName": "Minimum password length for Windows VM local accounts",
          "description": "Specifies the minimum number of characters that a user account password may contain"
        },
        "defaultValue": "10"
      },
      "passwordMustMeetComplexityRequirements": {
        "type": "String",
        "metadata": {
          "displayName": "Password must meet complexity requirements for Windows VM local accounts",
          "description": "Specifies whether a user account password must be complex; if required, a complex password must not contain part of the user's account name or full name; be at least 6 characters long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters"
        },
        "allowedValues": [
          "0",
          "1"
        ],
        "defaultValue": "1"
      },
      "vulnerabilityAssessmentEmailSettingForReceivingScanReportsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "adaptiveNetworkHardeningsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Adaptive network hardening recommendations should be applied on internet facing virtual machines",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityDesignateMoreThanOneOwnerMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: There should be more than one owner assigned to your subscription",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "diskEncryptionMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Disk encryption should be applied on virtual machines",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "functionAppDisableRemoteDebuggingMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Remote debugging should be turned off for Function Apps",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "sqlDbEncryptionMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Transparent Data Encryption on SQL databases should be enabled",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "vulnerabilityAssessmentOnManagedInstanceMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Vulnerability assessment should be enabled on SQL Managed Instance",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "aadAuthenticationInSqlServerMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: An Azure Active Directory administrator should be provisioned for SQL servers",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "diagnosticsLogsInRedisCacheMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Only secure connections to your Azure Cache for Redis should be enabled",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "vmssEndpointProtectionMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Endpoint protection solution should be installed on virtual machine scale sets",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "auditUnrestrictedNetworkToStorageAccountMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage accounts should restrict network access",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "vmssOsVulnerabilitiesMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Vulnerabilities in security configuration on your virtual machine scale sets should be remediated",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "secureTransferToStorageAccountMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Secure transfer to storage accounts should be enabled",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "adaptiveApplicationControlsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Adaptive application controls for defining safe applications should be enabled on your machines",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityDesignateLessThanOwnersMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: A maximum of 3 owners should be designated for your subscription",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "serverVulnerabilityAssessmentEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: A vulnerability assessment solution should be enabled on your virtual machines",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "webAppRestrictCORSAccessMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: CORS should not allow every resource to access your Web Applications",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityRemoveExternalAccountWithWritePermissionsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: External accounts with write permissions should be removed from your subscription",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityRemoveDeprecatedAccountMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Deprecated accounts should be removed from your subscription",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "functionAppEnforceHttpsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Function App should only be accessible over HTTPS",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "systemUpdatesMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: System updates should be installed on your machines",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "apiAppRequireLatestTlsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Latest TLS version should be used in your API App",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityEnableMFAForWritePermissionsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: MFA should be enabled accounts with write permissions on your subscription",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "anitmalwareRequiredForWindowsServersEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Microsoft IaaSAntimalware extension should be deployed on Windows servers",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "webAppEnforceHttpsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Web Application should only be accessible over HTTPS",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "vnetEnableDDoSProtectionMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure DDoS Protection Standard should be enabled",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityEnableMFAForOwnerPermissionsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: MFA should be enabled on accounts with owner permissions on your subscription",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "sqlServerAdvancedDataSecurityMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Defender for SQL should be enabled for unprotected Azure SQL servers",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "sqlManagedInstanceAdvancedDataSecurityMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Defender for SQL should be enabled for unprotected SQL Managed Instances",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "endpointProtectionMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Monitor missing Endpoint Protection in Azure Security Center",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "jitNetworkAccessMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Management ports of virtual machines should be protected with just-in-time network access control",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "aadAuthenticationInServiceFabricMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Service Fabric clusters should only use Azure Active Directory for client authentication",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "apiAppEnforceHttpsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: API App should only be accessible over HTTPS",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "vmssSystemUpdatesMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: System updates on virtual machine scale sets should be installed",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "webAppDisableRemoteDebuggingMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Remote debugging should be turned off for Web Applications",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "systemConfigurationsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Vulnerabilities in security configuration on your machines should be remediated",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityEnableMFAForReadPermissionsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: MFA should be enabled on accounts with read permissions on your subscription",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "containerBenchmarkMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Vulnerabilities in container security configurations should be remediated",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "apiAppDisableRemoteDebuggingMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Remote debugging should be turned off for API Apps",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Deprecated accounts with owner permissions should be removed from your subscription",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "vulnerabilityAssessmentOnServerMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Vulnerability assessment should be enabled on your SQL servers",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "webAppRequireLatestTlsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Latest TLS version should be used in your Web App",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "networkSecurityGroupsOnVirtualMachinesMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Internet-facing virtual machines should be protected with network security groups",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: External accounts with owner permissions should be removed from your subscription",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "functionAppRequireLatestTlsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Latest TLS version should be used in your Function App",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "sqlDbVulnerabilityAssesmentMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: SQL databases should have vulnerability findings resolved",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "listOfImageIdToIncludeWindows": {
        "type": "Array",
        "metadata": {
          "displayName": "[Deprecated]: Optional: List of VM images that have supported Windows OS to add to scope",
          "description": "Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'",
          "deprecated": true
        },
        "defaultValue": []
      },
      "listOfImageIdToIncludeLinux": {
        "type": "Array",
        "metadata": {
          "displayName": "[Deprecated]: Optional: List of VM images that have supported Linux OS to add to scope",
          "description": "Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'",
          "deprecated": true
        },
        "defaultValue": []
      },
      "vulnerabilityAssessmentMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Vulnerabilities should be remediated by a Vulnerability Assessment solution",
          "description": "Enable or disable the detection of VM vulnerabilities by a vulnerability assessment solution",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "logProfilesForActivityLogEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Azure subscriptions should have a log profile for Activity Log",
          "description": "Enable or disable the monitoring of a log profile for Activity Log in subscription",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "auditVirtualMachinesWithoutDisasterRecoveryConfigured",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56",
        "parameters": {},
        "groupNames": [
          "AU_ISM_1511"
        ]
      },
      {
        "policyDefinitionReferenceId": "vulnerabilityAssessmentEmailSettingForReceivingScanReports",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9",
        "parameters": {
          "effect": {
            "value": "[parameters('vulnerabilityAssessmentEmailSettingForReceivingScanReportsEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_1144",
          "AU_ISM_1472",
          "AU_ISM_1494",
          "AU_ISM_1495",
          "AU_ISM_1496",
          "AU_ISM_940"
        ]
      },
      {
        "policyDefinitionReferenceId": "adaptiveNetworkHardeningsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6",
        "parameters": {
          "effect": {
            "value": "[parameters('adaptiveNetworkHardeningsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_1182"
        ]
      },
      {
        "policyDefinitionReferenceId": "identityDesignateMoreThanOneOwnerMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b",
        "parameters": {
          "effect": {
            "value": "[parameters('identityDesignateMoreThanOneOwnerMonitoringEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_1503",
          "AU_ISM_1508"
        ]
      },
      {
        "policyDefinitionReferenceId": "diskEncryptionMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d",
        "parameters": {
          "effect": {
            "value": "[parameters('diskEncryptionMonitoringEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_1425",
          "AU_ISM_459"
        ]
      },
      {
        "policyDefinitionReferenceId": "functionAppDisableRemoteDebuggingMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9",
        "parameters": {
          "effect": {
            "value": "[parameters('functionAppDisableRemoteDebuggingMonitoringEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_1386"
        ]
      },
      {
        "policyDefinitionReferenceId": "AdministratorsGroupMembersToExclude",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "MembersToExclude": {
            "value": "[parameters('membersToExclude')]"
          }
        },
        "groupNames": [
          "AU_ISM_1503",
          "AU_ISM_1507",
          "AU_ISM_1508",
          "AU_ISM_415",
          "AU_ISM_445"
        ]
      },
      {
        "policyDefinitionReferenceId": "sqlDbEncryptionMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12",
        "parameters": {
          "effect": {
            "value": "[parameters('sqlDbEncryptionMonitoringEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_1425"
        ]
      },
      {
        "policyDefinitionReferenceId": "vulnerabilityAssessmentOnManagedInstanceMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a",
        "parameters": {
          "effect": {
            "value": "[parameters('vulnerabilityAssessmentOnManagedInstanceMonitoringEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_1144",
          "AU_ISM_1472",
          "AU_ISM_1494",
          "AU_ISM_1495",
          "AU_ISM_1496",
          "AU_ISM_940"
        ]
      },
      {
        "policyDefinitionReferenceId": "aadAuthenticationInSqlServerMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9",
        "parameters": {
          "effect": {
            "value": "[parameters('aadAuthenticationInSqlServerMonitoringEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_1260",
          "AU_ISM_1261",
          "AU_ISM_1262",
          "AU_ISM_1263",
          "AU_ISM_1264"
        ]
      },
      {
        "policyDefinitionReferenceId": "diagnosticsLogsInRedisCacheMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb",
        "parameters": {
          "effect": {
            "value": "[parameters('diagnosticsLogsInRedisCacheMonitoringEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_1277",
          "AU_ISM_1552"
        ]
      },
      {
        "policyDefinitionReferenceId": "vmssEndpointProtectionMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de",
        "parameters": {
          "effect": {
            "value": "[parameters('vmssEndpointProtectionMonitoringEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_1288",
          "AU_ISM_1417"
        ]
      },
      {
        "policyDefinitionReferenceId": "previewAuditLinuxVmAccountsWithNoPasswords",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f6ec09a3-78bf-4f8f-99dc-6c77182d0f99",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "AU_ISM_1546"
        ]
      },
      {
        "policyDefinitionReferenceId": "auditUnrestrictedNetworkToStorageAccountMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c",
        "parameters": {
          "effect": {
            "value": "[parameters('auditUnrestrictedNetworkToStorageAccountMonitoringEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_1182",
          "AU_ISM_1546",
          "AU_ISM_520"
        ]
      },
      {
        "policyDefinitionReferenceId": "vmssOsVulnerabilitiesMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4",
        "parameters": {
          "effect": {
            "value": "[parameters('vmssOsVulnerabilitiesMonitoringEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_1144",
          "AU_ISM_1472",
          "AU_ISM_1494",
          "AU_ISM_1495",
          "AU_ISM_1496",
          "AU_ISM_940"
        ]
      },
      {
        "policyDefinitionReferenceId": "secureTransferToStorageAccountMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
        "parameters": {
          "effect": {
            "value": "[parameters('secureTransferToStorageAccountMonitoringEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_1277"
        ]
      },
      {
        "policyDefinitionReferenceId": "adaptiveApplicationControlsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc",
        "parameters": {
          "effect": {
            "value": "[parameters('adaptiveApplicationControlsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_1490"
        ]
      },
      {
        "policyDefinitionReferenceId": "identityDesignateLessThanOwnersMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c",
        "parameters": {
          "effect": {
            "value": "[parameters('identityDesignateLessThanOwnersMonitoringEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_1503",
          "AU_ISM_1508"
        ]
      },
      {
        "policyDefinitionReferenceId": "serverVulnerabilityAssessment",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9",
        "parameters": {
          "effect": {
            "value": "[parameters('serverVulnerabilityAssessmentEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_1144",
          "AU_ISM_1472",
          "AU_ISM_1494",
          "AU_ISM_1495",
          "AU_ISM_1496",
          "AU_ISM_940"
        ]
      },
      {
        "policyDefinitionReferenceId": "webAppRestrictCORSAccessMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9",
        "parameters": {
          "effect": {
            "value": "[parameters('webAppRestrictCORSAccessMonitoringEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_1424"
        ]
      },
      {
        "policyDefinitionReferenceId": "identityRemoveExternalAccountWithWritePermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4",
        "parameters": {
          "effect": {
            "value": "[parameters('identityRemoveExternalAccountWithWritePermissionsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_441"
        ]
      },
      {
        "policyDefinitionReferenceId": "identityRemoveDeprecatedAccountMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474",
        "parameters": {
          "effect": {
            "value": "[parameters('identityRemoveDeprecatedAccountMonitoringEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_380",
          "AU_ISM_430",
          "AU_ISM_441"
        ]
      },
      {
        "policyDefinitionReferenceId": "functionAppEnforceHttpsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab",
        "parameters": {
          "effect": {
            "value": "[parameters('functionAppEnforceHttpsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_1552"
        ]
      },
      {
        "policyDefinitionReferenceId": "auditDiagnosticSetting",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9",
        "parameters": {
          "listOfResourceTypes": {
            "value": "[parameters('listOfResourceTypes')]"
          }
        },
        "groupNames": [
          "AU_ISM_1537",
          "AU_ISM_582"
        ]
      },
      {
        "policyDefinitionReferenceId": "systemUpdatesMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
        "parameters": {
          "effect": {
            "value": "[parameters('systemUpdatesMonitoringEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_1407"
        ]
      },
      {
        "policyDefinitionReferenceId": "apiAppRequireLatestTlsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e",
        "parameters": {
          "effect": {
            "value": "[parameters('apiAppRequireLatestTlsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_1139"
        ]
      },
      {
        "policyDefinitionReferenceId": "identityEnableMFAForWritePermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3",
        "parameters": {
          "effect": {
            "value": "[parameters('identityEnableMFAForWritePermissionsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_1173",
          "AU_ISM_1384",
          "AU_ISM_414"
        ]
      },
      {
        "policyDefinitionReferenceId": "anitmalwareRequiredForWindowsServers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9b597639-28e4-48eb-b506-56b05d366257",
        "parameters": {
          "effect": {
            "value": "[parameters('anitmalwareRequiredForWindowsServersEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_1288",
          "AU_ISM_1417"
        ]
      },
      {
        "policyDefinitionReferenceId": "webAppEnforceHttpsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d",
        "parameters": {
          "effect": {
            "value": "[parameters('webAppEnforceHttpsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_1552"
        ]
      },
      {
        "policyDefinitionReferenceId": "vnetEnableDDoSProtectionMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd",
        "parameters": {
          "effect": {
            "value": "[parameters('vnetEnableDDoSProtectionMonitoringEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_1431"
        ]
      },
      {
        "policyDefinitionReferenceId": "identityEnableMFAForOwnerPermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed",
        "parameters": {
          "effect": {
            "value": "[parameters('identityEnableMFAForOwnerPermissionsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_1173",
          "AU_ISM_1384",
          "AU_ISM_414"
        ]
      },
      {
        "policyDefinitionReferenceId": "sqlServerAdvancedDataSecurityMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9",
        "parameters": {
          "effect": {
            "value": "[parameters('sqlServerAdvancedDataSecurityMonitoringEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_1537"
        ]
      },
      {
        "policyDefinitionReferenceId": "sqlManagedInstanceAdvancedDataSecurityMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9",
        "parameters": {
          "effect": {
            "value": "[parameters('sqlManagedInstanceAdvancedDataSecurityMonitoringEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_1537"
        ]
      },
      {
        "policyDefinitionReferenceId": "endpointProtectionMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9",
        "parameters": {
          "effect": {
            "value": "[parameters('endpointProtectionMonitoringEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_1288",
          "AU_ISM_1417"
        ]
      },
      {
        "policyDefinitionReferenceId": "jitNetworkAccessMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c",
        "parameters": {
          "effect": {
            "value": "[parameters('jitNetworkAccessMonitoringEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_1386",
          "AU_ISM_1508"
        ]
      },
      {
        "policyDefinitionReferenceId": "auditWindowsTLS",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "MinimumTLSVersion": {
            "value": "[parameters('minimumTLSVersion')]"
          }
        },
        "groupNames": [
          "AU_ISM_1139",
          "AU_ISM_1277"
        ]
      },
      {
        "policyDefinitionReferenceId": "aadAuthenticationInServiceFabricMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0",
        "parameters": {
          "effect": {
            "value": "[parameters('aadAuthenticationInServiceFabricMonitoringEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_1546"
        ]
      },
      {
        "policyDefinitionReferenceId": "apiAppEnforceHttpsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6",
        "parameters": {
          "effect": {
            "value": "[parameters('apiAppEnforceHttpsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_1552"
        ]
      },
      {
        "policyDefinitionReferenceId": "vmssSystemUpdatesMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
        "parameters": {
          "effect": {
            "value": "[parameters('vmssSystemUpdatesMonitoringEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_1407"
        ]
      },
      {
        "policyDefinitionReferenceId": "webAppDisableRemoteDebuggingMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71",
        "parameters": {
          "effect": {
            "value": "[parameters('webAppDisableRemoteDebuggingMonitoringEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_1386"
        ]
      },
      {
        "policyDefinitionReferenceId": "systemConfigurationsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15",
        "parameters": {
          "effect": {
            "value": "[parameters('systemConfigurationsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_1144",
          "AU_ISM_1472",
          "AU_ISM_1494",
          "AU_ISM_1495",
          "AU_ISM_1496",
          "AU_ISM_940"
        ]
      },
      {
        "policyDefinitionReferenceId": "identityEnableMFAForReadPermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64",
        "parameters": {
          "effect": {
            "value": "[parameters('identityEnableMFAForReadPermissionsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_1384",
          "AU_ISM_414",
          "AU_ISM_947"
        ]
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_AddSystemIdentityWhenNone",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e",
        "parameters": {},
        "groupNames": [
          "AU_ISM_1139",
          "AU_ISM_1277",
          "AU_ISM_1503",
          "AU_ISM_1507",
          "AU_ISM_1508",
          "AU_ISM_1546",
          "AU_ISM_415",
          "AU_ISM_421",
          "AU_ISM_445"
        ]
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_AddSystemIdentityWhenUser",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6",
        "parameters": {},
        "groupNames": [
          "AU_ISM_1139",
          "AU_ISM_1277",
          "AU_ISM_1503",
          "AU_ISM_1507",
          "AU_ISM_1508",
          "AU_ISM_1546",
          "AU_ISM_415",
          "AU_ISM_421",
          "AU_ISM_445"
        ]
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_DeployExtensionWindows",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6",
        "parameters": {},
        "groupNames": [
          "AU_ISM_1139",
          "AU_ISM_1277",
          "AU_ISM_1503",
          "AU_ISM_1507",
          "AU_ISM_1508",
          "AU_ISM_415",
          "AU_ISM_421",
          "AU_ISM_445"
        ]
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_DeployExtensionLinux",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da",
        "parameters": {},
        "groupNames": [
          "AU_ISM_1546"
        ]
      },
      {
        "policyDefinitionReferenceId": "AzureBaselineSecuritySettingsAccountPolicies",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f2143251-70de-4e81-87a8-36cee5a2f29d",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "EnforcePasswordHistory": {
            "value": "[parameters('enforcePasswordHistory')]"
          },
          "MaximumPasswordAge": {
            "value": "[parameters('maximumPasswordAge')]"
          },
          "MinimumPasswordAge": {
            "value": "[parameters('minimumPasswordAge')]"
          },
          "MinimumPasswordLength": {
            "value": "[parameters('minimumPasswordLength')]"
          },
          "PasswordMustMeetComplexityRequirements": {
            "value": "[parameters('passwordMustMeetComplexityRequirements')]"
          }
        },
        "groupNames": [
          "AU_ISM_421"
        ]
      },
      {
        "policyDefinitionReferenceId": "containerBenchmarkMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933",
        "parameters": {
          "effect": {
            "value": "[parameters('containerBenchmarkMonitoringEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_1144",
          "AU_ISM_1472",
          "AU_ISM_1494",
          "AU_ISM_1495",
          "AU_ISM_1496",
          "AU_ISM_940"
        ]
      },
      {
        "policyDefinitionReferenceId": "apiAppDisableRemoteDebuggingMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e",
        "parameters": {
          "effect": {
            "value": "[parameters('apiAppDisableRemoteDebuggingMonitoringEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_1386"
        ]
      },
      {
        "policyDefinitionReferenceId": "identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad",
        "parameters": {
          "effect": {
            "value": "[parameters('identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_380",
          "AU_ISM_430",
          "AU_ISM_441"
        ]
      },
      {
        "policyDefinitionReferenceId": "previewAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ea53dbee-c6c9-4f0e-9f9e-de0039b78023",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "AU_ISM_1546"
        ]
      },
      {
        "policyDefinitionReferenceId": "vulnerabilityAssessmentOnServerMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9",
        "parameters": {
          "effect": {
            "value": "[parameters('vulnerabilityAssessmentOnServerMonitoringEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_1144",
          "AU_ISM_1472",
          "AU_ISM_1494",
          "AU_ISM_1495",
          "AU_ISM_1496",
          "AU_ISM_940"
        ]
      },
      {
        "policyDefinitionReferenceId": "webAppRequireLatestTlsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b",
        "parameters": {
          "effect": {
            "value": "[parameters('webAppRequireLatestTlsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_1139"
        ]
      },
      {
        "policyDefinitionReferenceId": "previewAuditLogAnalyticsWorkspaceForVmReportMismatch",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f47b5582-33ec-4c5c-87c0-b010a6b2e917",
        "parameters": {
          "logAnalyticsWorkspaceId": {
            "value": "[parameters('logAnalyticsWorkspaceId')]"
          }
        },
        "groupNames": [
          "AU_ISM_582"
        ]
      },
      {
        "policyDefinitionReferenceId": "networkSecurityGroupsOnVirtualMachinesMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c",
        "parameters": {
          "effect": {
            "value": "[parameters('networkSecurityGroupsOnVirtualMachinesMonitoringEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_1182"
        ]
      },
      {
        "policyDefinitionReferenceId": "identityRemoveExternalAccountWithOwnerPermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9",
        "parameters": {
          "effect": {
            "value": "[parameters('identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_441"
        ]
      },
      {
        "policyDefinitionReferenceId": "functionAppRequireLatestTlsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193",
        "parameters": {
          "effect": {
            "value": "[parameters('functionAppRequireLatestTlsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_1139"
        ]
      },
      {
        "policyDefinitionReferenceId": "sqlDbVulnerabilityAssesmentMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc",
        "parameters": {
          "effect": {
            "value": "[parameters('sqlDbVulnerabilityAssesmentMonitoringEffect')]"
          }
        },
        "groupNames": [
          "AU_ISM_1144",
          "AU_ISM_1472",
          "AU_ISM_1494",
          "AU_ISM_1495",
          "AU_ISM_1496",
          "AU_ISM_940"
        ]
      }
    ],
    "policyDefinitionGroups": [
      {
        "name": "AU_ISM_100",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_100"
      },
      {
        "name": "AU_ISM_1000",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1000"
      },
      {
        "name": "AU_ISM_1001",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1001"
      },
      {
        "name": "AU_ISM_1006",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1006"
      },
      {
        "name": "AU_ISM_1013",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1013"
      },
      {
        "name": "AU_ISM_1014",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1014"
      },
      {
        "name": "AU_ISM_1015",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1015"
      },
      {
        "name": "AU_ISM_1019",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1019"
      },
      {
        "name": "AU_ISM_1023",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1023"
      },
      {
        "name": "AU_ISM_1024",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1024"
      },
      {
        "name": "AU_ISM_1026",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1026"
      },
      {
        "name": "AU_ISM_1027",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1027"
      },
      {
        "name": "AU_ISM_1028",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1028"
      },
      {
        "name": "AU_ISM_1030",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1030"
      },
      {
        "name": "AU_ISM_1034",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1034"
      },
      {
        "name": "AU_ISM_1036",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1036"
      },
      {
        "name": "AU_ISM_1037",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1037"
      },
      {
        "name": "AU_ISM_1039",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1039"
      },
      {
        "name": "AU_ISM_1053",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1053"
      },
      {
        "name": "AU_ISM_1055",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1055"
      },
      {
        "name": "AU_ISM_1058",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1058"
      },
      {
        "name": "AU_ISM_1059",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1059"
      },
      {
        "name": "AU_ISM_1065",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1065"
      },
      {
        "name": "AU_ISM_1067",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1067"
      },
      {
        "name": "AU_ISM_1071",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1071"
      },
      {
        "name": "AU_ISM_1073",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1073"
      },
      {
        "name": "AU_ISM_1074",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1074"
      },
      {
        "name": "AU_ISM_1075",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1075"
      },
      {
        "name": "AU_ISM_1076",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1076"
      },
      {
        "name": "AU_ISM_1078",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1078"
      },
      {
        "name": "AU_ISM_1079",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1079"
      },
      {
        "name": "AU_ISM_1080",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1080"
      },
      {
        "name": "AU_ISM_1082",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1082"
      },
      {
        "name": "AU_ISM_1083",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1083"
      },
      {
        "name": "AU_ISM_1084",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1084"
      },
      {
        "name": "AU_ISM_1085",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1085"
      },
      {
        "name": "AU_ISM_1088",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1088"
      },
      {
        "name": "AU_ISM_1089",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1089"
      },
      {
        "name": "AU_ISM_109",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_109"
      },
      {
        "name": "AU_ISM_1091",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1091"
      },
      {
        "name": "AU_ISM_1092",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1092"
      },
      {
        "name": "AU_ISM_1095",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1095"
      },
      {
        "name": "AU_ISM_1096",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1096"
      },
      {
        "name": "AU_ISM_1098",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1098"
      },
      {
        "name": "AU_ISM_1100",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1100"
      },
      {
        "name": "AU_ISM_1101",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1101"
      },
      {
        "name": "AU_ISM_1102",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1102"
      },
      {
        "name": "AU_ISM_1103",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1103"
      },
      {
        "name": "AU_ISM_1104",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1104"
      },
      {
        "name": "AU_ISM_1105",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1105"
      },
      {
        "name": "AU_ISM_1107",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1107"
      },
      {
        "name": "AU_ISM_1109",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1109"
      },
      {
        "name": "AU_ISM_1111",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1111"
      },
      {
        "name": "AU_ISM_1112",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1112"
      },
      {
        "name": "AU_ISM_1114",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1114"
      },
      {
        "name": "AU_ISM_1115",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1115"
      },
      {
        "name": "AU_ISM_1116",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1116"
      },
      {
        "name": "AU_ISM_1118",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1118"
      },
      {
        "name": "AU_ISM_1119",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1119"
      },
      {
        "name": "AU_ISM_1122",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1122"
      },
      {
        "name": "AU_ISM_1123",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1123"
      },
      {
        "name": "AU_ISM_1126",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1126"
      },
      {
        "name": "AU_ISM_1130",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1130"
      },
      {
        "name": "AU_ISM_1133",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1133"
      },
      {
        "name": "AU_ISM_1134",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1134"
      },
      {
        "name": "AU_ISM_1135",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1135"
      },
      {
        "name": "AU_ISM_1137",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1137"
      },
      {
        "name": "AU_ISM_1139",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1139"
      },
      {
        "name": "AU_ISM_1143",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1143"
      },
      {
        "name": "AU_ISM_1144",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1144"
      },
      {
        "name": "AU_ISM_1145",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1145"
      },
      {
        "name": "AU_ISM_1146",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1146"
      },
      {
        "name": "AU_ISM_1151",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1151"
      },
      {
        "name": "AU_ISM_1152",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1152"
      },
      {
        "name": "AU_ISM_1157",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1157"
      },
      {
        "name": "AU_ISM_1158",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1158"
      },
      {
        "name": "AU_ISM_1160",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1160"
      },
      {
        "name": "AU_ISM_1161",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1161"
      },
      {
        "name": "AU_ISM_1162",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1162"
      },
      {
        "name": "AU_ISM_1163",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1163"
      },
      {
        "name": "AU_ISM_1164",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1164"
      },
      {
        "name": "AU_ISM_1170",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1170"
      },
      {
        "name": "AU_ISM_1171",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1171"
      },
      {
        "name": "AU_ISM_1173",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1173"
      },
      {
        "name": "AU_ISM_1175",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1175"
      },
      {
        "name": "AU_ISM_1178",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1178"
      },
      {
        "name": "AU_ISM_1181",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1181"
      },
      {
        "name": "AU_ISM_1182",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1182"
      },
      {
        "name": "AU_ISM_1183",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1183"
      },
      {
        "name": "AU_ISM_1185",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1185"
      },
      {
        "name": "AU_ISM_1186",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1186"
      },
      {
        "name": "AU_ISM_1187",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1187"
      },
      {
        "name": "AU_ISM_1192",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1192"
      },
      {
        "name": "AU_ISM_1194",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1194"
      },
      {
        "name": "AU_ISM_1195",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1195"
      },
      {
        "name": "AU_ISM_1196",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1196"
      },
      {
        "name": "AU_ISM_1198",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1198"
      },
      {
        "name": "AU_ISM_1199",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1199"
      },
      {
        "name": "AU_ISM_120",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_120"
      },
      {
        "name": "AU_ISM_1200",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1200"
      },
      {
        "name": "AU_ISM_1202",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1202"
      },
      {
        "name": "AU_ISM_1211",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1211"
      },
      {
        "name": "AU_ISM_1213",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1213"
      },
      {
        "name": "AU_ISM_1216",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1216"
      },
      {
        "name": "AU_ISM_1217",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1217"
      },
      {
        "name": "AU_ISM_1218",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1218"
      },
      {
        "name": "AU_ISM_1219",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1219"
      },
      {
        "name": "AU_ISM_1220",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1220"
      },
      {
        "name": "AU_ISM_1221",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1221"
      },
      {
        "name": "AU_ISM_1222",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1222"
      },
      {
        "name": "AU_ISM_1223",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1223"
      },
      {
        "name": "AU_ISM_1225",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1225"
      },
      {
        "name": "AU_ISM_1226",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1226"
      },
      {
        "name": "AU_ISM_1227",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1227"
      },
      {
        "name": "AU_ISM_1228",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1228"
      },
      {
        "name": "AU_ISM_123",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_123"
      },
      {
        "name": "AU_ISM_1232",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1232"
      },
      {
        "name": "AU_ISM_1233",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1233"
      },
      {
        "name": "AU_ISM_1234",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1234"
      },
      {
        "name": "AU_ISM_1235",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1235"
      },
      {
        "name": "AU_ISM_1236",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1236"
      },
      {
        "name": "AU_ISM_1237",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1237"
      },
      {
        "name": "AU_ISM_1238",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1238"
      },
      {
        "name": "AU_ISM_1239",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1239"
      },
      {
        "name": "AU_ISM_1240",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1240"
      },
      {
        "name": "AU_ISM_1241",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1241"
      },
      {
        "name": "AU_ISM_1243",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1243"
      },
      {
        "name": "AU_ISM_1245",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1245"
      },
      {
        "name": "AU_ISM_1246",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1246"
      },
      {
        "name": "AU_ISM_1247",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1247"
      },
      {
        "name": "AU_ISM_1249",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1249"
      },
      {
        "name": "AU_ISM_125",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_125"
      },
      {
        "name": "AU_ISM_1250",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1250"
      },
      {
        "name": "AU_ISM_1251",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1251"
      },
      {
        "name": "AU_ISM_1252",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1252"
      },
      {
        "name": "AU_ISM_1255",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1255"
      },
      {
        "name": "AU_ISM_1256",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1256"
      },
      {
        "name": "AU_ISM_1258",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1258"
      },
      {
        "name": "AU_ISM_1260",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1260"
      },
      {
        "name": "AU_ISM_1261",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1261"
      },
      {
        "name": "AU_ISM_1262",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1262"
      },
      {
        "name": "AU_ISM_1263",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1263"
      },
      {
        "name": "AU_ISM_1264",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1264"
      },
      {
        "name": "AU_ISM_1268",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1268"
      },
      {
        "name": "AU_ISM_1269",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1269"
      },
      {
        "name": "AU_ISM_1270",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1270"
      },
      {
        "name": "AU_ISM_1271",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1271"
      },
      {
        "name": "AU_ISM_1272",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1272"
      },
      {
        "name": "AU_ISM_1273",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1273"
      },
      {
        "name": "AU_ISM_1274",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1274"
      },
      {
        "name": "AU_ISM_1275",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1275"
      },
      {
        "name": "AU_ISM_1276",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1276"
      },
      {
        "name": "AU_ISM_1277",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1277"
      },
      {
        "name": "AU_ISM_1278",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1278"
      },
      {
        "name": "AU_ISM_1284",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1284"
      },
      {
        "name": "AU_ISM_1286",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1286"
      },
      {
        "name": "AU_ISM_1287",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1287"
      },
      {
        "name": "AU_ISM_1288",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1288"
      },
      {
        "name": "AU_ISM_1289",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1289"
      },
      {
        "name": "AU_ISM_1290",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1290"
      },
      {
        "name": "AU_ISM_1291",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1291"
      },
      {
        "name": "AU_ISM_1292",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1292"
      },
      {
        "name": "AU_ISM_1293",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1293"
      },
      {
        "name": "AU_ISM_1294",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1294"
      },
      {
        "name": "AU_ISM_1296",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1296"
      },
      {
        "name": "AU_ISM_1297",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1297"
      },
      {
        "name": "AU_ISM_1298",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1298"
      },
      {
        "name": "AU_ISM_1299",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1299"
      },
      {
        "name": "AU_ISM_1300",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1300"
      },
      {
        "name": "AU_ISM_1301",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1301"
      },
      {
        "name": "AU_ISM_1304",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1304"
      },
      {
        "name": "AU_ISM_1311",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1311"
      },
      {
        "name": "AU_ISM_1312",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1312"
      },
      {
        "name": "AU_ISM_1314",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1314"
      },
      {
        "name": "AU_ISM_1315",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1315"
      },
      {
        "name": "AU_ISM_1316",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1316"
      },
      {
        "name": "AU_ISM_1317",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1317"
      },
      {
        "name": "AU_ISM_1318",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1318"
      },
      {
        "name": "AU_ISM_1319",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1319"
      },
      {
        "name": "AU_ISM_1320",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1320"
      },
      {
        "name": "AU_ISM_1321",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1321"
      },
      {
        "name": "AU_ISM_1322",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1322"
      },
      {
        "name": "AU_ISM_1323",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1323"
      },
      {
        "name": "AU_ISM_1324",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1324"
      },
      {
        "name": "AU_ISM_1325",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1325"
      },
      {
        "name": "AU_ISM_1326",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1326"
      },
      {
        "name": "AU_ISM_1327",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1327"
      },
      {
        "name": "AU_ISM_133",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_133"
      },
      {
        "name": "AU_ISM_1330",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1330"
      },
      {
        "name": "AU_ISM_1332",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1332"
      },
      {
        "name": "AU_ISM_1334",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1334"
      },
      {
        "name": "AU_ISM_1335",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1335"
      },
      {
        "name": "AU_ISM_1338",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1338"
      },
      {
        "name": "AU_ISM_1341",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1341"
      },
      {
        "name": "AU_ISM_1357",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1357"
      },
      {
        "name": "AU_ISM_1359",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1359"
      },
      {
        "name": "AU_ISM_1361",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1361"
      },
      {
        "name": "AU_ISM_1364",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1364"
      },
      {
        "name": "AU_ISM_1365",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1365"
      },
      {
        "name": "AU_ISM_1366",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1366"
      },
      {
        "name": "AU_ISM_1369",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1369"
      },
      {
        "name": "AU_ISM_137",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_137"
      },
      {
        "name": "AU_ISM_1370",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1370"
      },
      {
        "name": "AU_ISM_1372",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1372"
      },
      {
        "name": "AU_ISM_1373",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1373"
      },
      {
        "name": "AU_ISM_1374",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1374"
      },
      {
        "name": "AU_ISM_1375",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1375"
      },
      {
        "name": "AU_ISM_138",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_138"
      },
      {
        "name": "AU_ISM_1380",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1380"
      },
      {
        "name": "AU_ISM_1381",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1381"
      },
      {
        "name": "AU_ISM_1382",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1382"
      },
      {
        "name": "AU_ISM_1383",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1383"
      },
      {
        "name": "AU_ISM_1384",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1384"
      },
      {
        "name": "AU_ISM_1385",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1385"
      },
      {
        "name": "AU_ISM_1386",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1386"
      },
      {
        "name": "AU_ISM_1387",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1387"
      },
      {
        "name": "AU_ISM_1388",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1388"
      },
      {
        "name": "AU_ISM_1389",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1389"
      },
      {
        "name": "AU_ISM_1390",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1390"
      },
      {
        "name": "AU_ISM_1392",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1392"
      },
      {
        "name": "AU_ISM_1395",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1395"
      },
      {
        "name": "AU_ISM_140",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_140"
      },
      {
        "name": "AU_ISM_1400",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1400"
      },
      {
        "name": "AU_ISM_1401",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1401"
      },
      {
        "name": "AU_ISM_1402",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1402"
      },
      {
        "name": "AU_ISM_1403",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1403"
      },
      {
        "name": "AU_ISM_1404",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1404"
      },
      {
        "name": "AU_ISM_1405",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1405"
      },
      {
        "name": "AU_ISM_1406",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1406"
      },
      {
        "name": "AU_ISM_1407",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1407"
      },
      {
        "name": "AU_ISM_1408",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1408"
      },
      {
        "name": "AU_ISM_1409",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1409"
      },
      {
        "name": "AU_ISM_141",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_141"
      },
      {
        "name": "AU_ISM_1410",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1410"
      },
      {
        "name": "AU_ISM_1412",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1412"
      },
      {
        "name": "AU_ISM_1414",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1414"
      },
      {
        "name": "AU_ISM_1416",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1416"
      },
      {
        "name": "AU_ISM_1417",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1417"
      },
      {
        "name": "AU_ISM_1418",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1418"
      },
      {
        "name": "AU_ISM_1419",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1419"
      },
      {
        "name": "AU_ISM_142",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_142"
      },
      {
        "name": "AU_ISM_1420",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1420"
      },
      {
        "name": "AU_ISM_1422",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1422"
      },
      {
        "name": "AU_ISM_1424",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1424"
      },
      {
        "name": "AU_ISM_1425",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1425"
      },
      {
        "name": "AU_ISM_1427",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1427"
      },
      {
        "name": "AU_ISM_1428",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1428"
      },
      {
        "name": "AU_ISM_1429",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1429"
      },
      {
        "name": "AU_ISM_1430",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1430"
      },
      {
        "name": "AU_ISM_1431",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1431"
      },
      {
        "name": "AU_ISM_1432",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1432"
      },
      {
        "name": "AU_ISM_1433",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1433"
      },
      {
        "name": "AU_ISM_1434",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1434"
      },
      {
        "name": "AU_ISM_1435",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1435"
      },
      {
        "name": "AU_ISM_1436",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1436"
      },
      {
        "name": "AU_ISM_1437",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1437"
      },
      {
        "name": "AU_ISM_1438",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1438"
      },
      {
        "name": "AU_ISM_1439",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1439"
      },
      {
        "name": "AU_ISM_1441",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1441"
      },
      {
        "name": "AU_ISM_1446",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1446"
      },
      {
        "name": "AU_ISM_1448",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1448"
      },
      {
        "name": "AU_ISM_1449",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1449"
      },
      {
        "name": "AU_ISM_1450",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1450"
      },
      {
        "name": "AU_ISM_1451",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1451"
      },
      {
        "name": "AU_ISM_1452",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1452"
      },
      {
        "name": "AU_ISM_1453",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1453"
      },
      {
        "name": "AU_ISM_1454",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1454"
      },
      {
        "name": "AU_ISM_1457",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1457"
      },
      {
        "name": "AU_ISM_1458",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1458"
      },
      {
        "name": "AU_ISM_1460",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1460"
      },
      {
        "name": "AU_ISM_1461",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1461"
      },
      {
        "name": "AU_ISM_1462",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1462"
      },
      {
        "name": "AU_ISM_1464",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1464"
      },
      {
        "name": "AU_ISM_1467",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1467"
      },
      {
        "name": "AU_ISM_1468",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1468"
      },
      {
        "name": "AU_ISM_1469",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1469"
      },
      {
        "name": "AU_ISM_1470",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1470"
      },
      {
        "name": "AU_ISM_1471",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1471"
      },
      {
        "name": "AU_ISM_1472",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1472"
      },
      {
        "name": "AU_ISM_1478",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1478"
      },
      {
        "name": "AU_ISM_1479",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1479"
      },
      {
        "name": "AU_ISM_1480",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1480"
      },
      {
        "name": "AU_ISM_1482",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1482"
      },
      {
        "name": "AU_ISM_1483",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1483"
      },
      {
        "name": "AU_ISM_1484",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1484"
      },
      {
        "name": "AU_ISM_1485",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1485"
      },
      {
        "name": "AU_ISM_1486",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1486"
      },
      {
        "name": "AU_ISM_1487",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1487"
      },
      {
        "name": "AU_ISM_1488",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1488"
      },
      {
        "name": "AU_ISM_1489",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1489"
      },
      {
        "name": "AU_ISM_1490",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1490"
      },
      {
        "name": "AU_ISM_1491",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1491"
      },
      {
        "name": "AU_ISM_1492",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1492"
      },
      {
        "name": "AU_ISM_1493",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1493"
      },
      {
        "name": "AU_ISM_1494",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1494"
      },
      {
        "name": "AU_ISM_1495",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1495"
      },
      {
        "name": "AU_ISM_1496",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1496"
      },
      {
        "name": "AU_ISM_1497",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1497"
      },
      {
        "name": "AU_ISM_1498",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1498"
      },
      {
        "name": "AU_ISM_1499",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1499"
      },
      {
        "name": "AU_ISM_1500",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1500"
      },
      {
        "name": "AU_ISM_1501",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1501"
      },
      {
        "name": "AU_ISM_1502",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1502"
      },
      {
        "name": "AU_ISM_1503",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1503"
      },
      {
        "name": "AU_ISM_1504",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1504"
      },
      {
        "name": "AU_ISM_1505",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1505"
      },
      {
        "name": "AU_ISM_1506",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1506"
      },
      {
        "name": "AU_ISM_1507",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1507"
      },
      {
        "name": "AU_ISM_1508",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1508"
      },
      {
        "name": "AU_ISM_1509",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1509"
      },
      {
        "name": "AU_ISM_1510",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1510"
      },
      {
        "name": "AU_ISM_1511",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1511"
      },
      {
        "name": "AU_ISM_1512",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1512"
      },
      {
        "name": "AU_ISM_1513",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1513"
      },
      {
        "name": "AU_ISM_1514",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1514"
      },
      {
        "name": "AU_ISM_1515",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1515"
      },
      {
        "name": "AU_ISM_1516",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1516"
      },
      {
        "name": "AU_ISM_1517",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1517"
      },
      {
        "name": "AU_ISM_1518",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1518"
      },
      {
        "name": "AU_ISM_1520",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1520"
      },
      {
        "name": "AU_ISM_1521",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1521"
      },
      {
        "name": "AU_ISM_1522",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1522"
      },
      {
        "name": "AU_ISM_1523",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1523"
      },
      {
        "name": "AU_ISM_1524",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1524"
      },
      {
        "name": "AU_ISM_1525",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1525"
      },
      {
        "name": "AU_ISM_1526",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1526"
      },
      {
        "name": "AU_ISM_1528",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1528"
      },
      {
        "name": "AU_ISM_1529",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1529"
      },
      {
        "name": "AU_ISM_1530",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1530"
      },
      {
        "name": "AU_ISM_1532",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1532"
      },
      {
        "name": "AU_ISM_1533",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1533"
      },
      {
        "name": "AU_ISM_1534",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1534"
      },
      {
        "name": "AU_ISM_1535",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1535"
      },
      {
        "name": "AU_ISM_1536",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1536"
      },
      {
        "name": "AU_ISM_1537",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1537"
      },
      {
        "name": "AU_ISM_1540",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1540"
      },
      {
        "name": "AU_ISM_1541",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1541"
      },
      {
        "name": "AU_ISM_1542",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1542"
      },
      {
        "name": "AU_ISM_1543",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1543"
      },
      {
        "name": "AU_ISM_1544",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1544"
      },
      {
        "name": "AU_ISM_1546",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1546"
      },
      {
        "name": "AU_ISM_1547",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1547"
      },
      {
        "name": "AU_ISM_1548",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1548"
      },
      {
        "name": "AU_ISM_1549",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1549"
      },
      {
        "name": "AU_ISM_1550",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1550"
      },
      {
        "name": "AU_ISM_1551",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1551"
      },
      {
        "name": "AU_ISM_1552",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1552"
      },
      {
        "name": "AU_ISM_1553",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1553"
      },
      {
        "name": "AU_ISM_1554",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1554"
      },
      {
        "name": "AU_ISM_1555",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1555"
      },
      {
        "name": "AU_ISM_1556",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1556"
      },
      {
        "name": "AU_ISM_1557",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1557"
      },
      {
        "name": "AU_ISM_1558",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1558"
      },
      {
        "name": "AU_ISM_1559",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1559"
      },
      {
        "name": "AU_ISM_1560",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1560"
      },
      {
        "name": "AU_ISM_1561",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1561"
      },
      {
        "name": "AU_ISM_1562",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1562"
      },
      {
        "name": "AU_ISM_1563",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1563"
      },
      {
        "name": "AU_ISM_1564",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1564"
      },
      {
        "name": "AU_ISM_1565",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1565"
      },
      {
        "name": "AU_ISM_1566",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1566"
      },
      {
        "name": "AU_ISM_1567",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1567"
      },
      {
        "name": "AU_ISM_1568",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1568"
      },
      {
        "name": "AU_ISM_1569",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1569"
      },
      {
        "name": "AU_ISM_157",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_157"
      },
      {
        "name": "AU_ISM_1570",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1570"
      },
      {
        "name": "AU_ISM_1571",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1571"
      },
      {
        "name": "AU_ISM_1572",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1572"
      },
      {
        "name": "AU_ISM_1573",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1573"
      },
      {
        "name": "AU_ISM_1574",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1574"
      },
      {
        "name": "AU_ISM_1575",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1575"
      },
      {
        "name": "AU_ISM_1576",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1576"
      },
      {
        "name": "AU_ISM_1577",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1577"
      },
      {
        "name": "AU_ISM_1578",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1578"
      },
      {
        "name": "AU_ISM_1579",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1579"
      },
      {
        "name": "AU_ISM_1580",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1580"
      },
      {
        "name": "AU_ISM_1581",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1581"
      },
      {
        "name": "AU_ISM_1582",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1582"
      },
      {
        "name": "AU_ISM_1583",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1583"
      },
      {
        "name": "AU_ISM_1584",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1584"
      },
      {
        "name": "AU_ISM_1585",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1585"
      },
      {
        "name": "AU_ISM_1586",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1586"
      },
      {
        "name": "AU_ISM_1587",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1587"
      },
      {
        "name": "AU_ISM_1588",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1588"
      },
      {
        "name": "AU_ISM_1589",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1589"
      },
      {
        "name": "AU_ISM_159",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_159"
      },
      {
        "name": "AU_ISM_1590",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1590"
      },
      {
        "name": "AU_ISM_1591",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1591"
      },
      {
        "name": "AU_ISM_1592",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1592"
      },
      {
        "name": "AU_ISM_1593",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1593"
      },
      {
        "name": "AU_ISM_1594",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1594"
      },
      {
        "name": "AU_ISM_1595",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1595"
      },
      {
        "name": "AU_ISM_1596",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1596"
      },
      {
        "name": "AU_ISM_1597",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1597"
      },
      {
        "name": "AU_ISM_1598",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1598"
      },
      {
        "name": "AU_ISM_1599",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1599"
      },
      {
        "name": "AU_ISM_1600",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1600"
      },
      {
        "name": "AU_ISM_1601",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1601"
      },
      {
        "name": "AU_ISM_1602",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1602"
      },
      {
        "name": "AU_ISM_1603",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1603"
      },
      {
        "name": "AU_ISM_1604",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1604"
      },
      {
        "name": "AU_ISM_1605",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1605"
      },
      {
        "name": "AU_ISM_1606",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1606"
      },
      {
        "name": "AU_ISM_1607",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1607"
      },
      {
        "name": "AU_ISM_1608",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1608"
      },
      {
        "name": "AU_ISM_1609",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1609"
      },
      {
        "name": "AU_ISM_161",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_161"
      },
      {
        "name": "AU_ISM_1610",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1610"
      },
      {
        "name": "AU_ISM_1611",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1611"
      },
      {
        "name": "AU_ISM_1612",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1612"
      },
      {
        "name": "AU_ISM_1613",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1613"
      },
      {
        "name": "AU_ISM_1614",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1614"
      },
      {
        "name": "AU_ISM_1615",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1615"
      },
      {
        "name": "AU_ISM_1616",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1616"
      },
      {
        "name": "AU_ISM_1617",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1617"
      },
      {
        "name": "AU_ISM_1618",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1618"
      },
      {
        "name": "AU_ISM_1619",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1619"
      },
      {
        "name": "AU_ISM_1620",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1620"
      },
      {
        "name": "AU_ISM_1621",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1621"
      },
      {
        "name": "AU_ISM_1622",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1622"
      },
      {
        "name": "AU_ISM_1623",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1623"
      },
      {
        "name": "AU_ISM_1624",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1624"
      },
      {
        "name": "AU_ISM_1625",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1625"
      },
      {
        "name": "AU_ISM_1626",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1626"
      },
      {
        "name": "AU_ISM_1627",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1627"
      },
      {
        "name": "AU_ISM_1628",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1628"
      },
      {
        "name": "AU_ISM_1629",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1629"
      },
      {
        "name": "AU_ISM_1630",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1630"
      },
      {
        "name": "AU_ISM_1631",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1631"
      },
      {
        "name": "AU_ISM_1632",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1632"
      },
      {
        "name": "AU_ISM_1633",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1633"
      },
      {
        "name": "AU_ISM_1634",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1634"
      },
      {
        "name": "AU_ISM_1635",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1635"
      },
      {
        "name": "AU_ISM_1636",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1636"
      },
      {
        "name": "AU_ISM_1637",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1637"
      },
      {
        "name": "AU_ISM_1638",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1638"
      },
      {
        "name": "AU_ISM_1639",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1639"
      },
      {
        "name": "AU_ISM_164",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_164"
      },
      {
        "name": "AU_ISM_1640",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1640"
      },
      {
        "name": "AU_ISM_1641",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1641"
      },
      {
        "name": "AU_ISM_1642",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1642"
      },
      {
        "name": "AU_ISM_1643",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1643"
      },
      {
        "name": "AU_ISM_1644",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1644"
      },
      {
        "name": "AU_ISM_1645",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1645"
      },
      {
        "name": "AU_ISM_1646",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_1646"
      },
      {
        "name": "AU_ISM_181",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_181"
      },
      {
        "name": "AU_ISM_184",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_184"
      },
      {
        "name": "AU_ISM_187",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_187"
      },
      {
        "name": "AU_ISM_189",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_189"
      },
      {
        "name": "AU_ISM_190",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_190"
      },
      {
        "name": "AU_ISM_194",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_194"
      },
      {
        "name": "AU_ISM_195",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_195"
      },
      {
        "name": "AU_ISM_198",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_198"
      },
      {
        "name": "AU_ISM_201",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_201"
      },
      {
        "name": "AU_ISM_206",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_206"
      },
      {
        "name": "AU_ISM_208",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_208"
      },
      {
        "name": "AU_ISM_211",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_211"
      },
      {
        "name": "AU_ISM_213",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_213"
      },
      {
        "name": "AU_ISM_216",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_216"
      },
      {
        "name": "AU_ISM_217",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_217"
      },
      {
        "name": "AU_ISM_218",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_218"
      },
      {
        "name": "AU_ISM_221",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_221"
      },
      {
        "name": "AU_ISM_222",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_222"
      },
      {
        "name": "AU_ISM_223",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_223"
      },
      {
        "name": "AU_ISM_224",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_224"
      },
      {
        "name": "AU_ISM_225",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_225"
      },
      {
        "name": "AU_ISM_229",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_229"
      },
      {
        "name": "AU_ISM_230",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_230"
      },
      {
        "name": "AU_ISM_231",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_231"
      },
      {
        "name": "AU_ISM_232",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_232"
      },
      {
        "name": "AU_ISM_233",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_233"
      },
      {
        "name": "AU_ISM_235",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_235"
      },
      {
        "name": "AU_ISM_236",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_236"
      },
      {
        "name": "AU_ISM_237",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_237"
      },
      {
        "name": "AU_ISM_240",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_240"
      },
      {
        "name": "AU_ISM_241",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_241"
      },
      {
        "name": "AU_ISM_245",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_245"
      },
      {
        "name": "AU_ISM_246",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_246"
      },
      {
        "name": "AU_ISM_247",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_247"
      },
      {
        "name": "AU_ISM_248",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_248"
      },
      {
        "name": "AU_ISM_249",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_249"
      },
      {
        "name": "AU_ISM_250",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_250"
      },
      {
        "name": "AU_ISM_252",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_252"
      },
      {
        "name": "AU_ISM_258",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_258"
      },
      {
        "name": "AU_ISM_260",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_260"
      },
      {
        "name": "AU_ISM_261",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_261"
      },
      {
        "name": "AU_ISM_263",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_263"
      },
      {
        "name": "AU_ISM_264",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_264"
      },
      {
        "name": "AU_ISM_267",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_267"
      },
      {
        "name": "AU_ISM_269",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_269"
      },
      {
        "name": "AU_ISM_27",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_27"
      },
      {
        "name": "AU_ISM_270",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_270"
      },
      {
        "name": "AU_ISM_271",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_271"
      },
      {
        "name": "AU_ISM_272",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_272"
      },
      {
        "name": "AU_ISM_280",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_280"
      },
      {
        "name": "AU_ISM_285",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_285"
      },
      {
        "name": "AU_ISM_286",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_286"
      },
      {
        "name": "AU_ISM_289",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_289"
      },
      {
        "name": "AU_ISM_290",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_290"
      },
      {
        "name": "AU_ISM_292",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_292"
      },
      {
        "name": "AU_ISM_293",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_293"
      },
      {
        "name": "AU_ISM_294",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_294"
      },
      {
        "name": "AU_ISM_296",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_296"
      },
      {
        "name": "AU_ISM_298",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_298"
      },
      {
        "name": "AU_ISM_300",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_300"
      },
      {
        "name": "AU_ISM_303",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_303"
      },
      {
        "name": "AU_ISM_304",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_304"
      },
      {
        "name": "AU_ISM_305",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_305"
      },
      {
        "name": "AU_ISM_306",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_306"
      },
      {
        "name": "AU_ISM_307",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_307"
      },
      {
        "name": "AU_ISM_310",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_310"
      },
      {
        "name": "AU_ISM_311",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_311"
      },
      {
        "name": "AU_ISM_312",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_312"
      },
      {
        "name": "AU_ISM_313",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_313"
      },
      {
        "name": "AU_ISM_315",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_315"
      },
      {
        "name": "AU_ISM_316",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_316"
      },
      {
        "name": "AU_ISM_317",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_317"
      },
      {
        "name": "AU_ISM_318",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_318"
      },
      {
        "name": "AU_ISM_321",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_321"
      },
      {
        "name": "AU_ISM_323",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_323"
      },
      {
        "name": "AU_ISM_325",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_325"
      },
      {
        "name": "AU_ISM_330",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_330"
      },
      {
        "name": "AU_ISM_332",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_332"
      },
      {
        "name": "AU_ISM_336",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_336"
      },
      {
        "name": "AU_ISM_337",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_337"
      },
      {
        "name": "AU_ISM_341",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_341"
      },
      {
        "name": "AU_ISM_342",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_342"
      },
      {
        "name": "AU_ISM_343",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_343"
      },
      {
        "name": "AU_ISM_345",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_345"
      },
      {
        "name": "AU_ISM_347",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_347"
      },
      {
        "name": "AU_ISM_348",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_348"
      },
      {
        "name": "AU_ISM_350",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_350"
      },
      {
        "name": "AU_ISM_351",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_351"
      },
      {
        "name": "AU_ISM_352",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_352"
      },
      {
        "name": "AU_ISM_354",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_354"
      },
      {
        "name": "AU_ISM_356",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_356"
      },
      {
        "name": "AU_ISM_357",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_357"
      },
      {
        "name": "AU_ISM_358",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_358"
      },
      {
        "name": "AU_ISM_359",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_359"
      },
      {
        "name": "AU_ISM_360",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_360"
      },
      {
        "name": "AU_ISM_361",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_361"
      },
      {
        "name": "AU_ISM_362",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_362"
      },
      {
        "name": "AU_ISM_363",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_363"
      },
      {
        "name": "AU_ISM_366",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_366"
      },
      {
        "name": "AU_ISM_368",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_368"
      },
      {
        "name": "AU_ISM_370",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_370"
      },
      {
        "name": "AU_ISM_371",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_371"
      },
      {
        "name": "AU_ISM_372",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_372"
      },
      {
        "name": "AU_ISM_373",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_373"
      },
      {
        "name": "AU_ISM_374",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_374"
      },
      {
        "name": "AU_ISM_375",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_375"
      },
      {
        "name": "AU_ISM_378",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_378"
      },
      {
        "name": "AU_ISM_380",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_380"
      },
      {
        "name": "AU_ISM_382",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_382"
      },
      {
        "name": "AU_ISM_383",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_383"
      },
      {
        "name": "AU_ISM_385",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_385"
      },
      {
        "name": "AU_ISM_39",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_39"
      },
      {
        "name": "AU_ISM_393",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_393"
      },
      {
        "name": "AU_ISM_400",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_400"
      },
      {
        "name": "AU_ISM_401",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_401"
      },
      {
        "name": "AU_ISM_402",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_402"
      },
      {
        "name": "AU_ISM_405",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_405"
      },
      {
        "name": "AU_ISM_407",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_407"
      },
      {
        "name": "AU_ISM_408",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_408"
      },
      {
        "name": "AU_ISM_409",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_409"
      },
      {
        "name": "AU_ISM_41",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_41"
      },
      {
        "name": "AU_ISM_411",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_411"
      },
      {
        "name": "AU_ISM_414",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_414"
      },
      {
        "name": "AU_ISM_415",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_415"
      },
      {
        "name": "AU_ISM_417",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_417"
      },
      {
        "name": "AU_ISM_418",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_418"
      },
      {
        "name": "AU_ISM_42",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_42"
      },
      {
        "name": "AU_ISM_420",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_420"
      },
      {
        "name": "AU_ISM_421",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_421"
      },
      {
        "name": "AU_ISM_422",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_422"
      },
      {
        "name": "AU_ISM_428",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_428"
      },
      {
        "name": "AU_ISM_43",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_43"
      },
      {
        "name": "AU_ISM_430",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_430"
      },
      {
        "name": "AU_ISM_431",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_431"
      },
      {
        "name": "AU_ISM_432",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_432"
      },
      {
        "name": "AU_ISM_434",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_434"
      },
      {
        "name": "AU_ISM_435",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_435"
      },
      {
        "name": "AU_ISM_441",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_441"
      },
      {
        "name": "AU_ISM_443",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_443"
      },
      {
        "name": "AU_ISM_445",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_445"
      },
      {
        "name": "AU_ISM_446",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_446"
      },
      {
        "name": "AU_ISM_447",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_447"
      },
      {
        "name": "AU_ISM_448",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_448"
      },
      {
        "name": "AU_ISM_455",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_455"
      },
      {
        "name": "AU_ISM_457",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_457"
      },
      {
        "name": "AU_ISM_459",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_459"
      },
      {
        "name": "AU_ISM_460",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_460"
      },
      {
        "name": "AU_ISM_461",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_461"
      },
      {
        "name": "AU_ISM_462",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_462"
      },
      {
        "name": "AU_ISM_465",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_465"
      },
      {
        "name": "AU_ISM_467",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_467"
      },
      {
        "name": "AU_ISM_469",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_469"
      },
      {
        "name": "AU_ISM_47",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_47"
      },
      {
        "name": "AU_ISM_471",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_471"
      },
      {
        "name": "AU_ISM_472",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_472"
      },
      {
        "name": "AU_ISM_473",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_473"
      },
      {
        "name": "AU_ISM_474",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_474"
      },
      {
        "name": "AU_ISM_475",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_475"
      },
      {
        "name": "AU_ISM_476",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_476"
      },
      {
        "name": "AU_ISM_477",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_477"
      },
      {
        "name": "AU_ISM_479",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_479"
      },
      {
        "name": "AU_ISM_480",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_480"
      },
      {
        "name": "AU_ISM_481",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_481"
      },
      {
        "name": "AU_ISM_484",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_484"
      },
      {
        "name": "AU_ISM_485",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_485"
      },
      {
        "name": "AU_ISM_487",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_487"
      },
      {
        "name": "AU_ISM_488",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_488"
      },
      {
        "name": "AU_ISM_489",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_489"
      },
      {
        "name": "AU_ISM_490",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_490"
      },
      {
        "name": "AU_ISM_494",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_494"
      },
      {
        "name": "AU_ISM_496",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_496"
      },
      {
        "name": "AU_ISM_497",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_497"
      },
      {
        "name": "AU_ISM_498",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_498"
      },
      {
        "name": "AU_ISM_499",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_499"
      },
      {
        "name": "AU_ISM_501",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_501"
      },
      {
        "name": "AU_ISM_505",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_505"
      },
      {
        "name": "AU_ISM_506",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_506"
      },
      {
        "name": "AU_ISM_516",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_516"
      },
      {
        "name": "AU_ISM_518",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_518"
      },
      {
        "name": "AU_ISM_520",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_520"
      },
      {
        "name": "AU_ISM_521",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_521"
      },
      {
        "name": "AU_ISM_529",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_529"
      },
      {
        "name": "AU_ISM_530",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_530"
      },
      {
        "name": "AU_ISM_534",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_534"
      },
      {
        "name": "AU_ISM_535",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_535"
      },
      {
        "name": "AU_ISM_536",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_536"
      },
      {
        "name": "AU_ISM_546",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_546"
      },
      {
        "name": "AU_ISM_547",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_547"
      },
      {
        "name": "AU_ISM_548",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_548"
      },
      {
        "name": "AU_ISM_549",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_549"
      },
      {
        "name": "AU_ISM_551",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_551"
      },
      {
        "name": "AU_ISM_553",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_553"
      },
      {
        "name": "AU_ISM_554",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_554"
      },
      {
        "name": "AU_ISM_555",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_555"
      },
      {
        "name": "AU_ISM_556",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_556"
      },
      {
        "name": "AU_ISM_558",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_558"
      },
      {
        "name": "AU_ISM_559",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_559"
      },
      {
        "name": "AU_ISM_565",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_565"
      },
      {
        "name": "AU_ISM_567",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_567"
      },
      {
        "name": "AU_ISM_569",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_569"
      },
      {
        "name": "AU_ISM_570",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_570"
      },
      {
        "name": "AU_ISM_571",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_571"
      },
      {
        "name": "AU_ISM_572",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_572"
      },
      {
        "name": "AU_ISM_574",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_574"
      },
      {
        "name": "AU_ISM_576",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_576"
      },
      {
        "name": "AU_ISM_580",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_580"
      },
      {
        "name": "AU_ISM_582",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_582"
      },
      {
        "name": "AU_ISM_584",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_584"
      },
      {
        "name": "AU_ISM_585",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_585"
      },
      {
        "name": "AU_ISM_586",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_586"
      },
      {
        "name": "AU_ISM_588",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_588"
      },
      {
        "name": "AU_ISM_589",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_589"
      },
      {
        "name": "AU_ISM_590",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_590"
      },
      {
        "name": "AU_ISM_591",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_591"
      },
      {
        "name": "AU_ISM_593",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_593"
      },
      {
        "name": "AU_ISM_594",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_594"
      },
      {
        "name": "AU_ISM_597",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_597"
      },
      {
        "name": "AU_ISM_607",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_607"
      },
      {
        "name": "AU_ISM_610",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_610"
      },
      {
        "name": "AU_ISM_611",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_611"
      },
      {
        "name": "AU_ISM_612",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_612"
      },
      {
        "name": "AU_ISM_613",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_613"
      },
      {
        "name": "AU_ISM_616",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_616"
      },
      {
        "name": "AU_ISM_619",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_619"
      },
      {
        "name": "AU_ISM_620",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_620"
      },
      {
        "name": "AU_ISM_622",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_622"
      },
      {
        "name": "AU_ISM_626",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_626"
      },
      {
        "name": "AU_ISM_627",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_627"
      },
      {
        "name": "AU_ISM_628",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_628"
      },
      {
        "name": "AU_ISM_629",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_629"
      },
      {
        "name": "AU_ISM_631",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_631"
      },
      {
        "name": "AU_ISM_634",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_634"
      },
      {
        "name": "AU_ISM_635",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_635"
      },
      {
        "name": "AU_ISM_637",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_637"
      },
      {
        "name": "AU_ISM_639",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_639"
      },
      {
        "name": "AU_ISM_641",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_641"
      },
      {
        "name": "AU_ISM_642",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_642"
      },
      {
        "name": "AU_ISM_643",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_643"
      },
      {
        "name": "AU_ISM_645",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_645"
      },
      {
        "name": "AU_ISM_646",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_646"
      },
      {
        "name": "AU_ISM_647",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_647"
      },
      {
        "name": "AU_ISM_648",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_648"
      },
      {
        "name": "AU_ISM_649",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_649"
      },
      {
        "name": "AU_ISM_651",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_651"
      },
      {
        "name": "AU_ISM_652",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_652"
      },
      {
        "name": "AU_ISM_657",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_657"
      },
      {
        "name": "AU_ISM_658",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_658"
      },
      {
        "name": "AU_ISM_659",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_659"
      },
      {
        "name": "AU_ISM_660",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_660"
      },
      {
        "name": "AU_ISM_661",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_661"
      },
      {
        "name": "AU_ISM_663",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_663"
      },
      {
        "name": "AU_ISM_664",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_664"
      },
      {
        "name": "AU_ISM_665",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_665"
      },
      {
        "name": "AU_ISM_669",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_669"
      },
      {
        "name": "AU_ISM_670",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_670"
      },
      {
        "name": "AU_ISM_675",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_675"
      },
      {
        "name": "AU_ISM_677",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_677"
      },
      {
        "name": "AU_ISM_678",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_678"
      },
      {
        "name": "AU_ISM_682",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_682"
      },
      {
        "name": "AU_ISM_687",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_687"
      },
      {
        "name": "AU_ISM_694",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_694"
      },
      {
        "name": "AU_ISM_701",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_701"
      },
      {
        "name": "AU_ISM_702",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_702"
      },
      {
        "name": "AU_ISM_705",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_705"
      },
      {
        "name": "AU_ISM_714",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_714"
      },
      {
        "name": "AU_ISM_717",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_717"
      },
      {
        "name": "AU_ISM_718",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_718"
      },
      {
        "name": "AU_ISM_72",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_72"
      },
      {
        "name": "AU_ISM_720",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_720"
      },
      {
        "name": "AU_ISM_724",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_724"
      },
      {
        "name": "AU_ISM_725",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_725"
      },
      {
        "name": "AU_ISM_726",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_726"
      },
      {
        "name": "AU_ISM_731",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_731"
      },
      {
        "name": "AU_ISM_732",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_732"
      },
      {
        "name": "AU_ISM_733",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_733"
      },
      {
        "name": "AU_ISM_734",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_734"
      },
      {
        "name": "AU_ISM_735",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_735"
      },
      {
        "name": "AU_ISM_78",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_78"
      },
      {
        "name": "AU_ISM_810",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_810"
      },
      {
        "name": "AU_ISM_813",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_813"
      },
      {
        "name": "AU_ISM_817",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_817"
      },
      {
        "name": "AU_ISM_820",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_820"
      },
      {
        "name": "AU_ISM_821",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_821"
      },
      {
        "name": "AU_ISM_824",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_824"
      },
      {
        "name": "AU_ISM_829",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_829"
      },
      {
        "name": "AU_ISM_831",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_831"
      },
      {
        "name": "AU_ISM_835",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_835"
      },
      {
        "name": "AU_ISM_836",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_836"
      },
      {
        "name": "AU_ISM_838",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_838"
      },
      {
        "name": "AU_ISM_839",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_839"
      },
      {
        "name": "AU_ISM_840",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_840"
      },
      {
        "name": "AU_ISM_843",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_843"
      },
      {
        "name": "AU_ISM_846",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_846"
      },
      {
        "name": "AU_ISM_853",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_853"
      },
      {
        "name": "AU_ISM_854",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_854"
      },
      {
        "name": "AU_ISM_859",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_859"
      },
      {
        "name": "AU_ISM_861",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_861"
      },
      {
        "name": "AU_ISM_863",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_863"
      },
      {
        "name": "AU_ISM_864",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_864"
      },
      {
        "name": "AU_ISM_866",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_866"
      },
      {
        "name": "AU_ISM_869",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_869"
      },
      {
        "name": "AU_ISM_870",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_870"
      },
      {
        "name": "AU_ISM_871",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_871"
      },
      {
        "name": "AU_ISM_874",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_874"
      },
      {
        "name": "AU_ISM_888",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_888"
      },
      {
        "name": "AU_ISM_917",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_917"
      },
      {
        "name": "AU_ISM_926",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_926"
      },
      {
        "name": "AU_ISM_931",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_931"
      },
      {
        "name": "AU_ISM_932",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_932"
      },
      {
        "name": "AU_ISM_938",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_938"
      },
      {
        "name": "AU_ISM_940",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_940"
      },
      {
        "name": "AU_ISM_944",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_944"
      },
      {
        "name": "AU_ISM_947",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_947"
      },
      {
        "name": "AU_ISM_955",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_955"
      },
      {
        "name": "AU_ISM_957",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_957"
      },
      {
        "name": "AU_ISM_958",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_958"
      },
      {
        "name": "AU_ISM_959",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_959"
      },
      {
        "name": "AU_ISM_960",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_960"
      },
      {
        "name": "AU_ISM_961",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_961"
      },
      {
        "name": "AU_ISM_963",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_963"
      },
      {
        "name": "AU_ISM_971",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_971"
      },
      {
        "name": "AU_ISM_974",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_974"
      },
      {
        "name": "AU_ISM_975",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_975"
      },
      {
        "name": "AU_ISM_976",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_976"
      },
      {
        "name": "AU_ISM_979",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_979"
      },
      {
        "name": "AU_ISM_988",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_988"
      },
      {
        "name": "AU_ISM_991",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_991"
      },
      {
        "name": "AU_ISM_994",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_994"
      },
      {
        "name": "AU_ISM_996",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_996"
      },
      {
        "name": "AU_ISM_998",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_998"
      },
      {
        "name": "AU_ISM_999",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/AU_ISM_999"
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "27272c0b-c225-4cc3-b8b0-f2534b093077"
}
BuiltIn Regulatory Compliance False True n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "[Preview]: CMMC Level 3",
    "policyType": "BuiltIn",
    "description": "This initiative includes policies that address a subset of Cybersecurity Maturity Model Certification (CMMC) Level 3 requirements. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/cmmc-initiative.",
    "metadata": {
      "version": "3.2.1-preview",
      "preview": true,
      "category": "Regulatory Compliance"
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc-connected servers when evaluating guest configuration policies",
          "description": "By selecting 'true,' you agree to be charged monthly per Arc connected machine; for more information, visit https://aka.ms/policy-pricing"
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "MembersToExclude-69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f": {
        "type": "String",
        "metadata": {
          "displayName": "List of users that must be excluded from Windows VM Administrators group",
          "description": "A semicolon-separated list of users that should be excluded in the Administrators local group; Ex: Administrator; myUser1; myUser2"
        }
      },
      "MembersToInclude-30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7": {
        "type": "String",
        "metadata": {
          "displayName": "List of users that must be included in Windows VM Administrators group",
          "description": "A semicolon-separated list of users that should be included in the Administrators local group; Ex: Administrator; myUser1; myUser2"
        }
      },
      "Members-3d2a3320-2a72-4c67-ac5f-caa40fbee2b2": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: List of users that Windows VM Administrators group must only include",
          "description": "A semicolon-separated list of all the expected members of the Administrators local group; Ex: Administrator; myUser1; myUser2",
          "deprecated": true
        },
        "defaultValue": "Administrator"
      },
      "logAnalyticsWorkspaceId-f47b5582-33ec-4c5c-87c0-b010a6b2e917": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace ID for VM agent reporting",
          "description": "ID (GUID) of the Log Analytics workspace where VMs agents should report"
        }
      },
      "effect-08e6af2d-db70-460a-bfe9-d5bd474ba9d6": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Adaptive network hardening recommendations should be applied on internet facing virtual machines",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-09024ccc-0c5f-475e-9457-b7c0d9ed487b": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: There should be more than one owner assigned to your subscription",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-0961003e-5a0a-4549-abde-af6a37f2724d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-0b15565f-aa9e-48ba-8619-45960f2c314d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Email notification to subscription owner for high severity alerts should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-0e60b895-3786-45da-8377-9c6b4b6ac5f9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Remote debugging should be turned off for Function Apps",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-17k78e20-9358-41c9-923c-fb736d382a12": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Transparent Data Encryption on SQL databases should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure that 'PHP version' is the latest, if used as a part of the API app",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "PHPLatestVersion": {
        "type": "String",
        "metadata": {
          "displayName": "Latest PHP version for App Services",
          "description": "Latest supported PHP version for App Services"
        },
        "defaultValue": "7.3"
      },
      "effect-22bee202-a82f-4305-9a2a-6d7f44d4dedb": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Only secure connections to your Azure Cache for Redis should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "NetworkSecurityConfigureEncryptionTypesAllowedForKerberos-1221c620-d201-468c-81e7-2817e6107e84": {
        "type": "String",
        "metadata": {
          "displayName": "Network Security: Configure encryption types allowed for Kerberos",
          "description": "Specifies the encryption types that Kerberos is allowed to use."
        },
        "defaultValue": "2147483644"
      },
      "NetworkSecurityLANManagerAuthenticationLevel-1221c620-d201-468c-81e7-2817e6107e84": {
        "type": "String",
        "metadata": {
          "displayName": "Network security: LAN Manager authentication level",
          "description": "Specify which challenge-response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers."
        },
        "defaultValue": "5"
      },
      "NetworkSecurityLDAPClientSigningRequirements-1221c620-d201-468c-81e7-2817e6107e84": {
        "type": "String",
        "metadata": {
          "displayName": "Network security: LDAP client signing requirements",
          "description": "Specify the level of data signing that is requested on behalf of clients that issue LDAP BIND requests."
        },
        "defaultValue": "1"
      },
      "NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients-1221c620-d201-468c-81e7-2817e6107e84": {
        "type": "String",
        "metadata": {
          "displayName": "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients",
          "description": "Specifies which behaviors are allowed by clients for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. See https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers for more information."
        },
        "defaultValue": "537395200"
      },
      "NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers-1221c620-d201-468c-81e7-2817e6107e84": {
        "type": "String",
        "metadata": {
          "displayName": "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers",
          "description": "Specifies which behaviors are allowed by servers for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services."
        },
        "defaultValue": "537395200"
      },
      "effect-1221c620-d201-468c-81e7-2817e6107e84": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Windows machines should meet requirements for 'Security Options - Network Security'",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-a2d0e922-65d0-40c4-8f87-ea6da2d307a2": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Audit Windows machines that do not restrict the minimum password length to 14 characters",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-26a828e1-e88f-464e-bbb3-c134a282b9de": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Endpoint protection solution should be installed on virtual machine scale sets",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "listOfImageIdToInclude_windows": {
        "type": "Array",
        "metadata": {
          "displayName": "Optional: List of VM images that have supported Windows OS to add to scope when auditing Log Analytics agent deployment",
          "description": "Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'"
        },
        "defaultValue": []
      },
      "listOfImageIdToInclude_linux": {
        "type": "Array",
        "metadata": {
          "displayName": "Optional: List of VM images that have supported Linux OS to add to scope when auditing Log Analytics agent deployment",
          "description": "Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'"
        },
        "defaultValue": []
      },
      "listOfImageIdToInclude_windows-32133ab0-ee4b-4b44-98d6-042180979d50": {
        "type": "Array",
        "metadata": {
          "displayName": "[Deprecated]: Optional: List of VM images that have supported Windows OS to add to scope",
          "description": "Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'",
          "deprecated": true
        },
        "defaultValue": []
      },
      "listOfImageIdToInclude_linux-32133ab0-ee4b-4b44-98d6-042180979d50": {
        "type": "Array",
        "metadata": {
          "displayName": "[Deprecated]: Optional: List of VM images that have supported Linux OS to add to scope",
          "description": "Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'",
          "deprecated": true
        },
        "defaultValue": []
      },
      "effect-f6ec09a3-78bf-4f8f-99dc-6c77182d0f99": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Audit Linux machines that have accounts without passwords",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-34c877ad-507e-4c82-993e-3452a6e0ad3c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage accounts should restrict network access",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Vulnerabilities in security configuration on your virtual machine scale sets should be remediated",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-404c3081-a854-4457-ae30-26a93ef643f9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Secure transfer to storage accounts should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-47a6b606-51aa-4496-8bb7-64b11cf66adc": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Adaptive application controls for defining safe applications should be enabled on your machines",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-496223c3-ad65-4ecd-878a-bae78737e9ed": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure that 'Java version' is the latest, if used as a part of the Web app",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "JavaLatestVersion": {
        "type": "String",
        "metadata": {
          "displayName": "Latest Java version for App Services",
          "description": "Latest supported Java version for App Services"
        },
        "defaultValue": "11"
      },
      "effect-4f11b553-d42e-4e3a-89be-32ca364cad4c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: A maximum of 3 owners should be designated for your subscription",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Subscriptions should have a contact email address for security issues",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "listOfImageIdToInclude_windows-5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138": {
        "type": "Array",
        "metadata": {
          "displayName": "[Deprecated]: Optional: List of VM images that have supported Windows OS to add to scope",
          "description": "Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'",
          "deprecated": true
        },
        "defaultValue": []
      },
      "listOfImageIdToInclude_linux-5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138": {
        "type": "Array",
        "metadata": {
          "displayName": "[Deprecated]: Optional: List of VM images that have supported Linux OS to add to scope",
          "description": "Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'",
          "deprecated": true
        },
        "defaultValue": []
      },
      "effect-5c607a2e-c700-4744-8254-d77e7c9eb5e4": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: External accounts with write permissions should be removed from your subscription",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-5f76cf89-fbf2-47fd-a3f4-b891fa780b60": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: External accounts with read permissions should be removed from your subscription",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-6b1cbf55-e8b6-442f-ba4c-7246b6381474": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Deprecated accounts should be removed from your subscription",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Function App should only be accessible over HTTPS",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-7008174a-fd10-4ef0-817e-fc820a951d73": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure that 'Python version' is the latest, if used as a part of the Web app",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "LinuxPythonLatestVersion": {
        "type": "String",
        "metadata": {
          "displayName": "Latest Python version for Linux for App Services",
          "description": "Latest supported Python version for App Services"
        },
        "defaultValue": "3.8"
      },
      "effect-7238174a-fd10-4ef0-817e-fc820a951d73": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure that 'Python version' is the latest, if used as a part of the Function app",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-7261b898-8a84-4db8-9e04-18527132abb3": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure that 'PHP version' is the latest, if used as a part of the WEB app",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-5b054a0d-39e2-4d53-bea3-9734cad2c69b": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Audit Windows machines that allow re-use of the previous 24 passwords",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-74c3584d-afae-46f7-a20a-6f8adba71a16": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure that 'Python version' is the latest, if used as a part of the API app",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-760a85ff-6162-42b3-8d70-698e268f648c": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Effect for policy: Vulnerabilities should be remediated by a Vulnerability Assessment solution",
          "description": "For more information about effects, visit https://aka.ms/policyeffects",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "effect-bf16e0bb-31e1-4646-8202-60a235cc7e74": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Audit Windows machines that do not have the password complexity setting enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "listOfResourceTypes-7f89b1eb-583c-429a-8828-af049802c1d9": {
        "type": "Array",
        "metadata": {
          "displayName": "List of resource types that should have resource logs enabled",
          "strongType": "resourceTypes"
        },
        "allowedValues": [
          "Microsoft.AnalysisServices/servers",
          "Microsoft.ApiManagement/service",
          "Microsoft.Network/applicationGateways",
          "Microsoft.Automation/automationAccounts",
          "Microsoft.ContainerInstance/containerGroups",
          "Microsoft.ContainerRegistry/registries",
          "Microsoft.ContainerService/managedClusters",
          "Microsoft.Batch/batchAccounts",
          "Microsoft.Cdn/profiles/endpoints",
          "Microsoft.CognitiveServices/accounts",
          "Microsoft.DocumentDB/databaseAccounts",
          "Microsoft.DataFactory/factories",
          "Microsoft.DataLakeAnalytics/accounts",
          "Microsoft.DataLakeStore/accounts",
          "Microsoft.EventGrid/eventSubscriptions",
          "Microsoft.EventGrid/topics",
          "Microsoft.EventHub/namespaces",
          "Microsoft.Network/expressRouteCircuits",
          "Microsoft.Network/azureFirewalls",
          "Microsoft.HDInsight/clusters",
          "Microsoft.Devices/IotHubs",
          "Microsoft.KeyVault/vaults",
          "Microsoft.Network/loadBalancers",
          "Microsoft.Logic/integrationAccounts",
          "Microsoft.Logic/workflows",
          "Microsoft.DBforMySQL/servers",
          "Microsoft.Network/networkInterfaces",
          "Microsoft.Network/networkSecurityGroups",
          "Microsoft.DBforPostgreSQL/servers",
          "Microsoft.PowerBIDedicated/capacities",
          "Microsoft.Network/publicIPAddresses",
          "Microsoft.RecoveryServices/vaults",
          "Microsoft.Cache/redis",
          "Microsoft.Relay/namespaces",
          "Microsoft.Search/searchServices",
          "Microsoft.ServiceBus/namespaces",
          "Microsoft.SignalRService/SignalR",
          "Microsoft.Sql/servers/databases",
          "Microsoft.Sql/servers/elasticPools",
          "Microsoft.StreamAnalytics/streamingjobs",
          "Microsoft.TimeSeriesInsights/environments",
          "Microsoft.Network/trafficManagerProfiles",
          "Microsoft.Compute/virtualMachines",
          "Microsoft.Compute/virtualMachineScaleSets",
          "Microsoft.Network/virtualNetworks",
          "Microsoft.Network/virtualNetworkGateways"
        ],
        "defaultValue": [
          "Microsoft.AnalysisServices/servers",
          "Microsoft.ApiManagement/service",
          "Microsoft.Network/applicationGateways",
          "Microsoft.Automation/automationAccounts",
          "Microsoft.ContainerInstance/containerGroups",
          "Microsoft.ContainerRegistry/registries",
          "Microsoft.ContainerService/managedClusters",
          "Microsoft.Batch/batchAccounts",
          "Microsoft.Cdn/profiles/endpoints",
          "Microsoft.CognitiveServices/accounts",
          "Microsoft.DocumentDB/databaseAccounts",
          "Microsoft.DataFactory/factories",
          "Microsoft.DataLakeAnalytics/accounts",
          "Microsoft.DataLakeStore/accounts",
          "Microsoft.EventGrid/eventSubscriptions",
          "Microsoft.EventGrid/topics",
          "Microsoft.EventHub/namespaces",
          "Microsoft.Network/expressRouteCircuits",
          "Microsoft.Network/azureFirewalls",
          "Microsoft.HDInsight/clusters",
          "Microsoft.Devices/IotHubs",
          "Microsoft.KeyVault/vaults",
          "Microsoft.Network/loadBalancers",
          "Microsoft.Logic/integrationAccounts",
          "Microsoft.Logic/workflows",
          "Microsoft.DBforMySQL/servers",
          "Microsoft.Network/networkInterfaces",
          "Microsoft.Network/networkSecurityGroups",
          "Microsoft.DBforPostgreSQL/servers",
          "Microsoft.PowerBIDedicated/capacities",
          "Microsoft.Network/publicIPAddresses",
          "Microsoft.RecoveryServices/vaults",
          "Microsoft.Cache/redis",
          "Microsoft.Relay/namespaces",
          "Microsoft.Search/searchServices",
          "Microsoft.ServiceBus/namespaces",
          "Microsoft.SignalRService/SignalR",
          "Microsoft.Sql/servers/databases",
          "Microsoft.Sql/servers/elasticPools",
          "Microsoft.StreamAnalytics/streamingjobs",
          "Microsoft.TimeSeriesInsights/environments",
          "Microsoft.Network/trafficManagerProfiles",
          "Microsoft.Compute/virtualMachines",
          "Microsoft.Compute/virtualMachineScaleSets",
          "Microsoft.Network/virtualNetworks",
          "Microsoft.Network/virtualNetworkGateways"
        ]
      },
      "effect-86b3d65f-7626-441e-b690-81a8b71cff60": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: System updates should be installed on your machines",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-88999f4c-376a-45c8-bcb3-4058f713cf39": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure that 'Java version' is the latest, if used as a part of the API app",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-8c122334-9d20-4eb8-89ea-ac9a705b74ae": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure that 'HTTP Version' is the latest, if used to run the Web app",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Latest TLS version should be used in your API App",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-da0f98fe-a24b-4ad5-af69-bd0400233661": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Audit Windows machines that do not store passwords using reversible encryption",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-9297c21d-2ed6-4474-b48f-163f75654ce3": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: MFA should be enabled accounts with write permissions on your subscription",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-991310cd-e9f3-47bc-b7b6-f57b557d07db": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure that 'HTTP Version' is the latest, if used to run the API app",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-9b597639-28e4-48eb-b506-56b05d366257": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Microsoft IaaSAntimalware extension should be deployed on Windows servers",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure that 'Java version' is the latest, if used as a part of the Function app",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-9daedab3-fb2d-461e-b861-71790eead4f6": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: All network ports should be restricted on network security groups associated to your virtual machine",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-a4af4a39-4135-47fb-b175-47fbdf85311d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Web Application should only be accessible over HTTPS",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Auditing on SQL server should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9": {
        "type": "String",
        "metadata": {
          "displayName": "Required auditing setting for SQL servers"
        },
        "allowedValues": [
          "enabled",
          "disabled"
        ],
        "defaultValue": "enabled"
      },
      "effect-a70ca396-0a34-413a-88e1-b956c1e683be": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: The Log Analytics agent should be installed on virtual machines",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-aa633080-8b72-40c4-a2d7-d00c03e80bed": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: MFA should be enabled on accounts with owner permissions on your subscription",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Advanced data security should be enabled on your SQL servers",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Advanced data security should be enabled on SQL Managed Instance",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-af6cd1bd-1635-48cb-bde7-5b15693900b9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Monitor missing Endpoint Protection in Azure Security Center",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112": {
        "type": "String",
        "metadata": {
          "displayName": "Minimum TLS version for Windows web servers",
          "description": "Windows web servers with lower TLS versions will be assessed as non-compliant"
        },
        "allowedValues": [
          "1.1",
          "1.2"
        ],
        "defaultValue": "1.2"
      },
      "effect-b4d66858-c922-44e3-9566-5cdb7a7be744": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Effect for policy: A security contact phone number should be provided for your subscription",
          "description": "For more information about effects, visit https://aka.ms/policyeffects",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "listOfLocations-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6": {
        "type": "Array",
        "metadata": {
          "displayName": "[Deprecated]: List of regions where Network Watcher should be enabled",
          "description": "Audit if Network Watcher is not enabled for region(s).",
          "strongType": "location",
          "deprecated": true
        },
        "defaultValue": []
      },
      "resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6": {
        "type": "String",
        "metadata": {
          "displayName": "Name of the resource group for Network Watcher",
          "description": "Name of the resource group of NetworkWatcher, such as NetworkWatcherRG. This is the resource group where the Network Watchers are located."
        },
        "defaultValue": "NetworkWatcherRG"
      },
      "effect-b7ddfbdc-1260-477d-91fd-98bd9be789a6": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: API App should only be accessible over HTTPS",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: System updates on virtual machine scale sets should be installed",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-cb510bfd-1cba-4d9f-a230-cb0976f4bb71": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Remote debugging should be turned off for Web Applications",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Vulnerabilities in security configuration on your machines should be remediated",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-e2c1c086-2d84-4019-bff3-c44ccd95113c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure that 'HTTP Version' is the latest, if used to run the Function app",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-e3576e28-8b17-4677-84c3-db2990658d64": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: MFA should be enabled on accounts with read permissions on your subscription",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-e8cbc669-f12d-49eb-93e7-9273119e9933": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Vulnerabilities in container security configurations should be remediated",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-e9c8d085-d9cc-4b17-9cdc-059f1f01f19e": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Remote debugging should be turned off for API Apps",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-ebb62a0c-3560-49e1-89ed-27e074e9f8ad": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Deprecated accounts with owner permissions should be removed from your subscription",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-ea53dbee-c6c9-4f0e-9f9e-de0039b78023": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Audit Linux machines that allow remote connections from accounts without passwords",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-efbde977-ba53-4479-b8e9-10b957924fbf": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: The Log Analytics agent should be installed on Virtual Machine Scale Sets",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Latest TLS version should be used in your Web App",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-e6955644-301c-44b5-a4c4-528577de6861": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Audit Linux machines that do not have the passwd file permissions set to 0644",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-f6de0be7-9a8a-4b8a-b349-43cf02d22f7c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Internet-facing virtual machines should be protected with network security groups",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-f8456c1c-aa66-4dfb-861a-25d127b775c9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: External accounts with owner permissions should be removed from your subscription",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-f9d614c5-c173-4d56-95a7-b4437057d193": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Latest TLS version should be used in your Function App",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-fb893a29-21bb-418c-a157-e99480ec364c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-feedbf84-6b99-488c-acc2-71c829aa5ffc": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Vulnerabilities on your SQL databases should be remediated",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-3b980d31-7904-4bb7-8575-5665739a8052": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: An activity log alert should exist for specific Security operations (Microsoft.Security/securitySolutions/delete)",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "operationName-3b980d31-7904-4bb7-8575-5665739a8052": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Operation Name",
          "description": "Security Operation name for which activity log alert should exist",
          "deprecated": true
        },
        "allowedValues": [
          "Microsoft.Security/policies/write",
          "Microsoft.Security/securitySolutions/write",
          "Microsoft.Security/securitySolutions/delete"
        ],
        "defaultValue": []
      },
      "effect-6e2593d9-add6-4083-9c9b-4b7d2188c899": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Email notification for high severity alerts should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-383856f8-de7f-44a2-81fc-e5135b5c2aa4": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Resource logs in IoT Hub should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "requiredRetentionDays-383856f8-de7f-44a2-81fc-e5135b5c2aa4": {
        "type": "String",
        "metadata": {
          "displayName": "Required retention period (days) for IoT Hub resource logs"
        },
        "defaultValue": "365"
      },
      "effect-b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Resource logs in App Services should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-12430be1-6cc8-4527-a9a8-e3d38f250096": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Web Application Firewall (WAF) should use the specified mode for Application Gateway",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "modeRequirement-12430be1-6cc8-4527-a9a8-e3d38f250096": {
        "type": "String",
        "metadata": {
          "displayName": "Mode Requirement",
          "description": "Mode required for all WAF policies"
        },
        "allowedValues": [
          "Prevention",
          "Detection"
        ],
        "defaultValue": "Detection"
      },
      "effect-425bea59-a659-4cbb-8d31-34499bd030b8": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "modeRequirement-425bea59-a659-4cbb-8d31-34499bd030b8": {
        "type": "String",
        "metadata": {
          "displayName": "Mode Requirement",
          "description": "Mode required for all WAF policies"
        },
        "allowedValues": [
          "Prevention",
          "Detection"
        ],
        "defaultValue": "Detection"
      },
      "effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Web Application Firewall (WAF) should be enabled for Application Gateway",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Web Application Firewall (WAF) should be enabled for Azure Front Door Service",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-361c2074-3595-4e5d-8cab-4f21dffc835c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Deploy Advanced Threat Protection on Storage Accounts",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "effect-b5f04e03-92a3-4b09-9410-2cc5e5047656": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Deploy Advanced Threat Protection for Cosmos DB Accounts",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "effect-fc5e4038-4584-4632-8c85-c0448d374b2c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: All Internet traffic should be routed via your deployed Azure Firewall",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-013e242c-8828-4970-87b3-ab247555486d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Backup should be enabled for Virtual Machines",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-d38fc420-0735-4ef3-ac11-c806f651a570": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Long-term geo-redundant backup should be enabled for Azure SQL Databases",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-a1181c5f-672a-477a-979a-7d58aa086233": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Security Center standard pricing tier should be selected",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-0e6763cc-5078-4e64-889d-ff4d9a839047": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Defender for Key Vault should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-2913021d-f2fd-4f3d-b958-22354e2bdbcb": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Defender for App Service should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-308fbb08-4ab8-4e67-9b29-592e93fb94fa": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Defender for Storage should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-4da35fc9-c9e7-4960-aec9-797fe7d9051d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Defender for servers should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-523b5cd1-3e23-492f-a539-13118b6d1e3a": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Defender for Kubernetes should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-6581d072-105e-4418-827f-bd446d56421b": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Defender for SQL servers on machines should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-7fe3b40f-802b-4cdd-8bd4-fd799c948cc2": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Defender for Azure SQL Database servers should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-c25d9a16-bc35-4e15-a7e5-9db606bf9ed4": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Defender for container registries should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-b0f33259-77d7-4c9e-aac6-3aabcfae693c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Management ports of virtual machines should be protected with just-in-time network access control",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-037eea7a-bd0a-46c5-9a66-03aea78705d3": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Cognitive Services accounts should restrict network access",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Public network access should be disabled for Cognitive Services accounts",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-0820b7b9-23aa-4725-a1ce-ae4558f718e5": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: CORS should not allow every resource to access your Function Apps",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-0fea8f8a-4169-495d-8307-30ec335f387d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: CORS should not allow every domain to access your API for FHIR",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-2c89a2e5-7285-40fe-afe0-ae8654b92fab": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: SSH access from the Internet should be blocked",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-358c20a6-3f9e-4f0e-97ff-c6ce485e2aac": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: CORS should not allow every resource to access your API App",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "NetworkAccessRemotelyAccessibleRegistryPaths-3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd": {
        "type": "String",
        "metadata": {
          "displayName": "Network access: Remotely accessible registry paths",
          "description": "Specifies which registry paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the `winreg` registry key."
        },
        "defaultValue": "System\\CurrentControlSet\\Control\\ProductOptions|#|System\\CurrentControlSet\\Control\\Server Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"
      },
      "NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths-3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd": {
        "type": "String",
        "metadata": {
          "displayName": "Network access: Remotely accessible registry paths and sub-paths",
          "description": "Specifies which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the `winreg` registry key."
        },
        "defaultValue": "System\\CurrentControlSet\\Control\\Print\\Printers|#|System\\CurrentControlSet\\Services\\Eventlog|#|Software\\Microsoft\\OLAP Server|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|#|System\\CurrentControlSet\\Control\\ContentIndex|#|System\\CurrentControlSet\\Control\\Terminal Server|#|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|#|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"
      },
      "NetworkAccessSharesThatCanBeAccessedAnonymously-3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd": {
        "type": "String",
        "metadata": {
          "displayName": "Network access: Shares that can be accessed anonymously",
          "description": "Specifies which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server."
        },
        "defaultValue": "0"
      },
      "effect-3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Windows machines should meet requirements for 'Security Options - Network Access'",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-4fa4b6c0-31ca-4c0d-b10d-24b96f62a751": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage account public access should be disallowed",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-5744710e-cc2f-4ee8-8809-3b11e89f4bc9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: CORS should not allow every resource to access your Web Applications",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-5e1de0e3-42cb-4ebc-a86d-61d0c619ca48": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Public network access should be disabled for PostgreSQL flexible servers",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-ac4a19c2-fa67-49b4-8ae5-0b2e78c49457": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Role-Based Access Control (RBAC) should be used on Kubernetes Services",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-b52376f7-9612-48a1-81cd-1ffe4b61032c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Public network access should be disabled for PostgreSQL servers",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-c9299215-ae47-4f50-9c54-8a392f68a052": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Public network access should be disabled for MySQL flexible servers",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-c9d007d0-c057-4772-b18c-01e546713bcd": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage accounts should allow access from trusted Microsoft services",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-d0793b48-0edc-4296-a390-4c75d1bdfd71": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Container registries should not allow unrestricted network access",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-d9844e8a-1437-4aeb-a32c-0c992f056095": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Public network access should be disabled for MySQL servers",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-e372f825-a257-4fb8-9175-797a8a8627d6": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: RDP access from the Internet should be blocked",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-fdccbe47-f3e3-4213-ad5d-ea459b2fa077": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Public network access should be disabled for MariaDB servers",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-d158790f-bfb0-486c-8631-2dc6b4e8e6af": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Enforce SSL connection should be enabled for PostgreSQL database servers",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-e802a67a-daf5-4436-9ea6-f6d821dd0c5d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Enforce SSL connection should be enabled for MySQL database servers",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-82985f06-dc18-4a48-bc1c-b9f4f0098cfe": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster pods should only use approved host network and port range",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedNamespaces-82985f06-dc18-4a48-bc1c-b9f4f0098cfe": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespaces excluded from evaluation of policy: Kubernetes cluster pods should only use approved host network and port range",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "namespaces-82985f06-dc18-4a48-bc1c-b9f4f0098cfe": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed host paths for pod hostPath volumes to use",
          "description": "The host paths allowed for pod hostPath volumes to use. Provide an empty paths list to block all host paths."
        },
        "defaultValue": [
          "{\"paths\":[]}"
        ]
      },
      "allowHostNetwork-82985f06-dc18-4a48-bc1c-b9f4f0098cfe": {
        "type": "Boolean",
        "metadata": {
          "displayName": "Allow host network usage for Kubernetes cluster pods",
          "description": "Set this value to true if pod is allowed to use host network otherwise false."
        },
        "defaultValue": false
      },
      "minPort-82985f06-dc18-4a48-bc1c-b9f4f0098cfe": {
        "type": "Integer",
        "metadata": {
          "displayName": "Minimum value in the allowable host port range that pods can use in the host network namespace",
          "description": "The minimum value in the allowable host port range that pods can use in the host network namespace."
        },
        "defaultValue": 0
      },
      "maxPort-82985f06-dc18-4a48-bc1c-b9f4f0098cfe": {
        "type": "Integer",
        "metadata": {
          "displayName": "Maximum value in the allowable host port range that pods can use in the host network namespace",
          "description": "The maximum value in the allowable host port range that pods can use in the host network namespace."
        },
        "defaultValue": 0
      },
      "effect-55615ac9-af46-4a59-874e-391cc3dfb490": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Firewall should be enabled on Key Vault",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "UACAdminApprovalModeForTheBuiltinAdministratorAccount-492a29ed-d143-4f03-b6a4-705ce081b463": {
        "type": "String",
        "metadata": {
          "displayName": "UAC: Admin Approval Mode for the Built-in Administrator account",
          "description": "Specifies the behavior of Admin Approval Mode for the built-in Administrator account."
        },
        "defaultValue": "1"
      },
      "UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode-492a29ed-d143-4f03-b6a4-705ce081b463": {
        "type": "String",
        "metadata": {
          "displayName": "UAC: Behavior of the elevation prompt for administrators in Admin Approval Mode",
          "description": "Specifies the behavior of the elevation prompt for administrators."
        },
        "defaultValue": "2"
      },
      "UACDetectApplicationInstallationsAndPromptForElevation-492a29ed-d143-4f03-b6a4-705ce081b463": {
        "type": "String",
        "metadata": {
          "displayName": "UAC: Detect application installations and prompt for elevation",
          "description": "Specifies the behavior of application installation detection for the computer."
        },
        "defaultValue": "1"
      },
      "UACRunAllAdministratorsInAdminApprovalMode-492a29ed-d143-4f03-b6a4-705ce081b463": {
        "type": "String",
        "metadata": {
          "displayName": "UAC: Run all administrators in Admin Approval Mode",
          "description": "Specifies the behavior of all User Account Control (UAC) policy settings for the computer."
        },
        "defaultValue": "1"
      },
      "effect-492a29ed-d143-4f03-b6a4-705ce081b463": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Windows machines should meet requirements for 'Security Options - User Account Control'",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "UsersOrGroupsThatMayAccessThisComputerFromTheNetwork-e068b215-0026-4354-b347-8fb2766f73a2": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may log on locally",
          "description": "Specifies which remote users on the network are permitted to connect to the computer. This does not include Remote Desktop Connection."
        },
        "defaultValue": "Administrators, Authenticated Users"
      },
      "UsersOrGroupsThatMayLogOnLocally-e068b215-0026-4354-b347-8fb2766f73a2": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may log on locally",
          "description": "Specifies which users or groups can interactively log on to the computer. Users who attempt to log on via Remote Desktop Connection or IIS also require this user right."
        },
        "defaultValue": "Administrators"
      },
      "UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices-e068b215-0026-4354-b347-8fb2766f73a2": {
        "type": "String",
        "metadata": {
          "displayName": "Remote Desktop Users",
          "description": "Users or groups that may log on through Remote Desktop Services"
        },
        "defaultValue": "Administrators"
      },
      "UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork-e068b215-0026-4354-b347-8fb2766f73a2": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that are denied access to this computer from the network",
          "description": "Specifies which users or groups are explicitly prohibited from connecting to the computer across the network."
        },
        "defaultValue": "Guests"
      },
      "UsersOrGroupsThatMayManageAuditingAndSecurityLog-e068b215-0026-4354-b347-8fb2766f73a2": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may manage auditing and security log",
          "description": "Specifies users and groups permitted to change the auditing options for files and directories and clear the Security log."
        },
        "defaultValue": "Administrators"
      },
      "UsersOrGroupsThatMayBackUpFilesAndDirectories-e068b215-0026-4354-b347-8fb2766f73a2": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may back up files and directories",
          "description": "Specifies users and groups allowed to circumvent file and directory permissions to back up the system."
        },
        "defaultValue": "Administrators, Backup Operators"
      },
      "UsersOrGroupsThatMayChangeTheSystemTime-e068b215-0026-4354-b347-8fb2766f73a2": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may change the system time",
          "description": "Specifies which users and groups are permitted to change the time and date on the internal clock of the computer."
        },
        "defaultValue": "Administrators, LOCAL SERVICE"
      },
      "UsersOrGroupsThatMayChangeTheTimeZone-e068b215-0026-4354-b347-8fb2766f73a2": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may change the time zone",
          "description": "Specifies which users and groups are permitted to change the time zone of the computer."
        },
        "defaultValue": "Administrators, LOCAL SERVICE"
      },
      "UsersOrGroupsThatMayCreateATokenObject-e068b215-0026-4354-b347-8fb2766f73a2": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may create a token object",
          "description": "Specifies which users and groups are permitted to create an access token, which may provide elevated rights to access sensitive data."
        },
        "defaultValue": "No One"
      },
      "UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob-e068b215-0026-4354-b347-8fb2766f73a2": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that are denied logging on as a batch job",
          "description": "Specifies which users and groups are explicitly not permitted to log on to the computer as a batch job (i.e. scheduled task)."
        },
        "defaultValue": "Guests"
      },
      "UsersAndGroupsThatAreDeniedLoggingOnAsAService-e068b215-0026-4354-b347-8fb2766f73a2": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that are denied logging on as a service",
          "description": "Specifies which service accounts are explicitly not permitted to register a process as a service."
        },
        "defaultValue": "Guests"
      },
      "UsersAndGroupsThatAreDeniedLocalLogon-e068b215-0026-4354-b347-8fb2766f73a2": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that are denied local logon",
          "description": "Specifies which users and groups are explicitly not permitted to log on to the computer."
        },
        "defaultValue": "Guests"
      },
      "UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices-e068b215-0026-4354-b347-8fb2766f73a2": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that are denied log on through Remote Desktop Services",
          "description": "Specifies which users and groups are explicitly not permitted to log on to the computer via Terminal Services/Remote Desktop Client."
        },
        "defaultValue": "Guests"
      },
      "UserAndGroupsThatMayForceShutdownFromARemoteSystem-e068b215-0026-4354-b347-8fb2766f73a2": {
        "type": "String",
        "metadata": {
          "displayName": "User and groups that may force shutdown from a remote system",
          "description": "Specifies which users and groups are permitted to shut down the computer from a remote location on the network."
        },
        "defaultValue": "Administrators"
      },
      "UsersAndGroupsThatMayRestoreFilesAndDirectories-e068b215-0026-4354-b347-8fb2766f73a2": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that may restore files and directories",
          "description": "Specifies which users and groups are permitted to bypass file, directory, registry, and other persistent object permissions when restoring backed up files and directories."
        },
        "defaultValue": "Administrators, Backup Operators"
      },
      "UsersAndGroupsThatMayShutDownTheSystem-e068b215-0026-4354-b347-8fb2766f73a2": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that may shut down the system",
          "description": "Specifies which users and groups who are logged on locally to the computers in your environment are permitted to shut down the operating system with the Shut Down command."
        },
        "defaultValue": "Administrators"
      },
      "UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects-e068b215-0026-4354-b347-8fb2766f73a2": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may take ownership of files or other objects",
          "description": "Specifies which users and groups are permitted to take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions that are in place to protect objects to give ownership to the specified user."
        },
        "defaultValue": "Administrators"
      },
      "effect-e068b215-0026-4354-b347-8fb2766f73a2": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Windows machines should meet requirements for 'User Rights Assignment'",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-87845465-c458-45f3-af66-dcd62176f397": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Windows machines should meet requirements for 'System Audit Policies - Privilege Use'",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-a451c1ef-c6ca-483d-87ed-f49761e3ffb5": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Audit usage of custom RBAC rules",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-b954148f-4c11-4c38-8221-be76711e194a": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Effect for policy: An activity log alert should exist for specific Administrative operations",
          "description": "For more information about effects, visit https://aka.ms/policyeffects",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "operationName-b954148f-4c11-4c38-8221-be76711e194a": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Operation Name",
          "description": "Administrative Operation name for which activity log alert should be configured",
          "deprecated": true
        },
        "allowedValues": [
          "Microsoft.Sql/servers/firewallRules/write",
          "Microsoft.Sql/servers/firewallRules/delete",
          "Microsoft.Network/networkSecurityGroups/write",
          "Microsoft.Network/networkSecurityGroups/delete",
          "Microsoft.ClassicNetwork/networkSecurityGroups/write",
          "Microsoft.ClassicNetwork/networkSecurityGroups/delete",
          "Microsoft.Network/networkSecurityGroups/securityRules/write",
          "Microsoft.Network/networkSecurityGroups/securityRules/delete",
          "Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/write",
          "Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/delete"
        ],
        "defaultValue": []
      },
      "effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftSql-servers-firewallRules-delete": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: An activity log alert should exist for specific Administrative operations (Microsoft.Sql/servers/firewallRules/delete)",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-delete": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: An activity log alert should exist for specific Administrative operations (Microsoft.Network/networkSecurityGroups/delete)",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-delete": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: An activity log alert should exist for specific Administrative operations (Microsoft.ClassicNetwork/networkSecurityGroups/delete)",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-securityRules-delete": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: An activity log alert should exist for specific Administrative operations (Microsoft.Network/networkSecurityGroups/securityRules/delete)",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-securityRules-delete": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: An activity log alert should exist for specific Administrative operations (Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/delete)",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-ae89ebca-1c92-4898-ac2c-9f63decb045c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Virtual machines should have the Guest Configuration extension",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-d26f7642-7545-4e18-9b75-8c9bbdee3a9a": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Guest Configuration extension should be deployed to Azure virtual machines with system assigned managed identity",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-1a4e592a-6a6e-44a5-9814-e36264ca96e7": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action'",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-7796937f-307b-4598-941c-67d3a05ebfe7": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure subscriptions should have a log profile for Activity Log",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-c5447c04-a4d7-4ba8-a263-c9ee321a6858": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: An activity log alert should exist for specific Policy operations (Microsoft.Authorization/policyAssignments/delete)",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "operationName-c5447c04-a4d7-4ba8-a263-c9ee321a6858": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Operation Name",
          "description": "Policy Operation name for which activity log alert should exist",
          "deprecated": true
        },
        "allowedValues": [
          "Microsoft.Authorization/policyAssignments/write",
          "Microsoft.Authorization/policyAssignments/delete"
        ],
        "defaultValue": []
      },
      "effect-41388f1c-2db0-4c25-95b2-35d7f5ccbfa9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Monitor should collect activity logs from all regions",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-b02aacc0-b073-424e-8298-42b22829ee0a": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Activity log should be retained for at least one year",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "TimeZone-c633f6a2-7f8b-4d9e-9456-02f0f04f5505": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Time zone",
          "description": "The expected time zone",
          "deprecated": true
        },
        "allowedValues": [],
        "defaultValue": []
      },
      "effect-057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-0ec47710-77ff-4a3d-9181-6aa50af424d0": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Geo-redundant backup should be enabled for Azure Database for MariaDB",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-48af4db5-9b8b-401c-8e74-076be876a430": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Geo-redundant backup should be enabled for Azure Database for PostgreSQL",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-82339799-d096-41ae-8538-b108becf0970": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Geo-redundant backup should be enabled for Azure Database for MySQL",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-1b7aa243-30e4-4c9e-bca8-d0d3022b634a": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Vulnerability assessment should be enabled on SQL Managed Instance",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-501541f7-f7e7-4cd6-868c-4190fdad3ac9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: A vulnerability assessment solution should be enabled on your virtual machines",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-5f0f936f-2f01-4bf5-b6be-d423792fa562": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Vulnerabilities in Azure Container Registry images should be remediated",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Vulnerability assessment should be enabled on your SQL servers",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-bb91dfba-c30d-4263-9add-9c2384e659a6": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Non-internet-facing virtual machines should be protected with network security groups",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-e71308d3-144b-4262-b144-efdc3cc90517": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Subnets should be associated with a Network Security Group",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "allowedKeyTypes-75c4f823-d65c-4f29-a733-01d0077fdbcb": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed key types",
          "description": "The list of allowed key types"
        },
        "allowedValues": [
          "RSA",
          "RSA-HSM",
          "EC",
          "EC-HSM"
        ],
        "defaultValue": [
          "RSA",
          "RSA-HSM",
          "EC",
          "EC-HSM"
        ]
      },
      "effect-75c4f823-d65c-4f29-a733-01d0077fdbcb": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Keys should be the specified cryptographic type RSA or EC",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "minimumRSAKeySize-82067dbb-e53b-4e06-b631-546d197452d9": {
        "type": "Integer",
        "metadata": {
          "displayName": "Minimum RSA key size for keys",
          "description": "The minimum key size for RSA keys."
        },
        "allowedValues": [
          2048,
          3072,
          4096
        ],
        "defaultValue": 2048
      },
      "effect-82067dbb-e53b-4e06-b631-546d197452d9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Keys using RSA cryptography should have a specified minimum key size",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "minimumRSAKeySize-cee51871-e572-4576-855c-047c820360f0": {
        "type": "Integer",
        "metadata": {
          "displayName": "Minimum RSA key size certificates",
          "description": "The minimum key size for RSA certificates."
        },
        "allowedValues": [
          2048,
          3072,
          4096
        ],
        "defaultValue": 2048
      },
      "effect-cee51871-e572-4576-855c-047c820360f0": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Certificates using RSA cryptography should have the specified minimum key size",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "allowedECNames-ff25f3c8-b739-4538-9d07-3d6d25cfb255": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed elliptic curve names",
          "description": "The list of allowed curve names for elliptic curve cryptography certificates."
        },
        "allowedValues": [
          "P-256",
          "P-256K",
          "P-384",
          "P-521"
        ],
        "defaultValue": [
          "P-256",
          "P-256K",
          "P-384",
          "P-521"
        ]
      },
      "effect-ff25f3c8-b739-4538-9d07-3d6d25cfb255": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Keys using elliptic curve cryptography should have the specified curve names",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-24fba194-95d6-48c0-aea7-f65bf859c598": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-2bdd0062-9d75-436e-89df-487dd8e4b3c7": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Effect for policy: Cognitive Services accounts should enable data encryption",
          "description": "For more information about effects, visit https://aka.ms/policyeffects",
          "deprecated": true
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "effect-3a58212a-c829-4f13-9872-6371df2fd0b4": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Infrastructure encryption should be enabled for Azure Database for MySQL servers",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage accounts should have infrastructure encryption",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Cognitive Services accounts should enable data encryption with customer-managed key",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-6fac406b-40ca-413b-bf8e-0bf964659c25": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage account should use customer-managed key for encryption",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-81e74cea-30fd-40d5-802f-d72103c2aaaa": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Data Explorer encryption at rest should use a customer-managed key",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-c349d81b-9985-44ae-a8da-ff98d108ede8": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Data Box jobs should enable double encryption for data at rest on the device",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "supportedSKUs-c349d81b-9985-44ae-a8da-ff98d108ede8": {
        "type": "Array",
        "metadata": {
          "displayName": "Azure Data Box SKUs that support software-based double encryption",
          "description": "The list of Azure Data Box SKUs that support software-based double encryption"
        },
        "allowedValues": [
          "DataBox",
          "DataBoxHeavy"
        ],
        "defaultValue": [
          "DataBox",
          "DataBoxHeavy"
        ]
      },
      "effect-f4b53539-8df9-40e4-86c6-6b607703bd4e": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Disk encryption should be enabled on Azure Data Explorer",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Double encryption should be enabled on Azure Data Explorer",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-048248b0-55cd-46da-b1ff-39efd52db260": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: SQL managed instances should use customer-managed keys to encrypt data at rest",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-051cba44-2429-45b9-9649-46cec11c7119": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure API for FHIR should use a customer-managed key to encrypt data at rest",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-0d134df8-db83-46fb-ad72-fe0c9428c8dd": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: SQL servers should use customer-managed keys to encrypt data at rest",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-2c89a2e5-7285-40fe-afe0-ae8654b92fb2": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Unattached disks should be encrypted",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-3657f5a0-770e-44a3-b44e-9431ba1e9735": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Automation account variables should be encrypted",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Container registries should be encrypted with a customer-managed key",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-617c02be-7f02-4efd-8836-3180d47b6c68": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Stream Analytics jobs should use customer-managed keys to encrypt data",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-f7d52b2d-e161-4dfa-a82b-55e564167385": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Synapse workspaces should use customer-managed keys to encrypt data at rest",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-c43e4a30-77cb-48ab-a4dd-93f175c63b57": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Microsoft Antimalware for Azure should be configured to automatically update protection signatures",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Keys should have expiration dates set",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Key vault should have purge protection enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Key vault should have soft delete enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-1f314764-cb73-4fc9-b863-8eca98ac36e9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: An Azure Active Directory administrator should be provisioned for SQL servers",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-123a3936-f020-408a-ba0c-47873faf1534": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Allowlist rules in your adaptive application control policy should be updated",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-fc9b3da7-8347-4380-8e70-0a0361d8dedd": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Linux machines should meet requirements for the Azure compute security baseline",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "AuditAuthenticationPolicyChange-2a7a701e-dff3-4da9-9ec5-42cb98594c0b": {
        "type": "String",
        "metadata": {
          "displayName": "Audit Authentication Policy Change",
          "description": "Specifies whether audit events are generated when changes are made to authentication policy. This setting is useful for tracking changes in domain-level and forest-level trust and privileges that are granted to user accounts or groups."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "Success"
      },
      "AuditAuthorizationPolicyChange-2a7a701e-dff3-4da9-9ec5-42cb98594c0b": {
        "type": "String",
        "metadata": {
          "displayName": "Audit Authorization Policy Change",
          "description": "Specifies whether audit events are generated for assignment and removal of user rights in user right policies, changes in security token object permission, resource attributes changes and Central Access Policy changes for file system objects."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "No Auditing"
      },
      "effect-2a7a701e-dff3-4da9-9ec5-42cb98594c0b": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Windows machines should meet requirements for 'System Audit Policies - Policy Change'",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "MembersToExclude": {
            "value": "[parameters('MembersToExclude-69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.3.017",
          "CMMC_L3_SC.3.181"
        ]
      },
      {
        "policyDefinitionReferenceId": "30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "MembersToInclude": {
            "value": "[parameters('MembersToInclude-30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.3.017"
        ]
      },
      {
        "policyDefinitionReferenceId": "f47b5582-33ec-4c5c-87c0-b010a6b2e917",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f47b5582-33ec-4c5c-87c0-b010a6b2e917",
        "parameters": {
          "logAnalyticsWorkspaceId": {
            "value": "[parameters('logAnalyticsWorkspaceId-f47b5582-33ec-4c5c-87c0-b010a6b2e917')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AU.2.041",
          "CMMC_L3_AU.2.042",
          "CMMC_L3_AU.3.046",
          "CMMC_L3_AU.3.048"
        ]
      },
      {
        "policyDefinitionReferenceId": "08e6af2d-db70-460a-bfe9-d5bd474ba9d6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-08e6af2d-db70-460a-bfe9-d5bd474ba9d6')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.1.003",
          "CMMC_L3_AC.2.016",
          "CMMC_L3_CM.3.068",
          "CMMC_L3_SC.1.175",
          "CMMC_L3_SC.1.176",
          "CMMC_L3_SC.3.183"
        ]
      },
      {
        "policyDefinitionReferenceId": "09024ccc-0c5f-475e-9457-b7c0d9ed487b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-09024ccc-0c5f-475e-9457-b7c0d9ed487b')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.3.017",
          "CMMC_L3_SC.3.181"
        ]
      },
      {
        "policyDefinitionReferenceId": "0961003e-5a0a-4549-abde-af6a37f2724d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0961003e-5a0a-4549-abde-af6a37f2724d')]"
          }
        },
        "groupNames": [
          "CMMC_L3_SC.3.177",
          "CMMC_L3_SC.3.191"
        ]
      },
      {
        "policyDefinitionReferenceId": "0b15565f-aa9e-48ba-8619-45960f2c314d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0b15565f-aa9e-48ba-8619-45960f2c314d')]"
          }
        },
        "groupNames": [
          "CMMC_L3_IR.2.092",
          "CMMC_L3_SI.2.216",
          "CMMC_L3_SI.2.217"
        ]
      },
      {
        "policyDefinitionReferenceId": "0e60b895-3786-45da-8377-9c6b4b6ac5f9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0e60b895-3786-45da-8377-9c6b4b6ac5f9')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.1.001",
          "CMMC_L3_AC.2.013",
          "CMMC_L3_CM.3.068"
        ]
      },
      {
        "policyDefinitionReferenceId": "17k78e20-9358-41c9-923c-fb736d382a12",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-17k78e20-9358-41c9-923c-fb736d382a12')]"
          }
        },
        "groupNames": [
          "CMMC_L3_SC.3.177",
          "CMMC_L3_SC.3.191"
        ]
      },
      {
        "policyDefinitionReferenceId": "1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba')]"
          },
          "PHPLatestVersion": {
            "value": "[parameters('PHPLatestVersion')]"
          }
        },
        "groupNames": [
          "CMMC_L3_SI.1.210"
        ]
      },
      {
        "policyDefinitionReferenceId": "22bee202-a82f-4305-9a2a-6d7f44d4dedb",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-22bee202-a82f-4305-9a2a-6d7f44d4dedb')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.1.002",
          "CMMC_L3_SC.1.175",
          "CMMC_L3_SC.3.185"
        ]
      },
      {
        "policyDefinitionReferenceId": "3cf2ab00-13f1-4d0c-8971-2ac904541a7e",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e",
        "parameters": {},
        "groupNames": [
          "CMMC_L3_AC.1.001",
          "CMMC_L3_AC.2.013",
          "CMMC_L3_AC.3.021",
          "CMMC_L3_IA.1.077",
          "CMMC_L3_IA.2.078",
          "CMMC_L3_IA.2.079",
          "CMMC_L3_IA.2.081"
        ]
      },
      {
        "policyDefinitionReferenceId": "497dff13-db2a-4c0f-8603-28fa3b331ab6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6",
        "parameters": {},
        "groupNames": [
          "CMMC_L3_AC.1.001",
          "CMMC_L3_AC.2.013",
          "CMMC_L3_AC.3.021",
          "CMMC_L3_IA.1.077",
          "CMMC_L3_IA.2.078",
          "CMMC_L3_IA.2.079",
          "CMMC_L3_IA.2.081"
        ]
      },
      {
        "policyDefinitionReferenceId": "385f5831-96d4-41db-9a3c-cd3af78aaae6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6",
        "parameters": {},
        "groupNames": [
          "CMMC_L3_AC.1.001",
          "CMMC_L3_AC.2.013",
          "CMMC_L3_AC.3.021",
          "CMMC_L3_IA.1.077",
          "CMMC_L3_IA.2.078",
          "CMMC_L3_IA.2.079",
          "CMMC_L3_IA.2.081"
        ]
      },
      {
        "policyDefinitionReferenceId": "1221c620-d201-468c-81e7-2817e6107e84",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1221c620-d201-468c-81e7-2817e6107e84",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "NetworkSecurityConfigureEncryptionTypesAllowedForKerberos": {
            "value": "[parameters('NetworkSecurityConfigureEncryptionTypesAllowedForKerberos-1221c620-d201-468c-81e7-2817e6107e84')]"
          },
          "NetworkSecurityLANManagerAuthenticationLevel": {
            "value": "[parameters('NetworkSecurityLANManagerAuthenticationLevel-1221c620-d201-468c-81e7-2817e6107e84')]"
          },
          "NetworkSecurityLDAPClientSigningRequirements": {
            "value": "[parameters('NetworkSecurityLDAPClientSigningRequirements-1221c620-d201-468c-81e7-2817e6107e84')]"
          },
          "NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients": {
            "value": "[parameters('NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients-1221c620-d201-468c-81e7-2817e6107e84')]"
          },
          "NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers": {
            "value": "[parameters('NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers-1221c620-d201-468c-81e7-2817e6107e84')]"
          },
          "effect": {
            "value": "[parameters('effect-1221c620-d201-468c-81e7-2817e6107e84')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.1.001",
          "CMMC_L3_AC.2.013",
          "CMMC_L3_CM.2.064",
          "CMMC_L3_IA.1.077",
          "CMMC_L3_IA.2.078",
          "CMMC_L3_IA.2.079",
          "CMMC_L3_IA.2.081",
          "CMMC_L3_SC.1.175",
          "CMMC_L3_SC.3.183"
        ]
      },
      {
        "policyDefinitionReferenceId": "a2d0e922-65d0-40c4-8f87-ea6da2d307a2",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a2d0e922-65d0-40c4-8f87-ea6da2d307a2",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "effect": {
            "value": "[parameters('effect-a2d0e922-65d0-40c4-8f87-ea6da2d307a2')]"
          }
        },
        "groupNames": [
          "CMMC_L3_IA.2.078"
        ]
      },
      {
        "policyDefinitionReferenceId": "26a828e1-e88f-464e-bbb3-c134a282b9de",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-26a828e1-e88f-464e-bbb3-c134a282b9de')]"
          }
        },
        "groupNames": [
          "CMMC_L3_CA.2.158",
          "CMMC_L3_CA.3.161",
          "CMMC_L3_SI.1.211"
        ]
      },
      {
        "policyDefinitionReferenceId": "32133ab0-ee4b-4b44-98d6-042180979d50",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50",
        "parameters": {
          "listOfImageIdToInclude_windows": {
            "value": "[parameters('listOfImageIdToInclude_windows')]"
          },
          "listOfImageIdToInclude_linux": {
            "value": "[parameters('listOfImageIdToInclude_linux')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AU.2.041",
          "CMMC_L3_AU.2.042",
          "CMMC_L3_AU.3.046",
          "CMMC_L3_AU.3.048"
        ]
      },
      {
        "policyDefinitionReferenceId": "f6ec09a3-78bf-4f8f-99dc-6c77182d0f99",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f6ec09a3-78bf-4f8f-99dc-6c77182d0f99",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "effect": {
            "value": "[parameters('effect-f6ec09a3-78bf-4f8f-99dc-6c77182d0f99')]"
          }
        },
        "groupNames": [
          "CMMC_L3_IA.1.077",
          "CMMC_L3_IA.2.078"
        ]
      },
      {
        "policyDefinitionReferenceId": "34c877ad-507e-4c82-993e-3452a6e0ad3c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-34c877ad-507e-4c82-993e-3452a6e0ad3c')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.1.001",
          "CMMC_L3_AC.1.002",
          "CMMC_L3_AC.2.013",
          "CMMC_L3_AC.2.016",
          "CMMC_L3_CM.3.068",
          "CMMC_L3_SC.1.175",
          "CMMC_L3_SC.1.176",
          "CMMC_L3_SC.3.183",
          "CMMC_L3_SC.3.185",
          "CMMC_L3_SC.3.191"
        ]
      },
      {
        "policyDefinitionReferenceId": "3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4')]"
          }
        },
        "groupNames": [
          "CMMC_L3_RM.2.143",
          "CMMC_L3_SI.1.210"
        ]
      },
      {
        "policyDefinitionReferenceId": "404c3081-a854-4457-ae30-26a93ef643f9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-404c3081-a854-4457-ae30-26a93ef643f9')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.1.002",
          "CMMC_L3_SC.1.175",
          "CMMC_L3_SC.3.185"
        ]
      },
      {
        "policyDefinitionReferenceId": "47a6b606-51aa-4496-8bb7-64b11cf66adc",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-47a6b606-51aa-4496-8bb7-64b11cf66adc')]"
          }
        },
        "groupNames": [
          "CMMC_L3_CA.2.158",
          "CMMC_L3_CA.3.161",
          "CMMC_L3_CM.2.061",
          "CMMC_L3_CM.2.063",
          "CMMC_L3_CM.3.068",
          "CMMC_L3_CM.3.069"
        ]
      },
      {
        "policyDefinitionReferenceId": "496223c3-ad65-4ecd-878a-bae78737e9ed",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-496223c3-ad65-4ecd-878a-bae78737e9ed')]"
          },
          "JavaLatestVersion": {
            "value": "[parameters('JavaLatestVersion')]"
          }
        },
        "groupNames": [
          "CMMC_L3_SI.1.210"
        ]
      },
      {
        "policyDefinitionReferenceId": "4f11b553-d42e-4e3a-89be-32ca364cad4c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-4f11b553-d42e-4e3a-89be-32ca364cad4c')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.3.017",
          "CMMC_L3_SC.3.181"
        ]
      },
      {
        "policyDefinitionReferenceId": "4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7')]"
          }
        },
        "groupNames": [
          "CMMC_L3_IR.2.092",
          "CMMC_L3_SI.2.216"
        ]
      },
      {
        "policyDefinitionReferenceId": "5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138",
        "parameters": {
          "listOfImageIdToInclude_windows": {
            "value": "[parameters('listOfImageIdToInclude_windows')]"
          },
          "listOfImageIdToInclude_linux": {
            "value": "[parameters('listOfImageIdToInclude_linux')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AU.2.041",
          "CMMC_L3_AU.2.042",
          "CMMC_L3_AU.3.046",
          "CMMC_L3_AU.3.048"
        ]
      },
      {
        "policyDefinitionReferenceId": "5c607a2e-c700-4744-8254-d77e7c9eb5e4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-5c607a2e-c700-4744-8254-d77e7c9eb5e4')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.1.001",
          "CMMC_L3_AC.2.007"
        ]
      },
      {
        "policyDefinitionReferenceId": "5f76cf89-fbf2-47fd-a3f4-b891fa780b60",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-5f76cf89-fbf2-47fd-a3f4-b891fa780b60')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.1.001",
          "CMMC_L3_AC.2.007"
        ]
      },
      {
        "policyDefinitionReferenceId": "6b1cbf55-e8b6-442f-ba4c-7246b6381474",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-6b1cbf55-e8b6-442f-ba4c-7246b6381474')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.1.001"
        ]
      },
      {
        "policyDefinitionReferenceId": "6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.1.002",
          "CMMC_L3_IA.3.084",
          "CMMC_L3_SC.1.175",
          "CMMC_L3_SC.3.185",
          "CMMC_L3_SC.3.190"
        ]
      },
      {
        "policyDefinitionReferenceId": "7008174a-fd10-4ef0-817e-fc820a951d73",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-7008174a-fd10-4ef0-817e-fc820a951d73')]"
          },
          "LinuxPythonLatestVersion": {
            "value": "[parameters('LinuxPythonLatestVersion')]"
          }
        },
        "groupNames": [
          "CMMC_L3_SI.1.210"
        ]
      },
      {
        "policyDefinitionReferenceId": "7238174a-fd10-4ef0-817e-fc820a951d73",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-7238174a-fd10-4ef0-817e-fc820a951d73')]"
          },
          "LinuxPythonLatestVersion": {
            "value": "[parameters('LinuxPythonLatestVersion')]"
          }
        },
        "groupNames": [
          "CMMC_L3_SI.1.210"
        ]
      },
      {
        "policyDefinitionReferenceId": "7261b898-8a84-4db8-9e04-18527132abb3",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-7261b898-8a84-4db8-9e04-18527132abb3')]"
          },
          "PHPLatestVersion": {
            "value": "[parameters('PHPLatestVersion')]"
          }
        },
        "groupNames": [
          "CMMC_L3_SI.1.210"
        ]
      },
      {
        "policyDefinitionReferenceId": "5b054a0d-39e2-4d53-bea3-9734cad2c69b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b054a0d-39e2-4d53-bea3-9734cad2c69b",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "effect": {
            "value": "[parameters('effect-5b054a0d-39e2-4d53-bea3-9734cad2c69b')]"
          }
        },
        "groupNames": [
          "CMMC_L3_IA.2.079"
        ]
      },
      {
        "policyDefinitionReferenceId": "74c3584d-afae-46f7-a20a-6f8adba71a16",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20a-6f8adba71a16",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-74c3584d-afae-46f7-a20a-6f8adba71a16')]"
          },
          "LinuxPythonLatestVersion": {
            "value": "[parameters('LinuxPythonLatestVersion')]"
          }
        },
        "groupNames": [
          "CMMC_L3_SI.1.210"
        ]
      },
      {
        "policyDefinitionReferenceId": "bf16e0bb-31e1-4646-8202-60a235cc7e74",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bf16e0bb-31e1-4646-8202-60a235cc7e74",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "effect": {
            "value": "[parameters('effect-bf16e0bb-31e1-4646-8202-60a235cc7e74')]"
          }
        },
        "groupNames": [
          "CMMC_L3_IA.2.078"
        ]
      },
      {
        "policyDefinitionReferenceId": "7f89b1eb-583c-429a-8828-af049802c1d9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9",
        "parameters": {
          "listOfResourceTypes": {
            "value": "[parameters('listOfResourceTypes-7f89b1eb-583c-429a-8828-af049802c1d9')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AU.2.041",
          "CMMC_L3_AU.2.042",
          "CMMC_L3_AU.3.046",
          "CMMC_L3_AU.3.048",
          "CMMC_L3_AU.3.049"
        ]
      },
      {
        "policyDefinitionReferenceId": "86b3d65f-7626-441e-b690-81a8b71cff60",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-86b3d65f-7626-441e-b690-81a8b71cff60')]"
          }
        },
        "groupNames": [
          "CMMC_L3_SI.1.210"
        ]
      },
      {
        "policyDefinitionReferenceId": "88999f4c-376a-45c8-bcb3-4058f713cf39",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/88999f4c-376a-45c8-bcb3-4058f713cf39",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-88999f4c-376a-45c8-bcb3-4058f713cf39')]"
          },
          "JavaLatestVersion": {
            "value": "[parameters('JavaLatestVersion')]"
          }
        },
        "groupNames": [
          "CMMC_L3_SI.1.210"
        ]
      },
      {
        "policyDefinitionReferenceId": "8c122334-9d20-4eb8-89ea-ac9a705b74ae",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8c122334-9d20-4eb8-89ea-ac9a705b74ae",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-8c122334-9d20-4eb8-89ea-ac9a705b74ae')]"
          }
        },
        "groupNames": [
          "CMMC_L3_SI.1.210"
        ]
      },
      {
        "policyDefinitionReferenceId": "8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e')]"
          }
        },
        "groupNames": [
          "CMMC_L3_IA.3.084",
          "CMMC_L3_SC.1.175",
          "CMMC_L3_SC.3.185",
          "CMMC_L3_SC.3.190",
          "CMMC_L3_SI.1.210"
        ]
      },
      {
        "policyDefinitionReferenceId": "da0f98fe-a24b-4ad5-af69-bd0400233661",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/da0f98fe-a24b-4ad5-af69-bd0400233661",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "effect": {
            "value": "[parameters('effect-da0f98fe-a24b-4ad5-af69-bd0400233661')]"
          }
        },
        "groupNames": [
          "CMMC_L3_IA.2.081",
          "CMMC_L3_SC.3.177"
        ]
      },
      {
        "policyDefinitionReferenceId": "9297c21d-2ed6-4474-b48f-163f75654ce3",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-9297c21d-2ed6-4474-b48f-163f75654ce3')]"
          }
        },
        "groupNames": [
          "CMMC_L3_IA.1.077",
          "CMMC_L3_IA.3.083",
          "CMMC_L3_IA.3.084",
          "CMMC_L3_SC.3.190"
        ]
      },
      {
        "policyDefinitionReferenceId": "991310cd-e9f3-47bc-b7b6-f57b557d07db",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/991310cd-e9f3-47bc-b7b6-f57b557d07db",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-991310cd-e9f3-47bc-b7b6-f57b557d07db')]"
          }
        },
        "groupNames": [
          "CMMC_L3_SI.1.210"
        ]
      },
      {
        "policyDefinitionReferenceId": "9b597639-28e4-48eb-b506-56b05d366257",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9b597639-28e4-48eb-b506-56b05d366257",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-9b597639-28e4-48eb-b506-56b05d366257')]"
          }
        },
        "groupNames": [
          "CMMC_L3_SI.1.211",
          "CMMC_L3_SI.1.213"
        ]
      },
      {
        "policyDefinitionReferenceId": "9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc')]"
          },
          "JavaLatestVersion": {
            "value": "[parameters('JavaLatestVersion')]"
          }
        },
        "groupNames": [
          "CMMC_L3_SI.1.210"
        ]
      },
      {
        "policyDefinitionReferenceId": "9daedab3-fb2d-461e-b861-71790eead4f6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-9daedab3-fb2d-461e-b861-71790eead4f6')]"
          }
        },
        "groupNames": [
          "CMMC_L3_CM.2.064",
          "CMMC_L3_CM.3.068",
          "CMMC_L3_SC.1.175",
          "CMMC_L3_SC.1.176",
          "CMMC_L3_SC.3.183"
        ]
      },
      {
        "policyDefinitionReferenceId": "a4af4a39-4135-47fb-b175-47fbdf85311d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-a4af4a39-4135-47fb-b175-47fbdf85311d')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.1.002",
          "CMMC_L3_IA.3.084",
          "CMMC_L3_SC.1.175",
          "CMMC_L3_SC.3.185",
          "CMMC_L3_SC.3.190"
        ]
      },
      {
        "policyDefinitionReferenceId": "a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9')]"
          },
          "setting": {
            "value": "[parameters('setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AU.2.041",
          "CMMC_L3_AU.2.042",
          "CMMC_L3_AU.3.046",
          "CMMC_L3_CA.2.158",
          "CMMC_L3_CA.3.161"
        ]
      },
      {
        "policyDefinitionReferenceId": "a70ca396-0a34-413a-88e1-b956c1e683be",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a70ca396-0a34-413a-88e1-b956c1e683be",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-a70ca396-0a34-413a-88e1-b956c1e683be')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AU.2.041",
          "CMMC_L3_AU.2.042",
          "CMMC_L3_AU.3.048"
        ]
      },
      {
        "policyDefinitionReferenceId": "aa633080-8b72-40c4-a2d7-d00c03e80bed",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-aa633080-8b72-40c4-a2d7-d00c03e80bed')]"
          }
        },
        "groupNames": [
          "CMMC_L3_IA.1.077",
          "CMMC_L3_IA.3.083",
          "CMMC_L3_IA.3.084",
          "CMMC_L3_SC.3.190"
        ]
      },
      {
        "policyDefinitionReferenceId": "abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AU.2.041",
          "CMMC_L3_AU.2.042",
          "CMMC_L3_AU.3.046",
          "CMMC_L3_CM.2.064",
          "CMMC_L3_RM.2.141",
          "CMMC_L3_RM.2.142",
          "CMMC_L3_RM.2.143",
          "CMMC_L3_SC.3.191",
          "CMMC_L3_SI.2.216",
          "CMMC_L3_SI.2.217"
        ]
      },
      {
        "policyDefinitionReferenceId": "abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AU.2.041",
          "CMMC_L3_AU.2.042",
          "CMMC_L3_AU.3.046",
          "CMMC_L3_CM.2.064",
          "CMMC_L3_RM.2.141",
          "CMMC_L3_RM.2.142",
          "CMMC_L3_RM.2.143",
          "CMMC_L3_SC.3.191",
          "CMMC_L3_SI.2.216",
          "CMMC_L3_SI.2.217"
        ]
      },
      {
        "policyDefinitionReferenceId": "af6cd1bd-1635-48cb-bde7-5b15693900b9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-af6cd1bd-1635-48cb-bde7-5b15693900b9')]"
          }
        },
        "groupNames": [
          "CMMC_L3_CA.2.158",
          "CMMC_L3_CA.3.161",
          "CMMC_L3_IR.2.093",
          "CMMC_L3_SI.1.211",
          "CMMC_L3_SI.1.213"
        ]
      },
      {
        "policyDefinitionReferenceId": "5752e6d6-1206-46d8-8ab1-ecc2f71a8112",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "MinimumTLSVersion": {
            "value": "[parameters('MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.1.002",
          "CMMC_L3_IA.3.084",
          "CMMC_L3_SC.1.175",
          "CMMC_L3_SC.3.185",
          "CMMC_L3_SC.3.190"
        ]
      },
      {
        "policyDefinitionReferenceId": "b6e2945c-0b7b-40f5-9233-7a5323b5cdc6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6",
        "parameters": {
          "resourceGroupName": {
            "value": "[parameters('resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.2.013",
          "CMMC_L3_SC.1.175",
          "CMMC_L3_SC.3.183",
          "CMMC_L3_SI.2.216",
          "CMMC_L3_SI.2.217"
        ]
      },
      {
        "policyDefinitionReferenceId": "b7ddfbdc-1260-477d-91fd-98bd9be789a6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-b7ddfbdc-1260-477d-91fd-98bd9be789a6')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.1.002",
          "CMMC_L3_IA.3.084",
          "CMMC_L3_SC.1.175",
          "CMMC_L3_SC.3.185",
          "CMMC_L3_SC.3.190"
        ]
      },
      {
        "policyDefinitionReferenceId": "c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe')]"
          }
        },
        "groupNames": [
          "CMMC_L3_SI.1.210"
        ]
      },
      {
        "policyDefinitionReferenceId": "cb510bfd-1cba-4d9f-a230-cb0976f4bb71",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-cb510bfd-1cba-4d9f-a230-cb0976f4bb71')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.1.001",
          "CMMC_L3_AC.2.013",
          "CMMC_L3_CM.3.068"
        ]
      },
      {
        "policyDefinitionReferenceId": "e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15')]"
          }
        },
        "groupNames": [
          "CMMC_L3_RM.2.143",
          "CMMC_L3_SI.1.210"
        ]
      },
      {
        "policyDefinitionReferenceId": "e2c1c086-2d84-4019-bff3-c44ccd95113c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e2c1c086-2d84-4019-bff3-c44ccd95113c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-e2c1c086-2d84-4019-bff3-c44ccd95113c')]"
          }
        },
        "groupNames": [
          "CMMC_L3_SI.1.210"
        ]
      },
      {
        "policyDefinitionReferenceId": "e3576e28-8b17-4677-84c3-db2990658d64",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-e3576e28-8b17-4677-84c3-db2990658d64')]"
          }
        },
        "groupNames": [
          "CMMC_L3_IA.1.077",
          "CMMC_L3_IA.3.083",
          "CMMC_L3_IA.3.084",
          "CMMC_L3_SC.3.190"
        ]
      },
      {
        "policyDefinitionReferenceId": "e8cbc669-f12d-49eb-93e7-9273119e9933",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-e8cbc669-f12d-49eb-93e7-9273119e9933')]"
          }
        },
        "groupNames": [
          "CMMC_L3_RM.2.143"
        ]
      },
      {
        "policyDefinitionReferenceId": "e9c8d085-d9cc-4b17-9cdc-059f1f01f19e",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-e9c8d085-d9cc-4b17-9cdc-059f1f01f19e')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.1.001",
          "CMMC_L3_AC.2.013",
          "CMMC_L3_CM.3.068"
        ]
      },
      {
        "policyDefinitionReferenceId": "ebb62a0c-3560-49e1-89ed-27e074e9f8ad",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-ebb62a0c-3560-49e1-89ed-27e074e9f8ad')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.1.001",
          "CMMC_L3_SC.3.181"
        ]
      },
      {
        "policyDefinitionReferenceId": "ea53dbee-c6c9-4f0e-9f9e-de0039b78023",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ea53dbee-c6c9-4f0e-9f9e-de0039b78023",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "effect": {
            "value": "[parameters('effect-ea53dbee-c6c9-4f0e-9f9e-de0039b78023')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.1.001",
          "CMMC_L3_AC.1.002",
          "CMMC_L3_AC.2.013"
        ]
      },
      {
        "policyDefinitionReferenceId": "efbde977-ba53-4479-b8e9-10b957924fbf",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/efbde977-ba53-4479-b8e9-10b957924fbf",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-efbde977-ba53-4479-b8e9-10b957924fbf')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AU.2.041",
          "CMMC_L3_AU.2.042",
          "CMMC_L3_AU.3.048"
        ]
      },
      {
        "policyDefinitionReferenceId": "f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b')]"
          }
        },
        "groupNames": [
          "CMMC_L3_IA.3.084",
          "CMMC_L3_SC.1.175",
          "CMMC_L3_SC.3.185",
          "CMMC_L3_SC.3.190",
          "CMMC_L3_SI.1.210"
        ]
      },
      {
        "policyDefinitionReferenceId": "e6955644-301c-44b5-a4c4-528577de6861",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e6955644-301c-44b5-a4c4-528577de6861",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "effect": {
            "value": "[parameters('effect-e6955644-301c-44b5-a4c4-528577de6861')]"
          }
        },
        "groupNames": [
          "CMMC_L3_IA.1.077"
        ]
      },
      {
        "policyDefinitionReferenceId": "f6de0be7-9a8a-4b8a-b349-43cf02d22f7c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-f6de0be7-9a8a-4b8a-b349-43cf02d22f7c')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.1.003",
          "CMMC_L3_AC.2.016",
          "CMMC_L3_CM.3.068",
          "CMMC_L3_SC.1.175",
          "CMMC_L3_SC.1.176",
          "CMMC_L3_SC.3.183"
        ]
      },
      {
        "policyDefinitionReferenceId": "f8456c1c-aa66-4dfb-861a-25d127b775c9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-f8456c1c-aa66-4dfb-861a-25d127b775c9')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.1.001",
          "CMMC_L3_SC.3.181"
        ]
      },
      {
        "policyDefinitionReferenceId": "f9d614c5-c173-4d56-95a7-b4437057d193",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-f9d614c5-c173-4d56-95a7-b4437057d193')]"
          }
        },
        "groupNames": [
          "CMMC_L3_IA.3.084",
          "CMMC_L3_SC.1.175",
          "CMMC_L3_SC.3.185",
          "CMMC_L3_SC.3.190",
          "CMMC_L3_SI.1.210"
        ]
      },
      {
        "policyDefinitionReferenceId": "fb893a29-21bb-418c-a157-e99480ec364c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-fb893a29-21bb-418c-a157-e99480ec364c')]"
          }
        },
        "groupNames": [
          "CMMC_L3_RM.2.143",
          "CMMC_L3_SI.1.210"
        ]
      },
      {
        "policyDefinitionReferenceId": "feedbf84-6b99-488c-acc2-71c829aa5ffc",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-feedbf84-6b99-488c-acc2-71c829aa5ffc')]"
          }
        },
        "groupNames": [
          "CMMC_L3_RM.2.143",
          "CMMC_L3_SI.1.210"
        ]
      },
      {
        "policyDefinitionReferenceId": "3b980d31-7904-4bb7-8575-5665739a8052",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3b980d31-7904-4bb7-8575-5665739a8052",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-3b980d31-7904-4bb7-8575-5665739a8052')]"
          },
          "operationName": {
            "value": "Microsoft.Security/securitySolutions/delete"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.3.021",
          "CMMC_L3_AU.2.041",
          "CMMC_L3_AU.2.042",
          "CMMC_L3_CA.2.158",
          "CMMC_L3_CA.3.161",
          "CMMC_L3_CM.2.065",
          "CMMC_L3_IR.2.093",
          "CMMC_L3_SI.2.216",
          "CMMC_L3_SI.2.217"
        ]
      },
      {
        "policyDefinitionReferenceId": "6e2593d9-add6-4083-9c9b-4b7d2188c899",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-6e2593d9-add6-4083-9c9b-4b7d2188c899')]"
          }
        },
        "groupNames": [
          "CMMC_L3_IR.2.092",
          "CMMC_L3_IR.2.093"
        ]
      },
      {
        "policyDefinitionReferenceId": "c251913d-7d24-4958-af87-478ed3b9ba41",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c251913d-7d24-4958-af87-478ed3b9ba41",
        "parameters": {},
        "groupNames": [
          "CMMC_L3_IR.2.093",
          "CMMC_L3_SC.1.175",
          "CMMC_L3_SC.3.183",
          "CMMC_L3_SI.2.216"
        ]
      },
      {
        "policyDefinitionReferenceId": "383856f8-de7f-44a2-81fc-e5135b5c2aa4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-383856f8-de7f-44a2-81fc-e5135b5c2aa4')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays-383856f8-de7f-44a2-81fc-e5135b5c2aa4')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AU.3.048"
        ]
      },
      {
        "policyDefinitionReferenceId": "b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AU.3.048"
        ]
      },
      {
        "policyDefinitionReferenceId": "12430be1-6cc8-4527-a9a8-e3d38f250096",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-12430be1-6cc8-4527-a9a8-e3d38f250096')]"
          },
          "modeRequirement": {
            "value": "[parameters('modeRequirement-12430be1-6cc8-4527-a9a8-e3d38f250096')]"
          }
        },
        "groupNames": [
          "CMMC_L3_CM.2.064",
          "CMMC_L3_IR.2.093",
          "CMMC_L3_SC.1.175",
          "CMMC_L3_SC.3.183",
          "CMMC_L3_SI.2.216"
        ]
      },
      {
        "policyDefinitionReferenceId": "425bea59-a659-4cbb-8d31-34499bd030b8",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-425bea59-a659-4cbb-8d31-34499bd030b8')]"
          },
          "modeRequirement": {
            "value": "[parameters('modeRequirement-425bea59-a659-4cbb-8d31-34499bd030b8')]"
          }
        },
        "groupNames": [
          "CMMC_L3_CM.2.064",
          "CMMC_L3_IR.2.093",
          "CMMC_L3_SC.1.175",
          "CMMC_L3_SC.3.183",
          "CMMC_L3_SI.2.216"
        ]
      },
      {
        "policyDefinitionReferenceId": "564feb30-bf6a-4854-b4bb-0d2d2d1e6c66",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66')]"
          }
        },
        "groupNames": [
          "CMMC_L3_CM.2.064",
          "CMMC_L3_IR.2.093",
          "CMMC_L3_SC.1.175",
          "CMMC_L3_SC.3.183",
          "CMMC_L3_SI.2.216"
        ]
      },
      {
        "policyDefinitionReferenceId": "055aa869-bc98-4af8-bafc-23f1ab6ffe2c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c')]"
          }
        },
        "groupNames": [
          "CMMC_L3_CM.2.064",
          "CMMC_L3_IR.2.093",
          "CMMC_L3_SC.1.175",
          "CMMC_L3_SC.3.183",
          "CMMC_L3_SI.2.216"
        ]
      },
      {
        "policyDefinitionReferenceId": "361c2074-3595-4e5d-8cab-4f21dffc835c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-361c2074-3595-4e5d-8cab-4f21dffc835c')]"
          }
        },
        "groupNames": [
          "CMMC_L3_IR.2.093"
        ]
      },
      {
        "policyDefinitionReferenceId": "b5f04e03-92a3-4b09-9410-2cc5e5047656",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-b5f04e03-92a3-4b09-9410-2cc5e5047656')]"
          }
        },
        "groupNames": [
          "CMMC_L3_IR.2.093"
        ]
      },
      {
        "policyDefinitionReferenceId": "fc5e4038-4584-4632-8c85-c0448d374b2c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-fc5e4038-4584-4632-8c85-c0448d374b2c')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.1.003",
          "CMMC_L3_AC.2.016",
          "CMMC_L3_CM.2.064",
          "CMMC_L3_IR.2.093",
          "CMMC_L3_SC.3.183",
          "CMMC_L3_SI.2.216"
        ]
      },
      {
        "policyDefinitionReferenceId": "013e242c-8828-4970-87b3-ab247555486d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-013e242c-8828-4970-87b3-ab247555486d')]"
          }
        },
        "groupNames": [
          "CMMC_L3_RE.2.137",
          "CMMC_L3_RE.3.139"
        ]
      },
      {
        "policyDefinitionReferenceId": "d38fc420-0735-4ef3-ac11-c806f651a570",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-d38fc420-0735-4ef3-ac11-c806f651a570')]"
          }
        },
        "groupNames": [
          "CMMC_L3_RE.2.137",
          "CMMC_L3_RE.3.139"
        ]
      },
      {
        "policyDefinitionReferenceId": "0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56",
        "parameters": {},
        "groupNames": [
          "CMMC_L3_RE.2.137",
          "CMMC_L3_RE.3.139"
        ]
      },
      {
        "policyDefinitionReferenceId": "a1181c5f-672a-477a-979a-7d58aa086233",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a1181c5f-672a-477a-979a-7d58aa086233",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-a1181c5f-672a-477a-979a-7d58aa086233')]"
          }
        },
        "groupNames": [
          "CMMC_L3_CA.2.158",
          "CMMC_L3_CA.3.161",
          "CMMC_L3_CM.2.063",
          "CMMC_L3_RM.2.141",
          "CMMC_L3_RM.2.142",
          "CMMC_L3_RM.2.143",
          "CMMC_L3_RM.3.144"
        ]
      },
      {
        "policyDefinitionReferenceId": "0e6763cc-5078-4e64-889d-ff4d9a839047",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0e6763cc-5078-4e64-889d-ff4d9a839047')]"
          }
        },
        "groupNames": [
          "CMMC_L3_IR.2.093",
          "CMMC_L3_RM.2.141",
          "CMMC_L3_RM.2.142",
          "CMMC_L3_RM.2.143",
          "CMMC_L3_RM.3.144",
          "CMMC_L3_SC.3.187",
          "CMMC_L3_SI.1.213",
          "CMMC_L3_SI.2.216"
        ]
      },
      {
        "policyDefinitionReferenceId": "2913021d-f2fd-4f3d-b958-22354e2bdbcb",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcb",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-2913021d-f2fd-4f3d-b958-22354e2bdbcb')]"
          }
        },
        "groupNames": [
          "CMMC_L3_IR.2.093",
          "CMMC_L3_RM.2.141",
          "CMMC_L3_RM.2.142",
          "CMMC_L3_RM.2.143",
          "CMMC_L3_RM.3.144",
          "CMMC_L3_SI.1.213",
          "CMMC_L3_SI.2.216"
        ]
      },
      {
        "policyDefinitionReferenceId": "308fbb08-4ab8-4e67-9b29-592e93fb94fa",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-308fbb08-4ab8-4e67-9b29-592e93fb94fa')]"
          }
        },
        "groupNames": [
          "CMMC_L3_IR.2.093",
          "CMMC_L3_RM.2.141",
          "CMMC_L3_RM.2.142",
          "CMMC_L3_RM.2.143",
          "CMMC_L3_RM.3.144",
          "CMMC_L3_SI.1.213",
          "CMMC_L3_SI.2.216"
        ]
      },
      {
        "policyDefinitionReferenceId": "4da35fc9-c9e7-4960-aec9-797fe7d9051d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-4da35fc9-c9e7-4960-aec9-797fe7d9051d')]"
          }
        },
        "groupNames": [
          "CMMC_L3_IR.2.093",
          "CMMC_L3_RM.2.141",
          "CMMC_L3_RM.2.142",
          "CMMC_L3_RM.2.143",
          "CMMC_L3_RM.3.144",
          "CMMC_L3_SI.1.213",
          "CMMC_L3_SI.2.216"
        ]
      },
      {
        "policyDefinitionReferenceId": "523b5cd1-3e23-492f-a539-13118b6d1e3a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/523b5cd1-3e23-492f-a539-13118b6d1e3a",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-523b5cd1-3e23-492f-a539-13118b6d1e3a')]"
          }
        },
        "groupNames": [
          "CMMC_L3_IR.2.093",
          "CMMC_L3_RM.2.141",
          "CMMC_L3_RM.2.142",
          "CMMC_L3_RM.2.143",
          "CMMC_L3_RM.3.144",
          "CMMC_L3_SI.1.213",
          "CMMC_L3_SI.2.216"
        ]
      },
      {
        "policyDefinitionReferenceId": "6581d072-105e-4418-827f-bd446d56421b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6581d072-105e-4418-827f-bd446d56421b",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-6581d072-105e-4418-827f-bd446d56421b')]"
          }
        },
        "groupNames": [
          "CMMC_L3_IR.2.093",
          "CMMC_L3_RM.2.141",
          "CMMC_L3_RM.2.142",
          "CMMC_L3_RM.2.143",
          "CMMC_L3_RM.3.144",
          "CMMC_L3_SI.1.213",
          "CMMC_L3_SI.2.216"
        ]
      },
      {
        "policyDefinitionReferenceId": "7fe3b40f-802b-4cdd-8bd4-fd799c948cc2",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-7fe3b40f-802b-4cdd-8bd4-fd799c948cc2')]"
          }
        },
        "groupNames": [
          "CMMC_L3_IR.2.093",
          "CMMC_L3_RM.2.141",
          "CMMC_L3_RM.2.142",
          "CMMC_L3_RM.2.143",
          "CMMC_L3_RM.3.144",
          "CMMC_L3_SI.1.213",
          "CMMC_L3_SI.2.216"
        ]
      },
      {
        "policyDefinitionReferenceId": "c25d9a16-bc35-4e15-a7e5-9db606bf9ed4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c25d9a16-bc35-4e15-a7e5-9db606bf9ed4",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-c25d9a16-bc35-4e15-a7e5-9db606bf9ed4')]"
          }
        },
        "groupNames": [
          "CMMC_L3_IR.2.093",
          "CMMC_L3_RM.2.141",
          "CMMC_L3_RM.2.142",
          "CMMC_L3_RM.2.143",
          "CMMC_L3_RM.3.144",
          "CMMC_L3_SI.1.213",
          "CMMC_L3_SI.2.216"
        ]
      },
      {
        "policyDefinitionReferenceId": "b0f33259-77d7-4c9e-aac6-3aabcfae693c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-b0f33259-77d7-4c9e-aac6-3aabcfae693c')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.1.001",
          "CMMC_L3_AC.1.002",
          "CMMC_L3_AC.2.007",
          "CMMC_L3_AC.2.013",
          "CMMC_L3_CM.3.068",
          "CMMC_L3_SC.1.175",
          "CMMC_L3_SC.2.179",
          "CMMC_L3_SC.3.183"
        ]
      },
      {
        "policyDefinitionReferenceId": "037eea7a-bd0a-46c5-9a66-03aea78705d3",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-037eea7a-bd0a-46c5-9a66-03aea78705d3')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.1.001",
          "CMMC_L3_AC.1.002",
          "CMMC_L3_AC.2.016",
          "CMMC_L3_CM.3.068",
          "CMMC_L3_SC.1.175",
          "CMMC_L3_SC.3.183"
        ]
      },
      {
        "policyDefinitionReferenceId": "0725b4dd-7e76-479c-a735-68e7ee23d5ca",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.1.001",
          "CMMC_L3_AC.1.002",
          "CMMC_L3_AC.2.016",
          "CMMC_L3_CM.3.068",
          "CMMC_L3_SC.1.175",
          "CMMC_L3_SC.3.183"
        ]
      },
      {
        "policyDefinitionReferenceId": "0820b7b9-23aa-4725-a1ce-ae4558f718e5",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0820b7b9-23aa-4725-a1ce-ae4558f718e5')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.1.001",
          "CMMC_L3_AC.1.002",
          "CMMC_L3_AC.2.016",
          "CMMC_L3_CM.3.068",
          "CMMC_L3_SC.3.183"
        ]
      },
      {
        "policyDefinitionReferenceId": "0fea8f8a-4169-495d-8307-30ec335f387d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0fea8f8a-4169-495d-8307-30ec335f387d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0fea8f8a-4169-495d-8307-30ec335f387d')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.1.001",
          "CMMC_L3_AC.1.002",
          "CMMC_L3_AC.2.016",
          "CMMC_L3_CM.3.068",
          "CMMC_L3_SC.3.183"
        ]
      },
      {
        "policyDefinitionReferenceId": "1b8ca024-1d5c-4dec-8995-b1a932b41780",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780",
        "parameters": {},
        "groupNames": [
          "CMMC_L3_AC.1.001",
          "CMMC_L3_AC.1.002",
          "CMMC_L3_AC.2.016",
          "CMMC_L3_CM.3.068",
          "CMMC_L3_SC.1.175",
          "CMMC_L3_SC.3.183"
        ]
      },
      {
        "policyDefinitionReferenceId": "2c89a2e5-7285-40fe-afe0-ae8654b92fab",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fab",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-2c89a2e5-7285-40fe-afe0-ae8654b92fab')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.1.001",
          "CMMC_L3_AC.1.002",
          "CMMC_L3_AC.1.003"
        ]
      },
      {
        "policyDefinitionReferenceId": "358c20a6-3f9e-4f0e-97ff-c6ce485e2aac",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-358c20a6-3f9e-4f0e-97ff-c6ce485e2aac')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.1.001",
          "CMMC_L3_AC.1.002",
          "CMMC_L3_AC.2.016",
          "CMMC_L3_CM.3.068",
          "CMMC_L3_SC.3.183"
        ]
      },
      {
        "policyDefinitionReferenceId": "3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "NetworkAccessRemotelyAccessibleRegistryPaths": {
            "value": "[parameters('NetworkAccessRemotelyAccessibleRegistryPaths-3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd')]"
          },
          "NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths": {
            "value": "[parameters('NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths-3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd')]"
          },
          "NetworkAccessSharesThatCanBeAccessedAnonymously": {
            "value": "[parameters('NetworkAccessSharesThatCanBeAccessedAnonymously-3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd')]"
          },
          "effect": {
            "value": "[parameters('effect-3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.1.001",
          "CMMC_L3_AC.1.002",
          "CMMC_L3_AC.2.016",
          "CMMC_L3_SC.1.175",
          "CMMC_L3_SC.3.183"
        ]
      },
      {
        "policyDefinitionReferenceId": "4fa4b6c0-31ca-4c0d-b10d-24b96f62a751",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-4fa4b6c0-31ca-4c0d-b10d-24b96f62a751')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.1.001",
          "CMMC_L3_AC.1.002",
          "CMMC_L3_AC.2.016",
          "CMMC_L3_CM.3.068",
          "CMMC_L3_SC.1.175",
          "CMMC_L3_SC.3.183"
        ]
      },
      {
        "policyDefinitionReferenceId": "5744710e-cc2f-4ee8-8809-3b11e89f4bc9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-5744710e-cc2f-4ee8-8809-3b11e89f4bc9')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.1.001",
          "CMMC_L3_AC.1.002",
          "CMMC_L3_CM.3.068",
          "CMMC_L3_SC.3.183"
        ]
      },
      {
        "policyDefinitionReferenceId": "5e1de0e3-42cb-4ebc-a86d-61d0c619ca48",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-5e1de0e3-42cb-4ebc-a86d-61d0c619ca48')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.1.001",
          "CMMC_L3_AC.1.002",
          "CMMC_L3_AC.2.016",
          "CMMC_L3_CM.3.068",
          "CMMC_L3_SC.1.175",
          "CMMC_L3_SC.3.183"
        ]
      },
      {
        "policyDefinitionReferenceId": "ac4a19c2-fa67-49b4-8ae5-0b2e78c49457",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-ac4a19c2-fa67-49b4-8ae5-0b2e78c49457')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.1.001",
          "CMMC_L3_AC.1.002",
          "CMMC_L3_AC.2.007",
          "CMMC_L3_AC.2.016",
          "CMMC_L3_CM.2.062"
        ]
      },
      {
        "policyDefinitionReferenceId": "b52376f7-9612-48a1-81cd-1ffe4b61032c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-b52376f7-9612-48a1-81cd-1ffe4b61032c')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.1.001",
          "CMMC_L3_AC.1.002",
          "CMMC_L3_AC.2.016",
          "CMMC_L3_CM.3.068",
          "CMMC_L3_SC.1.175",
          "CMMC_L3_SC.3.183"
        ]
      },
      {
        "policyDefinitionReferenceId": "c9299215-ae47-4f50-9c54-8a392f68a052",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-c9299215-ae47-4f50-9c54-8a392f68a052')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.1.001",
          "CMMC_L3_AC.1.002",
          "CMMC_L3_AC.2.016",
          "CMMC_L3_CM.3.068",
          "CMMC_L3_SC.1.175",
          "CMMC_L3_SC.3.183"
        ]
      },
      {
        "policyDefinitionReferenceId": "c9d007d0-c057-4772-b18c-01e546713bcd",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9d007d0-c057-4772-b18c-01e546713bcd",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-c9d007d0-c057-4772-b18c-01e546713bcd')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.1.001",
          "CMMC_L3_AC.1.002",
          "CMMC_L3_SC.3.183"
        ]
      },
      {
        "policyDefinitionReferenceId": "d0793b48-0edc-4296-a390-4c75d1bdfd71",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-d0793b48-0edc-4296-a390-4c75d1bdfd71')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.1.001",
          "CMMC_L3_AC.1.002",
          "CMMC_L3_AC.2.016",
          "CMMC_L3_CM.3.068",
          "CMMC_L3_SC.1.175",
          "CMMC_L3_SC.3.183"
        ]
      },
      {
        "policyDefinitionReferenceId": "d9844e8a-1437-4aeb-a32c-0c992f056095",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-d9844e8a-1437-4aeb-a32c-0c992f056095')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.1.001",
          "CMMC_L3_AC.1.002",
          "CMMC_L3_AC.2.016",
          "CMMC_L3_CM.3.068",
          "CMMC_L3_SC.1.175",
          "CMMC_L3_SC.3.183"
        ]
      },
      {
        "policyDefinitionReferenceId": "e372f825-a257-4fb8-9175-797a8a8627d6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e372f825-a257-4fb8-9175-797a8a8627d6",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-e372f825-a257-4fb8-9175-797a8a8627d6')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.1.001",
          "CMMC_L3_AC.1.002",
          "CMMC_L3_AC.1.003",
          "CMMC_L3_AC.2.015",
          "CMMC_L3_AC.2.016"
        ]
      },
      {
        "policyDefinitionReferenceId": "fdccbe47-f3e3-4213-ad5d-ea459b2fa077",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-fdccbe47-f3e3-4213-ad5d-ea459b2fa077')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.1.001",
          "CMMC_L3_AC.1.002",
          "CMMC_L3_AC.2.016",
          "CMMC_L3_CM.3.068",
          "CMMC_L3_SC.1.175",
          "CMMC_L3_SC.3.183"
        ]
      },
      {
        "policyDefinitionReferenceId": "d158790f-bfb0-486c-8631-2dc6b4e8e6af",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-d158790f-bfb0-486c-8631-2dc6b4e8e6af')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.1.002",
          "CMMC_L3_SC.3.185",
          "CMMC_L3_SC.3.190"
        ]
      },
      {
        "policyDefinitionReferenceId": "e802a67a-daf5-4436-9ea6-f6d821dd0c5d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-e802a67a-daf5-4436-9ea6-f6d821dd0c5d')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.1.002",
          "CMMC_L3_SC.3.185",
          "CMMC_L3_SC.3.190"
        ]
      },
      {
        "policyDefinitionReferenceId": "82985f06-dc18-4a48-bc1c-b9f4f0098cfe",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82985f06-dc18-4a48-bc1c-b9f4f0098cfe",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-82985f06-dc18-4a48-bc1c-b9f4f0098cfe')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces-82985f06-dc18-4a48-bc1c-b9f4f0098cfe')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces-82985f06-dc18-4a48-bc1c-b9f4f0098cfe')]"
          },
          "allowHostNetwork": {
            "value": "[parameters('allowHostNetwork-82985f06-dc18-4a48-bc1c-b9f4f0098cfe')]"
          },
          "minPort": {
            "value": "[parameters('minPort-82985f06-dc18-4a48-bc1c-b9f4f0098cfe')]"
          },
          "maxPort": {
            "value": "[parameters('maxPort-82985f06-dc18-4a48-bc1c-b9f4f0098cfe')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.1.001",
          "CMMC_L3_AC.1.002",
          "CMMC_L3_CM.3.068",
          "CMMC_L3_SC.1.175",
          "CMMC_L3_SC.3.183"
        ]
      },
      {
        "policyDefinitionReferenceId": "55615ac9-af46-4a59-874e-391cc3dfb490",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-55615ac9-af46-4a59-874e-391cc3dfb490')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.1.001",
          "CMMC_L3_AC.1.002",
          "CMMC_L3_CM.2.064",
          "CMMC_L3_IR.2.093",
          "CMMC_L3_SC.3.183",
          "CMMC_L3_SC.3.187"
        ]
      },
      {
        "policyDefinitionReferenceId": "492a29ed-d143-4f03-b6a4-705ce081b463",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/492a29ed-d143-4f03-b6a4-705ce081b463",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "UACAdminApprovalModeForTheBuiltinAdministratorAccount": {
            "value": "[parameters('UACAdminApprovalModeForTheBuiltinAdministratorAccount-492a29ed-d143-4f03-b6a4-705ce081b463')]"
          },
          "UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode": {
            "value": "[parameters('UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode-492a29ed-d143-4f03-b6a4-705ce081b463')]"
          },
          "UACDetectApplicationInstallationsAndPromptForElevation": {
            "value": "[parameters('UACDetectApplicationInstallationsAndPromptForElevation-492a29ed-d143-4f03-b6a4-705ce081b463')]"
          },
          "UACRunAllAdministratorsInAdminApprovalMode": {
            "value": "[parameters('UACRunAllAdministratorsInAdminApprovalMode-492a29ed-d143-4f03-b6a4-705ce081b463')]"
          },
          "effect": {
            "value": "[parameters('effect-492a29ed-d143-4f03-b6a4-705ce081b463')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.2.008",
          "CMMC_L3_AC.3.021",
          "CMMC_L3_CM.2.063"
        ]
      },
      {
        "policyDefinitionReferenceId": "e068b215-0026-4354-b347-8fb2766f73a2",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e068b215-0026-4354-b347-8fb2766f73a2",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "UsersOrGroupsThatMayAccessThisComputerFromTheNetwork": {
            "value": "[parameters('UsersOrGroupsThatMayAccessThisComputerFromTheNetwork-e068b215-0026-4354-b347-8fb2766f73a2')]"
          },
          "UsersOrGroupsThatMayLogOnLocally": {
            "value": "[parameters('UsersOrGroupsThatMayLogOnLocally-e068b215-0026-4354-b347-8fb2766f73a2')]"
          },
          "UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices": {
            "value": "[parameters('UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices-e068b215-0026-4354-b347-8fb2766f73a2')]"
          },
          "UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork": {
            "value": "[parameters('UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork-e068b215-0026-4354-b347-8fb2766f73a2')]"
          },
          "UsersOrGroupsThatMayManageAuditingAndSecurityLog": {
            "value": "[parameters('UsersOrGroupsThatMayManageAuditingAndSecurityLog-e068b215-0026-4354-b347-8fb2766f73a2')]"
          },
          "UsersOrGroupsThatMayBackUpFilesAndDirectories": {
            "value": "[parameters('UsersOrGroupsThatMayBackUpFilesAndDirectories-e068b215-0026-4354-b347-8fb2766f73a2')]"
          },
          "UsersOrGroupsThatMayChangeTheSystemTime": {
            "value": "[parameters('UsersOrGroupsThatMayChangeTheSystemTime-e068b215-0026-4354-b347-8fb2766f73a2')]"
          },
          "UsersOrGroupsThatMayChangeTheTimeZone": {
            "value": "[parameters('UsersOrGroupsThatMayChangeTheTimeZone-e068b215-0026-4354-b347-8fb2766f73a2')]"
          },
          "UsersOrGroupsThatMayCreateATokenObject": {
            "value": "[parameters('UsersOrGroupsThatMayCreateATokenObject-e068b215-0026-4354-b347-8fb2766f73a2')]"
          },
          "UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob": {
            "value": "[parameters('UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob-e068b215-0026-4354-b347-8fb2766f73a2')]"
          },
          "UsersAndGroupsThatAreDeniedLoggingOnAsAService": {
            "value": "[parameters('UsersAndGroupsThatAreDeniedLoggingOnAsAService-e068b215-0026-4354-b347-8fb2766f73a2')]"
          },
          "UsersAndGroupsThatAreDeniedLocalLogon": {
            "value": "[parameters('UsersAndGroupsThatAreDeniedLocalLogon-e068b215-0026-4354-b347-8fb2766f73a2')]"
          },
          "UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices": {
            "value": "[parameters('UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices-e068b215-0026-4354-b347-8fb2766f73a2')]"
          },
          "UserAndGroupsThatMayForceShutdownFromARemoteSystem": {
            "value": "[parameters('UserAndGroupsThatMayForceShutdownFromARemoteSystem-e068b215-0026-4354-b347-8fb2766f73a2')]"
          },
          "UsersAndGroupsThatMayRestoreFilesAndDirectories": {
            "value": "[parameters('UsersAndGroupsThatMayRestoreFilesAndDirectories-e068b215-0026-4354-b347-8fb2766f73a2')]"
          },
          "UsersAndGroupsThatMayShutDownTheSystem": {
            "value": "[parameters('UsersAndGroupsThatMayShutDownTheSystem-e068b215-0026-4354-b347-8fb2766f73a2')]"
          },
          "UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects": {
            "value": "[parameters('UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects-e068b215-0026-4354-b347-8fb2766f73a2')]"
          },
          "effect": {
            "value": "[parameters('effect-e068b215-0026-4354-b347-8fb2766f73a2')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.2.008",
          "CMMC_L3_AC.3.021"
        ]
      },
      {
        "policyDefinitionReferenceId": "87845465-c458-45f3-af66-dcd62176f397",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/87845465-c458-45f3-af66-dcd62176f397",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "effect": {
            "value": "[parameters('effect-87845465-c458-45f3-af66-dcd62176f397')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.3.018",
          "CMMC_L3_CM.2.062"
        ]
      },
      {
        "policyDefinitionReferenceId": "a451c1ef-c6ca-483d-87ed-f49761e3ffb5",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-a451c1ef-c6ca-483d-87ed-f49761e3ffb5')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.3.018"
        ]
      },
      {
        "policyDefinitionReferenceId": "b954148f-4c11-4c38-8221-be76711e194a-0",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b954148f-4c11-4c38-8221-be76711e194a",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftSql-servers-firewallRules-delete')]"
          },
          "operationName": {
            "value": "Microsoft.Sql/servers/firewallRules/delete"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.3.018",
          "CMMC_L3_AC.3.021",
          "CMMC_L3_AU.2.041",
          "CMMC_L3_AU.2.042",
          "CMMC_L3_CM.2.065",
          "CMMC_L3_SI.2.216",
          "CMMC_L3_SI.2.217"
        ]
      },
      {
        "policyDefinitionReferenceId": "b954148f-4c11-4c38-8221-be76711e194a-1",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b954148f-4c11-4c38-8221-be76711e194a",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-delete')]"
          },
          "operationName": {
            "value": "Microsoft.Network/networkSecurityGroups/delete"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.3.018",
          "CMMC_L3_AC.3.021",
          "CMMC_L3_AU.2.041",
          "CMMC_L3_AU.2.042",
          "CMMC_L3_CM.2.065",
          "CMMC_L3_SI.2.216",
          "CMMC_L3_SI.2.217"
        ]
      },
      {
        "policyDefinitionReferenceId": "b954148f-4c11-4c38-8221-be76711e194a-2",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b954148f-4c11-4c38-8221-be76711e194a",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-delete')]"
          },
          "operationName": {
            "value": "Microsoft.ClassicNetwork/networkSecurityGroups/delete"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.3.018",
          "CMMC_L3_AC.3.021",
          "CMMC_L3_AU.2.041",
          "CMMC_L3_AU.2.042",
          "CMMC_L3_CM.2.065",
          "CMMC_L3_SI.2.216",
          "CMMC_L3_SI.2.217"
        ]
      },
      {
        "policyDefinitionReferenceId": "b954148f-4c11-4c38-8221-be76711e194a-3",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b954148f-4c11-4c38-8221-be76711e194a",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-securityRules-delete')]"
          },
          "operationName": {
            "value": "Microsoft.Network/networkSecurityGroups/securityRules/delete"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.3.018",
          "CMMC_L3_AC.3.021",
          "CMMC_L3_AU.2.041",
          "CMMC_L3_AU.2.042",
          "CMMC_L3_CM.2.065",
          "CMMC_L3_SI.2.216",
          "CMMC_L3_SI.2.217"
        ]
      },
      {
        "policyDefinitionReferenceId": "b954148f-4c11-4c38-8221-be76711e194a-4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b954148f-4c11-4c38-8221-be76711e194a",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftClassicNetwork-networkSecurityGroups-securityRules-delete')]"
          },
          "operationName": {
            "value": "Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/delete"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.3.018",
          "CMMC_L3_AC.3.021",
          "CMMC_L3_AU.2.041",
          "CMMC_L3_AU.2.042",
          "CMMC_L3_CM.2.065",
          "CMMC_L3_SI.2.216",
          "CMMC_L3_SI.2.217"
        ]
      },
      {
        "policyDefinitionReferenceId": "331e8ea8-378a-410f-a2e5-ae22f38bb0da",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da",
        "parameters": {},
        "groupNames": [
          "CMMC_L3_AC.3.021"
        ]
      },
      {
        "policyDefinitionReferenceId": "ae89ebca-1c92-4898-ac2c-9f63decb045c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-ae89ebca-1c92-4898-ac2c-9f63decb045c')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.3.021"
        ]
      },
      {
        "policyDefinitionReferenceId": "d26f7642-7545-4e18-9b75-8c9bbdee3a9a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-d26f7642-7545-4e18-9b75-8c9bbdee3a9a')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AC.3.021"
        ]
      },
      {
        "policyDefinitionReferenceId": "1a4e592a-6a6e-44a5-9814-e36264ca96e7",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a4e592a-6a6e-44a5-9814-e36264ca96e7",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1a4e592a-6a6e-44a5-9814-e36264ca96e7')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AU.2.041",
          "CMMC_L3_SI.2.217"
        ]
      },
      {
        "policyDefinitionReferenceId": "7796937f-307b-4598-941c-67d3a05ebfe7",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7796937f-307b-4598-941c-67d3a05ebfe7",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-7796937f-307b-4598-941c-67d3a05ebfe7')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AU.2.041",
          "CMMC_L3_AU.2.042",
          "CMMC_L3_CM.2.065",
          "CMMC_L3_SI.2.216",
          "CMMC_L3_SI.2.217"
        ]
      },
      {
        "policyDefinitionReferenceId": "c5447c04-a4d7-4ba8-a263-c9ee321a6858",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c5447c04-a4d7-4ba8-a263-c9ee321a6858",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-c5447c04-a4d7-4ba8-a263-c9ee321a6858')]"
          },
          "operationName": {
            "value": "Microsoft.Authorization/policyAssignments/delete"
          }
        },
        "groupNames": [
          "CMMC_L3_AU.2.041",
          "CMMC_L3_AU.2.042",
          "CMMC_L3_AU.3.049",
          "CMMC_L3_CM.2.061",
          "CMMC_L3_CM.2.065",
          "CMMC_L3_SI.2.216",
          "CMMC_L3_SI.2.217"
        ]
      },
      {
        "policyDefinitionReferenceId": "41388f1c-2db0-4c25-95b2-35d7f5ccbfa9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/41388f1c-2db0-4c25-95b2-35d7f5ccbfa9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-41388f1c-2db0-4c25-95b2-35d7f5ccbfa9')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AU.2.041",
          "CMMC_L3_AU.2.042",
          "CMMC_L3_CM.2.065",
          "CMMC_L3_SI.2.216",
          "CMMC_L3_SI.2.217"
        ]
      },
      {
        "policyDefinitionReferenceId": "b02aacc0-b073-424e-8298-42b22829ee0a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b02aacc0-b073-424e-8298-42b22829ee0a",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-b02aacc0-b073-424e-8298-42b22829ee0a')]"
          }
        },
        "groupNames": [
          "CMMC_L3_AU.2.042",
          "CMMC_L3_SI.2.217"
        ]
      },
      {
        "policyDefinitionReferenceId": "057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9')]"
          }
        },
        "groupNames": [
          "CMMC_L3_IR.2.092",
          "CMMC_L3_RM.2.141",
          "CMMC_L3_RM.2.142",
          "CMMC_L3_RM.2.143",
          "CMMC_L3_RM.3.144"
        ]
      },
      {
        "policyDefinitionReferenceId": "0ec47710-77ff-4a3d-9181-6aa50af424d0",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0ec47710-77ff-4a3d-9181-6aa50af424d0')]"
          }
        },
        "groupNames": [
          "CMMC_L3_RE.2.137",
          "CMMC_L3_RE.3.139"
        ]
      },
      {
        "policyDefinitionReferenceId": "48af4db5-9b8b-401c-8e74-076be876a430",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-48af4db5-9b8b-401c-8e74-076be876a430')]"
          }
        },
        "groupNames": [
          "CMMC_L3_RE.2.137",
          "CMMC_L3_RE.3.139"
        ]
      },
      {
        "policyDefinitionReferenceId": "82339799-d096-41ae-8538-b108becf0970",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-82339799-d096-41ae-8538-b108becf0970')]"
          }
        },
        "groupNames": [
          "CMMC_L3_RE.2.137",
          "CMMC_L3_RE.3.139"
        ]
      },
      {
        "policyDefinitionReferenceId": "1b7aa243-30e4-4c9e-bca8-d0d3022b634a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1b7aa243-30e4-4c9e-bca8-d0d3022b634a')]"
          }
        },
        "groupNames": [
          "CMMC_L3_CA.2.158",
          "CMMC_L3_CA.3.161",
          "CMMC_L3_RM.2.141",
          "CMMC_L3_RM.2.142",
          "CMMC_L3_RM.2.143"
        ]
      },
      {
        "policyDefinitionReferenceId": "501541f7-f7e7-4cd6-868c-4190fdad3ac9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-501541f7-f7e7-4cd6-868c-4190fdad3ac9')]"
          }
        },
        "groupNames": [
          "CMMC_L3_CA.2.158",
          "CMMC_L3_CA.3.161",
          "CMMC_L3_RM.2.141",
          "CMMC_L3_RM.2.142",
          "CMMC_L3_RM.2.143"
        ]
      },
      {
        "policyDefinitionReferenceId": "5f0f936f-2f01-4bf5-b6be-d423792fa562",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-5f0f936f-2f01-4bf5-b6be-d423792fa562')]"
          }
        },
        "groupNames": [
          "CMMC_L3_RM.2.143"
        ]
      },
      {
        "policyDefinitionReferenceId": "ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9')]"
          }
        },
        "groupNames": [
          "CMMC_L3_CA.2.158",
          "CMMC_L3_CA.3.161",
          "CMMC_L3_RM.2.141",
          "CMMC_L3_RM.2.142",
          "CMMC_L3_RM.2.143"
        ]
      },
      {
        "policyDefinitionReferenceId": "bb91dfba-c30d-4263-9add-9c2384e659a6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-bb91dfba-c30d-4263-9add-9c2384e659a6')]"
          }
        },
        "groupNames": [
          "CMMC_L3_CM.3.068",
          "CMMC_L3_SC.1.175",
          "CMMC_L3_SC.3.183"
        ]
      },
      {
        "policyDefinitionReferenceId": "e71308d3-144b-4262-b144-efdc3cc90517",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-e71308d3-144b-4262-b144-efdc3cc90517')]"
          }
        },
        "groupNames": [
          "CMMC_L3_CM.3.068",
          "CMMC_L3_SC.1.176",
          "CMMC_L3_SC.3.180",
          "CMMC_L3_SC.3.183"
        ]
      },
      {
        "policyDefinitionReferenceId": "75c4f823-d65c-4f29-a733-01d0077fdbcb",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb",
        "parameters": {
          "allowedKeyTypes": {
            "value": "[parameters('allowedKeyTypes-75c4f823-d65c-4f29-a733-01d0077fdbcb')]"
          },
          "effect": {
            "value": "[parameters('effect-75c4f823-d65c-4f29-a733-01d0077fdbcb')]"
          }
        },
        "groupNames": [
          "CMMC_L3_SC.3.177",
          "CMMC_L3_SC.3.187"
        ]
      },
      {
        "policyDefinitionReferenceId": "82067dbb-e53b-4e06-b631-546d197452d9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9",
        "parameters": {
          "minimumRSAKeySize": {
            "value": "[parameters('minimumRSAKeySize-82067dbb-e53b-4e06-b631-546d197452d9')]"
          },
          "effect": {
            "value": "[parameters('effect-82067dbb-e53b-4e06-b631-546d197452d9')]"
          }
        },
        "groupNames": [
          "CMMC_L3_SC.3.177",
          "CMMC_L3_SC.3.187"
        ]
      },
      {
        "policyDefinitionReferenceId": "cee51871-e572-4576-855c-047c820360f0",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0",
        "parameters": {
          "minimumRSAKeySize": {
            "value": "[parameters('minimumRSAKeySize-cee51871-e572-4576-855c-047c820360f0')]"
          },
          "effect": {
            "value": "[parameters('effect-cee51871-e572-4576-855c-047c820360f0')]"
          }
        },
        "groupNames": [
          "CMMC_L3_SC.3.177",
          "CMMC_L3_SC.3.190"
        ]
      },
      {
        "policyDefinitionReferenceId": "ff25f3c8-b739-4538-9d07-3d6d25cfb255",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255",
        "parameters": {
          "allowedECNames": {
            "value": "[parameters('allowedECNames-ff25f3c8-b739-4538-9d07-3d6d25cfb255')]"
          },
          "effect": {
            "value": "[parameters('effect-ff25f3c8-b739-4538-9d07-3d6d25cfb255')]"
          }
        },
        "groupNames": [
          "CMMC_L3_SC.3.177",
          "CMMC_L3_SC.3.187"
        ]
      },
      {
        "policyDefinitionReferenceId": "24fba194-95d6-48c0-aea7-f65bf859c598",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/24fba194-95d6-48c0-aea7-f65bf859c598",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-24fba194-95d6-48c0-aea7-f65bf859c598')]"
          }
        },
        "groupNames": [
          "CMMC_L3_SC.3.177",
          "CMMC_L3_SC.3.191"
        ]
      },
      {
        "policyDefinitionReferenceId": "3a58212a-c829-4f13-9872-6371df2fd0b4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-3a58212a-c829-4f13-9872-6371df2fd0b4')]"
          }
        },
        "groupNames": [
          "CMMC_L3_SC.3.177",
          "CMMC_L3_SC.3.191"
        ]
      },
      {
        "policyDefinitionReferenceId": "4733ea7b-a883-42fe-8cac-97454c2a9e4a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a')]"
          }
        },
        "groupNames": [
          "CMMC_L3_SC.3.177",
          "CMMC_L3_SC.3.191"
        ]
      },
      {
        "policyDefinitionReferenceId": "67121cc7-ff39-4ab8-b7e3-95b84dab487d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d')]"
          }
        },
        "groupNames": [
          "CMMC_L3_SC.3.177"
        ]
      },
      {
        "policyDefinitionReferenceId": "6fac406b-40ca-413b-bf8e-0bf964659c25",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-6fac406b-40ca-413b-bf8e-0bf964659c25')]"
          }
        },
        "groupNames": [
          "CMMC_L3_SC.3.177"
        ]
      },
      {
        "policyDefinitionReferenceId": "81e74cea-30fd-40d5-802f-d72103c2aaaa",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/81e74cea-30fd-40d5-802f-d72103c2aaaa",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-81e74cea-30fd-40d5-802f-d72103c2aaaa')]"
          }
        },
        "groupNames": [
          "CMMC_L3_SC.3.177"
        ]
      },
      {
        "policyDefinitionReferenceId": "a7ff3161-0087-490a-9ad9-ad6217f4f43a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a7ff3161-0087-490a-9ad9-ad6217f4f43a",
        "parameters": {},
        "groupNames": [
          "CMMC_L3_SC.3.177",
          "CMMC_L3_SC.3.191"
        ]
      },
      {
        "policyDefinitionReferenceId": "c349d81b-9985-44ae-a8da-ff98d108ede8",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c349d81b-9985-44ae-a8da-ff98d108ede8",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-c349d81b-9985-44ae-a8da-ff98d108ede8')]"
          },
          "supportedSKUs": {
            "value": "[parameters('supportedSKUs-c349d81b-9985-44ae-a8da-ff98d108ede8')]"
          }
        },
        "groupNames": [
          "CMMC_L3_SC.3.177",
          "CMMC_L3_SC.3.191"
        ]
      },
      {
        "policyDefinitionReferenceId": "f4b53539-8df9-40e4-86c6-6b607703bd4e",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f4b53539-8df9-40e4-86c6-6b607703bd4e",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-f4b53539-8df9-40e4-86c6-6b607703bd4e')]"
          }
        },
        "groupNames": [
          "CMMC_L3_SC.3.177",
          "CMMC_L3_SC.3.191"
        ]
      },
      {
        "policyDefinitionReferenceId": "ec068d99-e9c7-401f-8cef-5bdde4e6ccf1",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ec068d99-e9c7-401f-8cef-5bdde4e6ccf1",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1')]"
          }
        },
        "groupNames": [
          "CMMC_L3_SC.3.177",
          "CMMC_L3_SC.3.191"
        ]
      },
      {
        "policyDefinitionReferenceId": "048248b0-55cd-46da-b1ff-39efd52db260",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-048248b0-55cd-46da-b1ff-39efd52db260')]"
          }
        },
        "groupNames": [
          "CMMC_L3_SC.3.177"
        ]
      },
      {
        "policyDefinitionReferenceId": "051cba44-2429-45b9-9649-46cec11c7119",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-051cba44-2429-45b9-9649-46cec11c7119')]"
          }
        },
        "groupNames": [
          "CMMC_L3_SC.3.177"
        ]
      },
      {
        "policyDefinitionReferenceId": "0d134df8-db83-46fb-ad72-fe0c9428c8dd",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0d134df8-db83-46fb-ad72-fe0c9428c8dd')]"
          }
        },
        "groupNames": [
          "CMMC_L3_SC.3.177"
        ]
      },
      {
        "policyDefinitionReferenceId": "2c89a2e5-7285-40fe-afe0-ae8654b92fb2",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fb2",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-2c89a2e5-7285-40fe-afe0-ae8654b92fb2')]"
          }
        },
        "groupNames": [
          "CMMC_L3_SC.3.177",
          "CMMC_L3_SC.3.191"
        ]
      },
      {
        "policyDefinitionReferenceId": "3657f5a0-770e-44a3-b44e-9431ba1e9735",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-3657f5a0-770e-44a3-b44e-9431ba1e9735')]"
          }
        },
        "groupNames": [
          "CMMC_L3_SC.3.177",
          "CMMC_L3_SC.3.191"
        ]
      },
      {
        "policyDefinitionReferenceId": "5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580')]"
          }
        },
        "groupNames": [
          "CMMC_L3_SC.3.177"
        ]
      },
      {
        "policyDefinitionReferenceId": "617c02be-7f02-4efd-8836-3180d47b6c68",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-617c02be-7f02-4efd-8836-3180d47b6c68')]"
          }
        },
        "groupNames": [
          "CMMC_L3_SC.3.177",
          "CMMC_L3_SC.3.191"
        ]
      },
      {
        "policyDefinitionReferenceId": "7d7be79c-23ba-4033-84dd-45e2a5ccdd67",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67')]"
          }
        },
        "groupNames": [
          "CMMC_L3_SC.3.177"
        ]
      },
      {
        "policyDefinitionReferenceId": "87ba29ef-1ab3-4d82-b763-87fcd4f531f7",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7')]"
          }
        },
        "groupNames": [
          "CMMC_L3_SC.3.177"
        ]
      },
      {
        "policyDefinitionReferenceId": "f7d52b2d-e161-4dfa-a82b-55e564167385",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-f7d52b2d-e161-4dfa-a82b-55e564167385')]"
          }
        },
        "groupNames": [
          "CMMC_L3_SC.3.177"
        ]
      },
      {
        "policyDefinitionReferenceId": "c43e4a30-77cb-48ab-a4dd-93f175c63b57",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c43e4a30-77cb-48ab-a4dd-93f175c63b57",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-c43e4a30-77cb-48ab-a4dd-93f175c63b57')]"
          }
        },
        "groupNames": [
          "CMMC_L3_SI.1.210",
          "CMMC_L3_SI.1.211",
          "CMMC_L3_SI.1.212",
          "CMMC_L3_SI.1.213"
        ]
      },
      {
        "policyDefinitionReferenceId": "152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0')]"
          }
        },
        "groupNames": [
          "CMMC_L3_SC.3.187"
        ]
      },
      {
        "policyDefinitionReferenceId": "0b60c0b2-2dc2-4e1c-b5c9-abbed971de53",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53')]"
          }
        },
        "groupNames": [
          "CMMC_L3_SC.3.187"
        ]
      },
      {
        "policyDefinitionReferenceId": "1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d')]"
          }
        },
        "groupNames": [
          "CMMC_L3_SC.3.187"
        ]
      },
      {
        "policyDefinitionReferenceId": "1f314764-cb73-4fc9-b863-8eca98ac36e9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1f314764-cb73-4fc9-b863-8eca98ac36e9')]"
          }
        },
        "groupNames": [
          "CMMC_L3_SC.3.181"
        ]
      },
      {
        "policyDefinitionReferenceId": "123a3936-f020-408a-ba0c-47873faf1534",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/123a3936-f020-408a-ba0c-47873faf1534",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-123a3936-f020-408a-ba0c-47873faf1534')]"
          }
        },
        "groupNames": [
          "CMMC_L3_CA.2.158",
          "CMMC_L3_CA.3.161",
          "CMMC_L3_CM.2.063",
          "CMMC_L3_CM.3.068"
        ]
      },
      {
        "policyDefinitionReferenceId": "fc9b3da7-8347-4380-8e70-0a0361d8dedd",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "effect": {
            "value": "[parameters('effect-fc9b3da7-8347-4380-8e70-0a0361d8dedd')]"
          }
        },
        "groupNames": [
          "CMMC_L3_CM.2.061"
        ]
      },
      {
        "policyDefinitionReferenceId": "2a7a701e-dff3-4da9-9ec5-42cb98594c0b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a7a701e-dff3-4da9-9ec5-42cb98594c0b",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "AuditAuthenticationPolicyChange": {
            "value": "[parameters('AuditAuthenticationPolicyChange-2a7a701e-dff3-4da9-9ec5-42cb98594c0b')]"
          },
          "AuditAuthorizationPolicyChange": {
            "value": "[parameters('AuditAuthorizationPolicyChange-2a7a701e-dff3-4da9-9ec5-42cb98594c0b')]"
          },
          "effect": {
            "value": "[parameters('effect-2a7a701e-dff3-4da9-9ec5-42cb98594c0b')]"
          }
        },
        "groupNames": [
          "CMMC_L3_CM.2.065"
        ]
      }
    ],
    "policyDefinitionGroups": [
      {
        "name": "CMMC_L3_AC.1.001",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_AC.1.001"
      },
      {
        "name": "CMMC_L3_AC.1.002",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_AC.1.002"
      },
      {
        "name": "CMMC_L3_AC.1.003",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_AC.1.003"
      },
      {
        "name": "CMMC_L3_AC.1.004",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_AC.1.004"
      },
      {
        "name": "CMMC_L3_AC.2.005",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_AC.2.005"
      },
      {
        "name": "CMMC_L3_AC.2.006",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_AC.2.006"
      },
      {
        "name": "CMMC_L3_AC.2.007",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_AC.2.007"
      },
      {
        "name": "CMMC_L3_AC.2.008",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_AC.2.008"
      },
      {
        "name": "CMMC_L3_AC.2.009",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_AC.2.009"
      },
      {
        "name": "CMMC_L3_AC.2.010",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_AC.2.010"
      },
      {
        "name": "CMMC_L3_AC.2.011",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_AC.2.011"
      },
      {
        "name": "CMMC_L3_AC.2.013",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_AC.2.013"
      },
      {
        "name": "CMMC_L3_AC.2.015",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_AC.2.015"
      },
      {
        "name": "CMMC_L3_AC.2.016",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_AC.2.016"
      },
      {
        "name": "CMMC_L3_AC.3.012",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_AC.3.012"
      },
      {
        "name": "CMMC_L3_AC.3.014",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_AC.3.014"
      },
      {
        "name": "CMMC_L3_AC.3.017",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_AC.3.017"
      },
      {
        "name": "CMMC_L3_AC.3.018",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_AC.3.018"
      },
      {
        "name": "CMMC_L3_AC.3.019",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_AC.3.019"
      },
      {
        "name": "CMMC_L3_AC.3.020",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_AC.3.020"
      },
      {
        "name": "CMMC_L3_AC.3.021",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_AC.3.021"
      },
      {
        "name": "CMMC_L3_AC.3.022",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_AC.3.022"
      },
      {
        "name": "CMMC_L3_AM.3.036",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_AM.3.036"
      },
      {
        "name": "CMMC_L3_AT.2.056",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_AT.2.056"
      },
      {
        "name": "CMMC_L3_AT.2.057",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_AT.2.057"
      },
      {
        "name": "CMMC_L3_AT.3.058",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_AT.3.058"
      },
      {
        "name": "CMMC_L3_AU.2.041",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_AU.2.041"
      },
      {
        "name": "CMMC_L3_AU.2.042",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_AU.2.042"
      },
      {
        "name": "CMMC_L3_AU.2.043",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_AU.2.043"
      },
      {
        "name": "CMMC_L3_AU.2.044",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_AU.2.044"
      },
      {
        "name": "CMMC_L3_AU.3.045",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_AU.3.045"
      },
      {
        "name": "CMMC_L3_AU.3.046",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_AU.3.046"
      },
      {
        "name": "CMMC_L3_AU.3.048",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_AU.3.048"
      },
      {
        "name": "CMMC_L3_AU.3.049",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_AU.3.049"
      },
      {
        "name": "CMMC_L3_AU.3.050",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_AU.3.050"
      },
      {
        "name": "CMMC_L3_AU.3.051",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_AU.3.051"
      },
      {
        "name": "CMMC_L3_AU.3.052",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_AU.3.052"
      },
      {
        "name": "CMMC_L3_CA.2.157",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_CA.2.157"
      },
      {
        "name": "CMMC_L3_CA.2.158",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_CA.2.158"
      },
      {
        "name": "CMMC_L3_CA.2.159",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_CA.2.159"
      },
      {
        "name": "CMMC_L3_CA.3.161",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_CA.3.161"
      },
      {
        "name": "CMMC_L3_CA.3.162",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_CA.3.162"
      },
      {
        "name": "CMMC_L3_CM.2.061",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_CM.2.061"
      },
      {
        "name": "CMMC_L3_CM.2.062",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_CM.2.062"
      },
      {
        "name": "CMMC_L3_CM.2.063",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_CM.2.063"
      },
      {
        "name": "CMMC_L3_CM.2.064",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_CM.2.064"
      },
      {
        "name": "CMMC_L3_CM.2.065",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_CM.2.065"
      },
      {
        "name": "CMMC_L3_CM.2.066",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_CM.2.066"
      },
      {
        "name": "CMMC_L3_CM.3.067",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_CM.3.067"
      },
      {
        "name": "CMMC_L3_CM.3.068",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_CM.3.068"
      },
      {
        "name": "CMMC_L3_CM.3.069",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_CM.3.069"
      },
      {
        "name": "CMMC_L3_IA.1.076",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_IA.1.076"
      },
      {
        "name": "CMMC_L3_IA.1.077",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_IA.1.077"
      },
      {
        "name": "CMMC_L3_IA.2.078",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_IA.2.078"
      },
      {
        "name": "CMMC_L3_IA.2.079",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_IA.2.079"
      },
      {
        "name": "CMMC_L3_IA.2.080",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_IA.2.080"
      },
      {
        "name": "CMMC_L3_IA.2.081",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_IA.2.081"
      },
      {
        "name": "CMMC_L3_IA.2.082",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_IA.2.082"
      },
      {
        "name": "CMMC_L3_IA.3.083",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_IA.3.083"
      },
      {
        "name": "CMMC_L3_IA.3.084",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_IA.3.084"
      },
      {
        "name": "CMMC_L3_IA.3.085",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_IA.3.085"
      },
      {
        "name": "CMMC_L3_IA.3.086",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_IA.3.086"
      },
      {
        "name": "CMMC_L3_IR.2.092",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_IR.2.092"
      },
      {
        "name": "CMMC_L3_IR.2.093",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_IR.2.093"
      },
      {
        "name": "CMMC_L3_IR.2.094",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_IR.2.094"
      },
      {
        "name": "CMMC_L3_IR.2.096",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_IR.2.096"
      },
      {
        "name": "CMMC_L3_IR.2.097",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_IR.2.097"
      },
      {
        "name": "CMMC_L3_IR.3.098",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_IR.3.098"
      },
      {
        "name": "CMMC_L3_IR.3.099",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_IR.3.099"
      },
      {
        "name": "CMMC_L3_MA.2.111",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_MA.2.111"
      },
      {
        "name": "CMMC_L3_MA.2.112",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_MA.2.112"
      },
      {
        "name": "CMMC_L3_MA.2.113",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_MA.2.113"
      },
      {
        "name": "CMMC_L3_MA.2.114",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_MA.2.114"
      },
      {
        "name": "CMMC_L3_MA.3.115",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_MA.3.115"
      },
      {
        "name": "CMMC_L3_MA.3.116",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_MA.3.116"
      },
      {
        "name": "CMMC_L3_MP.1.118",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_MP.1.118"
      },
      {
        "name": "CMMC_L3_MP.2.119",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_MP.2.119"
      },
      {
        "name": "CMMC_L3_MP.2.120",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_MP.2.120"
      },
      {
        "name": "CMMC_L3_MP.2.121",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_MP.2.121"
      },
      {
        "name": "CMMC_L3_MP.3.122",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_MP.3.122"
      },
      {
        "name": "CMMC_L3_MP.3.123",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_MP.3.123"
      },
      {
        "name": "CMMC_L3_MP.3.124",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_MP.3.124"
      },
      {
        "name": "CMMC_L3_MP.3.125",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_MP.3.125"
      },
      {
        "name": "CMMC_L3_PE.1.131",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_PE.1.131"
      },
      {
        "name": "CMMC_L3_PE.1.132",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_PE.1.132"
      },
      {
        "name": "CMMC_L3_PE.1.133",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_PE.1.133"
      },
      {
        "name": "CMMC_L3_PE.1.134",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_PE.1.134"
      },
      {
        "name": "CMMC_L3_PE.2.135",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_PE.2.135"
      },
      {
        "name": "CMMC_L3_PE.3.136",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_PE.3.136"
      },
      {
        "name": "CMMC_L3_PS.2.127",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_PS.2.127"
      },
      {
        "name": "CMMC_L3_PS.2.128",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_PS.2.128"
      },
      {
        "name": "CMMC_L3_RE.2.137",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_RE.2.137"
      },
      {
        "name": "CMMC_L3_RE.2.138",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_RE.2.138"
      },
      {
        "name": "CMMC_L3_RE.3.139",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_RE.3.139"
      },
      {
        "name": "CMMC_L3_RM.2.141",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_RM.2.141"
      },
      {
        "name": "CMMC_L3_RM.2.142",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_RM.2.142"
      },
      {
        "name": "CMMC_L3_RM.2.143",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_RM.2.143"
      },
      {
        "name": "CMMC_L3_RM.3.144",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_RM.3.144"
      },
      {
        "name": "CMMC_L3_RM.3.146",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_RM.3.146"
      },
      {
        "name": "CMMC_L3_RM.3.147",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_RM.3.147"
      },
      {
        "name": "CMMC_L3_SA.3.169",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_SA.3.169"
      },
      {
        "name": "CMMC_L3_SC.1.175",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_SC.1.175"
      },
      {
        "name": "CMMC_L3_SC.1.176",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_SC.1.176"
      },
      {
        "name": "CMMC_L3_SC.2.178",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_SC.2.178"
      },
      {
        "name": "CMMC_L3_SC.2.179",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_SC.2.179"
      },
      {
        "name": "CMMC_L3_SC.3.177",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_SC.3.177"
      },
      {
        "name": "CMMC_L3_SC.3.180",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_SC.3.180"
      },
      {
        "name": "CMMC_L3_SC.3.181",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_SC.3.181"
      },
      {
        "name": "CMMC_L3_SC.3.182",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_SC.3.182"
      },
      {
        "name": "CMMC_L3_SC.3.183",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_SC.3.183"
      },
      {
        "name": "CMMC_L3_SC.3.184",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_SC.3.184"
      },
      {
        "name": "CMMC_L3_SC.3.185",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_SC.3.185"
      },
      {
        "name": "CMMC_L3_SC.3.186",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_SC.3.186"
      },
      {
        "name": "CMMC_L3_SC.3.187",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_SC.3.187"
      },
      {
        "name": "CMMC_L3_SC.3.188",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_SC.3.188"
      },
      {
        "name": "CMMC_L3_SC.3.189",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_SC.3.189"
      },
      {
        "name": "CMMC_L3_SC.3.190",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_SC.3.190"
      },
      {
        "name": "CMMC_L3_SC.3.191",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_SC.3.191"
      },
      {
        "name": "CMMC_L3_SC.3.192",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_SC.3.192"
      },
      {
        "name": "CMMC_L3_SC.3.193",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_SC.3.193"
      },
      {
        "name": "CMMC_L3_SI.1.210",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_SI.1.210"
      },
      {
        "name": "CMMC_L3_SI.1.211",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_SI.1.211"
      },
      {
        "name": "CMMC_L3_SI.1.212",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_SI.1.212"
      },
      {
        "name": "CMMC_L3_SI.1.213",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_SI.1.213"
      },
      {
        "name": "CMMC_L3_SI.2.214",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_SI.2.214"
      },
      {
        "name": "CMMC_L3_SI.2.216",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_SI.2.216"
      },
      {
        "name": "CMMC_L3_SI.2.217",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_SI.2.217"
      },
      {
        "name": "CMMC_L3_SI.3.218",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_SI.3.218"
      },
      {
        "name": "CMMC_L3_SI.3.219",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_SI.3.219"
      },
      {
        "name": "CMMC_L3_SI.3.220",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CMMC_L3_SI.3.220"
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/b5629c75-5c77-4422-87b9-2509e680f8de",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "b5629c75-5c77-4422-87b9-2509e680f8de"
}
BuiltIn Regulatory Compliance False True n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "[Preview]: Configure Azure Defender for SQL agents on virtual machines",
    "policyType": "BuiltIn",
    "description": "Configure virtual machines to automatically install the Azure Defender for SQL agents where the Azure Monitor Agent is installed. Security Center collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and Log Analytics workspace in the same region as the machine. This policy only applies to VMs in a few regions.",
    "metadata": {
      "category": "Monitoring",
      "version": "1.0.0-preview",
      "preview": true
    },
    "parameters": {
      "enableCollectionOfSqlQueriesForSecurityResearch": {
        "type": "Boolean",
        "metadata": {
          "displayName": "Enable collection of SQL queries for security research",
          "description": "Enable or disable the collection of SQL queries for security research."
        },
        "allowedValues": [
          true,
          false
        ],
        "defaultValue": true
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the initiative."
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "ASC_DeployAzureDefenderForSqlAdvancedThreatProtectionWindowsAgent",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2ada9901-073c-444a-9a9a-91865174f0aa",
        "parameters": {
          "enableCollectionOfSqlQueriesForSecurityResearch": {
            "value": "[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]"
          },
          "azureDefenderForSqlExtensionTypeToInstall": {
            "value": "AdvancedThreatProtection.Windows"
          },
          "effect": {
            "value": "[parameters('effect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "ASC_DeployAzureDefenderForSqlVulnerabilityAssessmentWindowsAgent",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2ada9901-073c-444a-9a9a-91865174f0aa",
        "parameters": {
          "enableCollectionOfSqlQueriesForSecurityResearch": {
            "value": "[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]"
          },
          "azureDefenderForSqlExtensionTypeToInstall": {
            "value": "VulnerabilityAssessment.Windows"
          },
          "effect": {
            "value": "[parameters('effect')]"
          }
        }
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/39a366e6-fdde-4f41-bbf8-3757f46d1611",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "39a366e6-fdde-4f41-bbf8-3757f46d1611"
}
BuiltIn Monitoring False True n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "[Preview]: Configure machines to automatically install the Azure Monitor and Azure Security agents on virtual machines",
    "policyType": "BuiltIn",
    "description": "Configure machines to automatically install the Azure Monitor and Azure Security agents. Security Center collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine to store audit records. This policy only applies to VMs in a few regions.",
    "metadata": {
      "category": "Monitoring",
      "version": "2.0.0-preview",
      "preview": true
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "Prerequisite_AddSystemIdentity",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17b3de92-f710-4cf4-aa55-0e7859f1ed7b"
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_DeployExtensionLinux",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4034bc6-ae50-406d-bf76-50f4ee5a7811"
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_DeployExtensionWindows",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ca817e41-e85a-4783-bc7f-dc532d36235e"
      },
      {
        "policyDefinitionReferenceId": "ASC_DeployAzureSecurityLinuxAgent",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f8eb305-9c9f-4abe-9bb0-df220d9faba2"
      },
      {
        "policyDefinitionReferenceId": "ASC_DeployAzureSecurityWindowsAgent",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1537496a-b1e8-482b-a06a-1cc2415cdc7b"
      },
      {
        "policyDefinitionReferenceId": "ASC_AMA_DefaultPipeline_Deploy",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28"
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/a15f3269-2e10-458c-87a4-d5989e678a73",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "a15f3269-2e10-458c-87a4-d5989e678a73"
}
BuiltIn Monitoring False True n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "[Preview]: Motion Picture Association of America (MPAA)",
    "policyType": "BuiltIn",
    "description": "This initiative includes audit and virtual machine extension deployment policies that address a subset of Motion Picture Association of America (MPAA) security and guidelines controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/mpaa-blueprint.",
    "metadata": {
      "version": "4.0.2-preview",
      "category": "Regulatory Compliance",
      "preview": true
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers for Guest Configuration policies",
          "description": "Optionally choose to audit settings inside Arc connected servers using Guest Configuration policies. By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "certificateThumbprints": {
        "type": "String",
        "metadata": {
          "displayName": "Certificate thumbprints that should exist under the Trusted Root",
          "description": "A semicolon-separated list of certificate thumbprints that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"
        }
      },
      "applicationName": {
        "type": "String",
        "metadata": {
          "displayName": "Application names to be installed on VMs",
          "description": "A semicolon-separated list of the names of the applications that should be installed. e.g. 'python; powershell'"
        }
      },
      "storagePrefix": {
        "type": "String",
        "metadata": {
          "displayName": "Storage Account Prefix for Regional Storage Account to deploy diagnostic settings for Network Security Groups",
          "description": "This prefix will be combined with the network security group location to form the created storage account name."
        }
      },
      "rgName": {
        "type": "String",
        "metadata": {
          "displayName": "Resource Group Name for Storage Account (must exist) to deploy diagnostic settings for Network Security Groups",
          "description": "The resource group that the storage account will be created in. This resource group must already exist.",
          "strongType": "ExistingResourceGroups"
        }
      },
      "diskEncryptionMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources",
          "description": "Enable or disable the monitoring for VM disk encryption"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "previewMonitorUnencryptedSQLDatabaseInAzureSecurityCenterEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Monitor unencrypted SQL database in Azure Security Center",
          "description": "Enable or disable monitoring of unencrypted SQL databases in Azure Security Center"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "metricName": {
        "type": "String",
        "metadata": {
          "displayName": "Metric name on which alert rules should be configured in Batch accounts",
          "description": "The metric name that an alert rule must be enabled on"
        }
      },
      "metricAlertsInBatchAccountPoolDeleteStartEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Metric alert rules should be configured on Batch accounts",
          "description": "Enable or disable monitoring of metric alert rules on Batch account to enable the required metric"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "disableUnrestrictedNetworkToStorageAccountMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Audit unrestricted network access to storage accounts",
          "description": "Enable or disable the monitoring of network access to storage account"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "diagnosticsLogsInLogicAppsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Resource logs in Logic Apps should be enabled",
          "description": "Enable or disable the monitoring of resource logs in Logic Apps workflows"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "requiredRetentionDays": {
        "type": "String",
        "metadata": {
          "displayName": "Required retention (in days) of resource logs in Logic Apps workflows",
          "description": "The required resource logs retention period in days"
        },
        "defaultValue": "365"
      },
      "vmssOsVulnerabilitiesMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Vulnerabilities in security configuration on your virtual machine scale sets should be remediated",
          "description": "Enable or disable monitoring of virtual machine scale sets OS vulnerabilities "
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "systemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies": {
        "type": "String",
        "metadata": {
          "displayName": "System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies",
          "description": "Specifies whether digital certificates are processed when software restriction policies are enabled and a user or process attempts to run software with an .exe file name extension. It enables or disables certificate rules (a type of software restriction policies rule). For certificate rules to take effect in software restriction policies, you must enable this policy setting."
        },
        "defaultValue": "1"
      },
      "vulnerabilityAssessmentMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Vulnerabilities should be remediated by a Vulnerability Assessment solution",
          "description": "Enable or disable the detection of VM vulnerabilities by a vulnerability assessment solution",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "serverVulnerabilityAssessmentEffect": {
        "type": "String",
        "metadata": {
          "displayName": "A vulnerability assessment solution should be enabled on your virtual machines",
          "description": "Enable or disable the detection of virtual machine vulnerabilities by Azure Security Center vulnerability assessment"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "usersOrGroupsThatMayAccessThisComputerFromTheNetwork": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may access this computer from the network",
          "description": "Specifies which remote users on the network are permitted to connect to the computer. This does not include Remote Desktop Connection."
        },
        "defaultValue": "Administrators, Authenticated Users"
      },
      "usersOrGroupsThatMayLogOnLocally": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may log on locally",
          "description": "Specifies which users or groups can interactively log on to the computer. Users who attempt to log on via Remote Desktop Connection or IIS also require this user right."
        },
        "defaultValue": "Administrators"
      },
      "usersOrGroupsThatMayLogOnThroughRemoteDesktopServices": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may log on through Remote Desktop Services",
          "description": "Specifies which users or groups are permitted to log on as a Terminal Services client, Remote Desktop, or for Remote Assistance."
        },
        "defaultValue": "Administrators, Remote Desktop Users"
      },
      "usersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that are denied access from the network",
          "description": "Specifies which users or groups are explicitly prohibited from connecting across the network."
        },
        "defaultValue": "Guests"
      },
      "usersOrGroupsThatMayManageAuditingAndSecurityLog": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may manage auditing and security log",
          "description": "Specifies users and groups permitted to change the auditing options for files and directories and clear the Security log."
        },
        "defaultValue": "Administrators"
      },
      "usersOrGroupsThatMayBackUpFilesAndDirectories": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may back up files and directories",
          "description": "Specifies users and groups allowed to circumvent file and directory permissions to back up the system."
        },
        "defaultValue": "Administrators, Backup Operators"
      },
      "usersOrGroupsThatMayChangeTheSystemTime": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may change the system time",
          "description": "Specifies which users and groups are permitted to change the time and date on the internal clock of the computer."
        },
        "defaultValue": "Administrators, LOCAL SERVICE"
      },
      "usersOrGroupsThatMayChangeTheTimeZone": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may change the time zone",
          "description": "Specifies which users and groups are permitted to change the time zone of the computer."
        },
        "defaultValue": "Administrators, LOCAL SERVICE"
      },
      "usersOrGroupsThatMayCreateATokenObject": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may create a token object",
          "description": "Specifies which users and groups are permitted to create an access token, which may provide elevated rights to access sensitive data."
        },
        "defaultValue": "No One"
      },
      "usersAndGroupsThatAreDeniedLoggingOnAsABatchJob": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that are denied logging on as a batch job",
          "description": "Specifies which users and groups are explicitly not permitted to log on to the computer as a batch job (i.e. scheduled task)."
        },
        "defaultValue": "Guests"
      },
      "usersAndGroupsThatAreDeniedLoggingOnAsAService": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that are denied logging on as a service",
          "description": "Specifies which service accounts are explicitly not permitted to register a process as a service."
        },
        "defaultValue": "Guests"
      },
      "usersAndGroupsThatAreDeniedLocalLogon": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that are denied local logon",
          "description": "Specifies which users and groups are explicitly not permitted to log on to the computer."
        },
        "defaultValue": "Guests"
      },
      "usersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that are denied log on through Remote Desktop Services",
          "description": "Specifies which users and groups are explicitly not permitted to log on to the computer via Terminal Services/Remote Desktop Client."
        },
        "defaultValue": "Guests"
      },
      "userAndGroupsThatMayForceShutdownFromARemoteSystem": {
        "type": "String",
        "metadata": {
          "displayName": "User and groups that may force shutdown from a remote system",
          "description": "Specifies which users and groups are permitted to shut down the computer from a remote location on the network."
        },
        "defaultValue": "Administrators"
      },
      "usersAndGroupsThatMayRestoreFilesAndDirectories": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that may restore files and directories",
          "description": "Specifies which users and groups are permitted to bypass file, directory, registry, and other persistent object permissions when restoring backed up files and directories."
        },
        "defaultValue": "Administrators, Backup Operators"
      },
      "usersAndGroupsThatMayShutDownTheSystem": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that may shut down the system",
          "description": "Specifies which users and groups who are logged on locally to the computers in your environment are permitted to shut down the operating system with the Shut Down command."
        },
        "defaultValue": "Administrators"
      },
      "usersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may take ownership of files or other objects",
          "description": "Specifies which users and groups are permitted to take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions that are in place to protect objects to give ownership to the specified user."
        },
        "defaultValue": "Administrators"
      },
      "systemUpdatesMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "System updates should be installed on your machines",
          "description": "Enable or disable reporting of system updates"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "sqlServerAuditingRetentionDaysMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "SQL servers should be configured with auditing retention days greater than 90 days",
          "description": "Enable or disable the monitoring of SQL servers with auditing retention period less than 90"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "windowsFirewallDomainUseProfileSettings": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Domain): Use profile settings",
          "description": "Specifies whether Windows Firewall with Advanced Security uses the settings for the Domain profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile."
        },
        "defaultValue": "1"
      },
      "windowsFirewallDomainBehaviorForOutboundConnections": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Domain): Behavior for outbound connections",
          "description": "Specifies the behavior for outbound connections for the Domain profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, and a value of 1 means to block connections."
        },
        "defaultValue": "0"
      },
      "windowsFirewallDomainApplyLocalConnectionSecurityRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Domain): Apply local connection security rules",
          "description": "Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy for the Domain profile."
        },
        "defaultValue": "1"
      },
      "windowsFirewallDomainApplyLocalFirewallRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Domain): Apply local firewall rules",
          "description": "Specifies whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy for the Domain profile."
        },
        "defaultValue": "1"
      },
      "windowsFirewallDomainDisplayNotifications": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Domain): Display notifications",
          "description": "Specifies whether Windows Firewall with Advanced Security displays notifications to the user when a program is blocked from receiving inbound connections, for the Domain profile."
        },
        "defaultValue": "1"
      },
      "windowsFirewallPrivateUseProfileSettings": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Private): Use profile settings",
          "description": "Specifies whether Windows Firewall with Advanced Security uses the settings for the Private profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile."
        },
        "defaultValue": "1"
      },
      "windowsFirewallPrivateBehaviorForOutboundConnections": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Private): Behavior for outbound connections",
          "description": "Specifies the behavior for outbound connections for the Private profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, and a value of 1 means to block connections."
        },
        "defaultValue": "0"
      },
      "windowsFirewallPrivateApplyLocalConnectionSecurityRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Private): Apply local connection security rules",
          "description": "Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy for the Private profile."
        },
        "defaultValue": "1"
      },
      "windowsFirewallPrivateApplyLocalFirewallRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Private): Apply local firewall rules",
          "description": "Specifies whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy for the Private profile."
        },
        "defaultValue": "1"
      },
      "windowsFirewallPrivateDisplayNotifications": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Private): Display notifications",
          "description": "Specifies whether Windows Firewall with Advanced Security displays notifications to the user when a program is blocked from receiving inbound connections, for the Private profile."
        },
        "defaultValue": "1"
      },
      "windowsFirewallPublicUseProfileSettings": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Public): Use profile settings",
          "description": "Specifies whether Windows Firewall with Advanced Security uses the settings for the Public profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile."
        },
        "defaultValue": "1"
      },
      "windowsFirewallPublicBehaviorForOutboundConnections": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Public): Behavior for outbound connections",
          "description": "Specifies the behavior for outbound connections for the Public profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, and a value of 1 means to block connections."
        },
        "defaultValue": "0"
      },
      "windowsFirewallPublicApplyLocalConnectionSecurityRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Public): Apply local connection security rules",
          "description": "Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy for the Public profile."
        },
        "defaultValue": "1"
      },
      "windowsFirewallPublicApplyLocalFirewallRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Public): Apply local firewall rules",
          "description": "Specifies whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy for the Public profile."
        },
        "defaultValue": "1"
      },
      "windowsFirewallPublicDisplayNotifications": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Public): Display notifications",
          "description": "Specifies whether Windows Firewall with Advanced Security displays notifications to the user when a program is blocked from receiving inbound connections, for the Public profile."
        },
        "defaultValue": "1"
      },
      "windowsFirewallDomainAllowUnicastResponse": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall: Domain: Allow unicast response",
          "description": "Specifies whether Windows Firewall with Advanced Security permits the local computer to receive unicast responses to its outgoing multicast or broadcast messages; for the Domain profile."
        },
        "defaultValue": "0"
      },
      "windowsFirewallPrivateAllowUnicastResponse": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall: Private: Allow unicast response",
          "description": "Specifies whether Windows Firewall with Advanced Security permits the local computer to receive unicast responses to its outgoing multicast or broadcast messages; for the Private profile."
        },
        "defaultValue": "0"
      },
      "windowsFirewallPublicAllowUnicastResponse": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall: Public: Allow unicast response",
          "description": "Specifies whether Windows Firewall with Advanced Security permits the local computer to receive unicast responses to its outgoing multicast or broadcast messages; for the Public profile."
        },
        "defaultValue": "1"
      },
      "identityEnableMFAForWritePermissionsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "MFA should be enabled on accounts with write permissions in your subscription",
          "description": "Enable or disable the monitoring of MFA for accounts with write permissions in subscription"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "namespaceAuthorizationRulesInServiceBusMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace",
          "description": "Enable or disable the monitoring of Service Bus namespace authorization rules"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "kubernetesServiceRbacEnabledMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Role-Based Access Control (RBAC) should be used on Kubernetes Services",
          "description": "Enable or disable the monitoring of Kubernetes Services without RBAC enabled"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "diagnosticsLogsInSearchServiceMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Resource logs in Search services should be enabled",
          "description": "Enable or disable the monitoring of resource logs in Azure Search service"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "microsoftNetworkClientDigitallySignCommunicationsAlways": {
        "type": "String",
        "metadata": {
          "displayName": "Microsoft network client: Digitally sign communications (always)",
          "description": "Specifies whether packet signing is required by the SMB client component."
        },
        "defaultValue": "1"
      },
      "microsoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers": {
        "type": "String",
        "metadata": {
          "displayName": "Microsoft network client: Send unencrypted password to third-party SMB servers",
          "description": "Specifies whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it."
        },
        "defaultValue": "0"
      },
      "microsoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession": {
        "type": "String",
        "metadata": {
          "displayName": "Microsoft network server: Amount of idle time required before suspending session",
          "description": "Specifies the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. The format of the value is two integers separated by a comma, denoting an inclusive range."
        },
        "defaultValue": "1,15"
      },
      "microsoftNetworkServerDigitallySignCommunicationsAlways": {
        "type": "String",
        "metadata": {
          "displayName": "Microsoft network server: Digitally sign communications (always)",
          "description": "Specifies whether packet signing is required by the SMB server component."
        },
        "defaultValue": "1"
      },
      "microsoftNetworkServerDisconnectClientsWhenLogonHoursExpire": {
        "type": "String",
        "metadata": {
          "displayName": "Microsoft network server: Disconnect clients when logon hours expire",
          "description": "Specifies whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable 'Network security: Force logoff when logon hours expire'"
        },
        "defaultValue": "1"
      },
      "disableIPForwardingMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "IP Forwarding on your virtual machine should be disabled",
          "description": "Enable or disable the monitoring of IP forwarding on virtual machines"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "threatDetectionTypesOnManagedInstanceMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Advanced Threat Protection types should be set to 'All' in SQL Managed Instance advanced data security settings",
          "description": "It's recommended to enable all Advanced Threat Protection types on your SQL Managed Instance. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "certificateStorePath": {
        "type": "String",
        "metadata": {
          "displayName": "Certificate store path containing the certificates to be checked for expiration",
          "description": "The path to the certificate store containing the certificates to check the expiration dates of. Default value is 'Cert:' which is the root certificate store path, so all certificates on the machine will be checked. Other example paths: 'Cert:\\LocalMachine', 'Cert:\\LocalMachine\\TrustedPublisher', 'Cert:\\CurrentUser'"
        },
        "defaultValue": "Cert:"
      },
      "expirationLimitInDays": {
        "type": "String",
        "metadata": {
          "displayName": "Expiration limit in days for certificates that are expiring under specified certificate store path",
          "description": "An integer indicating the number of days within which to check for certificates that are expiring. For example, if this value is 30, any certificate expiring within the next 30 days will cause this policy to be non-compliant."
        },
        "defaultValue": "30"
      },
      "certificateThumbprintsToInclude": {
        "type": "String",
        "metadata": {
          "displayName": "Certificate thumbprints to include while checking for expired certificates under specified certificate store path",
          "description": "A semicolon-separated list of certificate thumbprints to check under the specified path. If a value is not specified, all certificates under the certificate store path will be checked. If a value is specified, no certificates other than those with the thumbprints specified will be checked. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"
        },
        "defaultValue": ""
      },
      "certificateThumbprintsToExclude": {
        "type": "String",
        "metadata": {
          "displayName": "Certificate thumbprints to exclude while checking for expired certificates under specified certificate store path",
          "description": "A semicolon-separated list of certificate thumbprints to ignore while checking expired certificates. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"
        },
        "defaultValue": ""
      },
      "includeExpiredCertificates": {
        "type": "String",
        "metadata": {
          "displayName": "Include already expired certificates while checking for expired certificates under specified certificate store path",
          "description": "Must be 'true' or 'false'. True indicates that any found certificates that have already expired will also make this policy non-compliant. False indicates that certificates that have expired will be ignored under specified certificate store path."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "recoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders": {
        "type": "String",
        "metadata": {
          "displayName": "Recovery console: Allow floppy copy and access to all drives and all folders",
          "description": "Specifies whether to make the Recovery Console SET command available, which allows setting of recovery console environment variables."
        },
        "defaultValue": "0"
      },
      "accountsGuestAccountStatus": {
        "type": "String",
        "metadata": {
          "displayName": "Accounts: Guest account status",
          "description": "Specifies whether the local Guest account is disabled."
        },
        "defaultValue": "0"
      },
      "networkAccessRemotelyAccessibleRegistryPaths": {
        "type": "String",
        "metadata": {
          "displayName": "Network access: Remotely accessible registry paths",
          "description": "Specifies which registry paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the `winreg` registry key."
        },
        "defaultValue": "System\\CurrentControlSet\\Control\\ProductOptions|#|System\\CurrentControlSet\\Control\\Server Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"
      },
      "networkAccessRemotelyAccessibleRegistryPathsAndSubpaths": {
        "type": "String",
        "metadata": {
          "displayName": "Network access: Remotely accessible registry paths and sub-paths",
          "description": "Specifies which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the `winreg` registry key."
        },
        "defaultValue": "System\\CurrentControlSet\\Control\\Print\\Printers|#|System\\CurrentControlSet\\Services\\Eventlog|#|Software\\Microsoft\\OLAP Server|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|#|System\\CurrentControlSet\\Control\\ContentIndex|#|System\\CurrentControlSet\\Control\\Terminal Server|#|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|#|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"
      },
      "networkAccessSharesThatCanBeAccessedAnonymously": {
        "type": "String",
        "metadata": {
          "displayName": "Network access: Shares that can be accessed anonymously",
          "description": "Specifies which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server."
        },
        "defaultValue": "0"
      },
      "externalAccountsWithOwnerPermissionsShouldBeRemovedFromYourSubscriptionEffect": {
        "type": "String",
        "metadata": {
          "displayName": "External accounts with owner permissions should be removed from your subscription",
          "description": "Enable or disable the monitoring of external accounts with owner permissions in subscription"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "sqlDbVulnerabilityAssesmentMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "SQL databases should have vulnerability findings resolved",
          "description": "Enable or disable the monitoring of Vulnerability Assessment scan results and recommendations for how to remediate database vulnerabilities."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "diskEncryptionMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d",
        "parameters": {
          "effect": {
            "value": "[parameters('diskEncryptionMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "auditWindowsCertificateInTrustedRoot",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/934345e1-4dfb-4c70-90d7-41990dc9608b",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "certificateThumbprints": {
            "value": "[parameters('CertificateThumbprints')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "previewMonitorUnencryptedSQLDatabaseInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12",
        "parameters": {
          "effect": {
            "value": "[parameters('previewMonitorUnencryptedSQLDatabaseInAzureSecurityCenterEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "previewAuditWindowsVMsThatDoNotRestrictTheMinimumPasswordLengthTo14Characters",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a2d0e922-65d0-40c4-8f87-ea6da2d307a2",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "metricAlertsInBatchAccountPoolDeleteStart",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7",
        "parameters": {
          "effect": {
            "value": "[parameters('metricAlertsInBatchAccountPoolDeleteStartEffect')]"
          },
          "metricName": {
            "value": "[parameters('MetricName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "deploydefaultMicrosoftIaaSAntimalwareextensionforWindowsServer",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2835b622-407b-4114-9198-6f7064cbe0dc",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_AddSystemIdentityWhenNone",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e"
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_AddSystemIdentityWhenUser",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6"
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_DeployExtensionWindows",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6"
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_DeployExtensionLinux",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da"
      },
      {
        "policyDefinitionReferenceId": "disableUnrestrictedNetworkToStorageAccountMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c",
        "parameters": {
          "effect": {
            "value": "[parameters('disableUnrestrictedNetworkToStorageAccountMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "diagnosticsLogsInLogicAppsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d",
        "parameters": {
          "effect": {
            "value": "[parameters('diagnosticsLogsInLogicAppsMonitoringEffect')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('RequiredRetentionDays')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "deployThreatDetectionOnSqlServers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "vmssOsVulnerabilitiesMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4",
        "parameters": {
          "effect": {
            "value": "[parameters('vmssOsVulnerabilitiesMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AzureBaselineSecurityOptionsSystemsettings",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12017595-5a75-4bb1-9d97-4c2c939ea3c3",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "systemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies": {
            "value": "[parameters('SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "InstalledApplicationLinux",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d3b823c9-e0fc-4453-9fb2-8213b7338523",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "applicationName": {
            "value": "[parameters('ApplicationName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "serverVulnerabilityAssessment",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9",
        "parameters": {
          "effect": {
            "value": "[parameters('serverVulnerabilityAssessmentEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AzureBaselineUserRightsAssignment",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e068b215-0026-4354-b347-8fb2766f73a2",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "usersOrGroupsThatMayAccessThisComputerFromTheNetwork": {
            "value": "[parameters('UsersOrGroupsThatMayAccessThisComputerFromTheNetwork')]"
          },
          "usersOrGroupsThatMayLogOnLocally": {
            "value": "[parameters('UsersOrGroupsThatMayLogOnLocally')]"
          },
          "usersOrGroupsThatMayLogOnThroughRemoteDesktopServices": {
            "value": "[parameters('UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices')]"
          },
          "usersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork": {
            "value": "[parameters('UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork')]"
          },
          "usersOrGroupsThatMayManageAuditingAndSecurityLog": {
            "value": "[parameters('UsersOrGroupsThatMayManageAuditingAndSecurityLog')]"
          },
          "usersOrGroupsThatMayBackUpFilesAndDirectories": {
            "value": "[parameters('UsersOrGroupsThatMayBackUpFilesAndDirectories')]"
          },
          "usersOrGroupsThatMayChangeTheSystemTime": {
            "value": "[parameters('UsersOrGroupsThatMayChangeTheSystemTime')]"
          },
          "usersOrGroupsThatMayChangeTheTimeZone": {
            "value": "[parameters('UsersOrGroupsThatMayChangeTheTimeZone')]"
          },
          "usersOrGroupsThatMayCreateATokenObject": {
            "value": "[parameters('UsersOrGroupsThatMayCreateATokenObject')]"
          },
          "usersAndGroupsThatAreDeniedLoggingOnAsABatchJob": {
            "value": "[parameters('UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob')]"
          },
          "usersAndGroupsThatAreDeniedLoggingOnAsAService": {
            "value": "[parameters('UsersAndGroupsThatAreDeniedLoggingOnAsAService')]"
          },
          "usersAndGroupsThatAreDeniedLocalLogon": {
            "value": "[parameters('UsersAndGroupsThatAreDeniedLocalLogon')]"
          },
          "usersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices": {
            "value": "[parameters('UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices')]"
          },
          "userAndGroupsThatMayForceShutdownFromARemoteSystem": {
            "value": "[parameters('UserAndGroupsThatMayForceShutdownFromARemoteSystem')]"
          },
          "usersAndGroupsThatMayRestoreFilesAndDirectories": {
            "value": "[parameters('UsersAndGroupsThatMayRestoreFilesAndDirectories')]"
          },
          "usersAndGroupsThatMayShutDownTheSystem": {
            "value": "[parameters('UsersAndGroupsThatMayShutDownTheSystem')]"
          },
          "usersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects": {
            "value": "[parameters('UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "systemUpdatesMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
        "parameters": {
          "effect": {
            "value": "[parameters('systemUpdatesMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "disableIPForwardingForNetworkInterfaces",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "sqlServerAuditingRetentionDaysMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743",
        "parameters": {
          "effect": {
            "value": "[parameters('sqlServerAuditingRetentionDaysMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AzureBaselineWindowsFirewallProperties",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/35d9882c-993d-44e6-87d2-db66ce21b636",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "windowsFirewallDomainUseProfileSettings": {
            "value": "[parameters('WindowsFirewallDomainUseProfileSettings')]"
          },
          "windowsFirewallDomainBehaviorForOutboundConnections": {
            "value": "[parameters('WindowsFirewallDomainBehaviorForOutboundConnections')]"
          },
          "windowsFirewallDomainApplyLocalConnectionSecurityRules": {
            "value": "[parameters('WindowsFirewallDomainApplyLocalConnectionSecurityRules')]"
          },
          "windowsFirewallDomainApplyLocalFirewallRules": {
            "value": "[parameters('WindowsFirewallDomainApplyLocalFirewallRules')]"
          },
          "windowsFirewallDomainDisplayNotifications": {
            "value": "[parameters('WindowsFirewallDomainDisplayNotifications')]"
          },
          "windowsFirewallPrivateUseProfileSettings": {
            "value": "[parameters('WindowsFirewallPrivateUseProfileSettings')]"
          },
          "windowsFirewallPrivateBehaviorForOutboundConnections": {
            "value": "[parameters('WindowsFirewallPrivateBehaviorForOutboundConnections')]"
          },
          "windowsFirewallPrivateApplyLocalConnectionSecurityRules": {
            "value": "[parameters('WindowsFirewallPrivateApplyLocalConnectionSecurityRules')]"
          },
          "windowsFirewallPrivateApplyLocalFirewallRules": {
            "value": "[parameters('WindowsFirewallPrivateApplyLocalFirewallRules')]"
          },
          "windowsFirewallPrivateDisplayNotifications": {
            "value": "[parameters('WindowsFirewallPrivateDisplayNotifications')]"
          },
          "windowsFirewallPublicUseProfileSettings": {
            "value": "[parameters('WindowsFirewallPublicUseProfileSettings')]"
          },
          "windowsFirewallPublicBehaviorForOutboundConnections": {
            "value": "[parameters('WindowsFirewallPublicBehaviorForOutboundConnections')]"
          },
          "windowsFirewallPublicApplyLocalConnectionSecurityRules": {
            "value": "[parameters('WindowsFirewallPublicApplyLocalConnectionSecurityRules')]"
          },
          "windowsFirewallPublicApplyLocalFirewallRules": {
            "value": "[parameters('WindowsFirewallPublicApplyLocalFirewallRules')]"
          },
          "windowsFirewallPublicDisplayNotifications": {
            "value": "[parameters('WindowsFirewallPublicDisplayNotifications')]"
          },
          "windowsFirewallDomainAllowUnicastResponse": {
            "value": "[parameters('WindowsFirewallDomainAllowUnicastResponse')]"
          },
          "windowsFirewallPrivateAllowUnicastResponse": {
            "value": "[parameters('WindowsFirewallPrivateAllowUnicastResponse')]"
          },
          "windowsFirewallPublicAllowUnicastResponse": {
            "value": "[parameters('WindowsFirewallPublicAllowUnicastResponse')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "identityEnableMFAForWritePermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3",
        "parameters": {
          "effect": {
            "value": "[parameters('identityEnableMFAForWritePermissionsMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "namespaceAuthorizationRulesInServiceBusMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee",
        "parameters": {
          "effect": {
            "value": "[parameters('namespaceAuthorizationRulesInServiceBusMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "kubernetesServiceRbacEnabledMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457",
        "parameters": {
          "effect": {
            "value": "[parameters('kubernetesServiceRbacEnabledMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "diagnosticsLogsInSearchServiceMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4",
        "parameters": {
          "effect": {
            "value": "[parameters('diagnosticsLogsInSearchServiceMonitoringEffect')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('RequiredRetentionDays')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AzureBaselineSecurityOptionsMicrosoftNetworkClient",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d6c69680-54f0-4349-af10-94dd05f4225e",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "microsoftNetworkClientDigitallySignCommunicationsAlways": {
            "value": "[parameters('MicrosoftNetworkClientDigitallySignCommunicationsAlways')]"
          },
          "microsoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers": {
            "value": "[parameters('MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers')]"
          },
          "microsoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession": {
            "value": "[parameters('MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession')]"
          },
          "microsoftNetworkServerDigitallySignCommunicationsAlways": {
            "value": "[parameters('MicrosoftNetworkServerDigitallySignCommunicationsAlways')]"
          },
          "microsoftNetworkServerDisconnectClientsWhenLogonHoursExpire": {
            "value": "[parameters('MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "disableIPForwardingMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744",
        "parameters": {
          "effect": {
            "value": "[parameters('disableIPForwardingMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "CertificateExpiration",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1417908b-4bff-46ee-a2a6-4acc899320ab",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "certificateStorePath": {
            "value": "[parameters('CertificateStorePath')]"
          },
          "expirationLimitInDays": {
            "value": "[parameters('ExpirationLimitInDays')]"
          },
          "certificateThumbprintsToInclude": {
            "value": "[parameters('CertificateThumbprintsToInclude')]"
          },
          "certificateThumbprintsToExclude": {
            "value": "[parameters('CertificateThumbprintsToExclude')]"
          },
          "includeExpiredCertificates": {
            "value": "[parameters('IncludeExpiredCertificates')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "deployDiagnosticSettingsforNetworkSecurityGroups",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9c29499-c1d1-4195-99bd-2ec9e3a9dc89",
        "parameters": {
          "storagePrefix": {
            "value": "[parameters('StoragePrefix')]"
          },
          "rgName": {
            "value": "[parameters('RgName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AzureBaselineSecurityOptionsRecoveryconsole",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f71be03e-e25b-4d0f-b8bc-9b3e309b66c0",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "recoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders": {
            "value": "[parameters('RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AzureBaselineSecurityOptionsAccounts",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ee984370-154a-4ee8-9726-19d900e56fc0",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "accountsGuestAccountStatus": {
            "value": "[parameters('AccountsGuestAccountStatus')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "previewAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ea53dbee-c6c9-4f0e-9f9e-de0039b78023",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AzureBaselineSecurityOptionsNetworkAccess",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "networkAccessRemotelyAccessibleRegistryPaths": {
            "value": "[parameters('NetworkAccessRemotelyAccessibleRegistryPaths')]"
          },
          "networkAccessRemotelyAccessibleRegistryPathsAndSubpaths": {
            "value": "[parameters('NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths')]"
          },
          "networkAccessSharesThatCanBeAccessedAnonymously": {
            "value": "[parameters('NetworkAccessSharesThatCanBeAccessedAnonymously')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "externalAccountsWithOwnerPermissionsShouldBeRemovedFromYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9",
        "parameters": {
          "effect": {
            "value": "[parameters('externalAccountsWithOwnerPermissionsShouldBeRemovedFromYourSubscriptionEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "sqlDbVulnerabilityAssesmentMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc",
        "parameters": {
          "effect": {
            "value": "[parameters('sqlDbVulnerabilityAssesmentMonitoringEffect')]"
          }
        }
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "92646f03-e39d-47a9-9e24-58d60ef49af8"
}
BuiltIn Regulatory Compliance False True n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "[Preview]: NIST SP 800-171 R2",
    "policyType": "BuiltIn",
    "description": "This initiative includes audit and virtual machine extension policies that address a subset of NIST SP 800-171 R2 requirements. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/nist800171r2-blueprint.",
    "metadata": {
      "version": "5.1.0-preview",
      "category": "Regulatory Compliance",
      "preview": true
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers for Guest Configuration policies",
          "description": "Optionally choose to audit settings inside Arc connected servers using Guest Configuration policies. By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "membersToExcludeInLocalAdministratorsGroup": {
        "type": "String",
        "metadata": {
          "displayName": "List of users excluded from Windows VM Administrators group",
          "description": "A semicolon-separated list of users that should be excluded in the Administrators local group; Ex: Administrator; myUser1; myUser2"
        }
      },
      "membersToIncludeInLocalAdministratorsGroup": {
        "type": "String",
        "metadata": {
          "displayName": "List of users that must be included in Windows VM Administrators group",
          "description": "A semicolon-separated list of users that should be included in the Administrators local group; Ex: Administrator; myUser1; myUser2"
        }
      },
      "listOfLocationsForNetworkWatcher": {
        "type": "Array",
        "metadata": {
          "displayName": "[Deprecated]: List of regions where Network Watcher should be enabled",
          "description": "Audit if Network Watcher is not enabled for region(s).",
          "strongType": "location",
          "deprecated": true
        },
        "defaultValue": []
      },
      "NetworkWatcherResourceGroupName": {
        "type": "String",
        "metadata": {
          "displayName": "NetworkWatcher resource group name",
          "description": "Name of the resource group of NetworkWatcher, such as NetworkWatcherRG"
        },
        "defaultValue": "NetworkWatcherRG"
      },
      "logAnalyticsWorkspaceIDForVMAgents": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace ID for VM agent reporting",
          "description": "ID (GUID) of the Log Analytics workspace where VMs agents should report."
        }
      },
      "pHPLatestVersionForAppServices": {
        "type": "String",
        "metadata": {
          "displayName": "Latest PHP version",
          "description": "Latest supported PHP version for App Services"
        },
        "defaultValue": "7.3"
      },
      "windowsImagesToAddToLogAgentAuditScope": {
        "type": "Array",
        "metadata": {
          "displayName": "Optional: List of Windows VM images that support Log Analytics agent to add to audit scope",
          "description": "A semicolon-separated list of images; Ex: /subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage"
        },
        "defaultValue": []
      },
      "linuxImagesToAddToLogAgentAuditScope": {
        "type": "Array",
        "metadata": {
          "displayName": "Optional: List of Linux VM images that support Log Analytics agent to add to audit scope",
          "description": "A semicolon-separated list of images; Ex: /subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage"
        },
        "defaultValue": []
      },
      "javaLatestVersionForAppServices": {
        "type": "String",
        "metadata": {
          "displayName": "Latest Java version",
          "description": "Latest supported Java version for App Services"
        },
        "defaultValue": "11"
      },
      "WindowsPythonLatestVersionForAppServices": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Latest Windows Python version",
          "description": "Latest supported Python version for App Services",
          "deprecated": true
        },
        "defaultValue": "3.6"
      },
      "linuxPythonLatestVersionForAppServices": {
        "type": "String",
        "metadata": {
          "displayName": "Latest Linux Python version",
          "description": "Latest supported Python version for App Services"
        },
        "defaultValue": "3.8"
      },
      "listOfResourceTypesForDiagnosticLogs": {
        "type": "Array",
        "metadata": {
          "displayName": "List of resource types that should have resource logs enabled",
          "description": "Audit diagnostic setting for selected resource types"
        },
        "allowedValues": [
          "Microsoft.AnalysisServices/servers",
          "Microsoft.ApiManagement/service",
          "Microsoft.Network/applicationGateways",
          "Microsoft.Automation/automationAccounts",
          "Microsoft.ContainerInstance/containerGroups",
          "Microsoft.ContainerRegistry/registries",
          "Microsoft.ContainerService/managedClusters",
          "Microsoft.Batch/batchAccounts",
          "Microsoft.Cdn/profiles/endpoints",
          "Microsoft.CognitiveServices/accounts",
          "Microsoft.DocumentDB/databaseAccounts",
          "Microsoft.DataFactory/factories",
          "Microsoft.DataLakeAnalytics/accounts",
          "Microsoft.DataLakeStore/accounts",
          "Microsoft.EventGrid/eventSubscriptions",
          "Microsoft.EventGrid/topics",
          "Microsoft.EventHub/namespaces",
          "Microsoft.Network/expressRouteCircuits",
          "Microsoft.Network/azureFirewalls",
          "Microsoft.HDInsight/clusters",
          "Microsoft.Devices/IotHubs",
          "Microsoft.KeyVault/vaults",
          "Microsoft.Network/loadBalancers",
          "Microsoft.Logic/integrationAccounts",
          "Microsoft.Logic/workflows",
          "Microsoft.DBforMySQL/servers",
          "Microsoft.Network/networkInterfaces",
          "Microsoft.Network/networkSecurityGroups",
          "Microsoft.DBforPostgreSQL/servers",
          "Microsoft.PowerBIDedicated/capacities",
          "Microsoft.Network/publicIPAddresses",
          "Microsoft.RecoveryServices/vaults",
          "Microsoft.Cache/redis",
          "Microsoft.Relay/namespaces",
          "Microsoft.Search/searchServices",
          "Microsoft.ServiceBus/namespaces",
          "Microsoft.SignalRService/SignalR",
          "Microsoft.Sql/servers/databases",
          "Microsoft.Sql/servers/elasticPools",
          "Microsoft.StreamAnalytics/streamingjobs",
          "Microsoft.TimeSeriesInsights/environments",
          "Microsoft.Network/trafficManagerProfiles",
          "Microsoft.Compute/virtualMachines",
          "Microsoft.Compute/virtualMachineScaleSets",
          "Microsoft.Network/virtualNetworks",
          "Microsoft.Network/virtualNetworkGateways"
        ],
        "defaultValue": [
          "Microsoft.AnalysisServices/servers",
          "Microsoft.ApiManagement/service",
          "Microsoft.Network/applicationGateways",
          "Microsoft.Automation/automationAccounts",
          "Microsoft.ContainerInstance/containerGroups",
          "Microsoft.ContainerRegistry/registries",
          "Microsoft.ContainerService/managedClusters",
          "Microsoft.Batch/batchAccounts",
          "Microsoft.Cdn/profiles/endpoints",
          "Microsoft.CognitiveServices/accounts",
          "Microsoft.DocumentDB/databaseAccounts",
          "Microsoft.DataFactory/factories",
          "Microsoft.DataLakeAnalytics/accounts",
          "Microsoft.DataLakeStore/accounts",
          "Microsoft.EventGrid/eventSubscriptions",
          "Microsoft.EventGrid/topics",
          "Microsoft.EventHub/namespaces",
          "Microsoft.Network/expressRouteCircuits",
          "Microsoft.Network/azureFirewalls",
          "Microsoft.HDInsight/clusters",
          "Microsoft.Devices/IotHubs",
          "Microsoft.KeyVault/vaults",
          "Microsoft.Network/loadBalancers",
          "Microsoft.Logic/integrationAccounts",
          "Microsoft.Logic/workflows",
          "Microsoft.DBforMySQL/servers",
          "Microsoft.Network/networkInterfaces",
          "Microsoft.Network/networkSecurityGroups",
          "Microsoft.DBforPostgreSQL/servers",
          "Microsoft.PowerBIDedicated/capacities",
          "Microsoft.Network/publicIPAddresses",
          "Microsoft.RecoveryServices/vaults",
          "Microsoft.Cache/redis",
          "Microsoft.Relay/namespaces",
          "Microsoft.Search/searchServices",
          "Microsoft.ServiceBus/namespaces",
          "Microsoft.SignalRService/SignalR",
          "Microsoft.Sql/servers/databases",
          "Microsoft.Sql/servers/elasticPools",
          "Microsoft.StreamAnalytics/streamingjobs",
          "Microsoft.TimeSeriesInsights/environments",
          "Microsoft.Network/trafficManagerProfiles",
          "Microsoft.Compute/virtualMachines",
          "Microsoft.Compute/virtualMachineScaleSets",
          "Microsoft.Network/virtualNetworks",
          "Microsoft.Network/virtualNetworkGateways"
        ]
      },
      "minimumTLSVersionForWindowsServers": {
        "type": "String",
        "metadata": {
          "displayName": "Minimum TLS version for Windows web servers",
          "description": "The minimum TLS protocol version that should be enabled on Windows web servers."
        },
        "allowedValues": [
          "1.2"
        ],
        "defaultValue": "1.2"
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "adaptiveNetworkHardeningRecommendationsShouldBeAppliedOnInternetFacingVirtualMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.13.1",
          "NIST_SP_800-171_R2_3.13.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "identityDesignateMoreThanOneOwnerMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.1.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "diskEncryptionMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.13.16"
        ]
      },
      {
        "policyDefinitionReferenceId": "emailNotificationToSubscriptionOwnerHighSeverityAlertsEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.14.6"
        ]
      },
      {
        "policyDefinitionReferenceId": "functionAppDisableRemoteDebuggingMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.1.1",
          "NIST_SP_800-171_R2_3.1.12"
        ]
      },
      {
        "policyDefinitionReferenceId": "AdministratorsGroupInsideWindowsVMsExcludesTheSpecifiedMembers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "membersToExclude": {
            "value": "[parameters('membersToExcludeInLocalAdministratorsGroup')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-171_R2_3.1.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "sqlDbEncryptionMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.13.16"
        ]
      },
      {
        "policyDefinitionReferenceId": "1bc1795ed44a4d489b3b6fff0fd5f9ba",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba",
        "parameters": {
          "phpLatestVersion": {
            "value": "[parameters('pHPLatestVersionForAppServices')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-171_R2_3.14.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "diagnosticsLogsInRedisCacheMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.13.1",
          "NIST_SP_800-171_R2_3.13.8"
        ]
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_AddSystemIdentityWhenNone",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.5.2",
          "NIST_SP_800-171_R2_3.5.7",
          "NIST_SP_800-171_R2_3.5.8",
          "NIST_SP_800-171_R2_3.1.1",
          "NIST_SP_800-171_R2_3.1.12",
          "NIST_SP_800-171_R2_3.5.10"
        ]
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_AddSystemIdentityWhenUser",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.5.2",
          "NIST_SP_800-171_R2_3.5.7",
          "NIST_SP_800-171_R2_3.5.8",
          "NIST_SP_800-171_R2_3.1.1",
          "NIST_SP_800-171_R2_3.1.12",
          "NIST_SP_800-171_R2_3.5.10"
        ]
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_DeployExtensionWindows",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.5.2",
          "NIST_SP_800-171_R2_3.5.7",
          "NIST_SP_800-171_R2_3.5.8",
          "NIST_SP_800-171_R2_3.1.1",
          "NIST_SP_800-171_R2_3.1.12",
          "NIST_SP_800-171_R2_3.5.10"
        ]
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_DeployExtensionLinux",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1221c620-d201-468c-81e7-2817e6107e84",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.5.2",
          "NIST_SP_800-171_R2_3.5.7",
          "NIST_SP_800-171_R2_3.5.8",
          "NIST_SP_800-171_R2_3.1.1",
          "NIST_SP_800-171_R2_3.1.12",
          "NIST_SP_800-171_R2_3.5.10"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditWindowsVMsThatDoNotRestrictTheMinimumPasswordLengthTo14Characters",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a2d0e922-65d0-40c4-8f87-ea6da2d307a2",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-171_R2_3.5.7"
        ]
      },
      {
        "policyDefinitionReferenceId": "vmssEndpointProtectionMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.14.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "logAnalyticsOSImageAudit",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50",
        "parameters": {
          "listOfImageIdToInclude_windows": {
            "value": "[parameters('windowsImagesToAddToLogAgentAuditScope')]"
          },
          "listOfImageIdToInclude_linux": {
            "value": "[parameters('linuxImagesToAddToLogAgentAuditScope')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-171_R2_3.3.1",
          "NIST_SP_800-171_R2_3.3.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "previewAuditLinuxVmAccountsWithNoPasswords",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f6ec09a3-78bf-4f8f-99dc-6c77182d0f99",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-171_R2_3.5.2",
          "NIST_SP_800-171_R2_3.5.7"
        ]
      },
      {
        "policyDefinitionReferenceId": "disableUnrestrictedNetworkToStorageAccountMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.1.1",
          "NIST_SP_800-171_R2_3.1.12",
          "NIST_SP_800-171_R2_3.13.1",
          "NIST_SP_800-171_R2_3.13.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "vmssOsVulnerabilitiesMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.11.2",
          "NIST_SP_800-171_R2_3.14.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "secureTransferToStorageAccountMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.13.1",
          "NIST_SP_800-171_R2_3.13.8"
        ]
      },
      {
        "policyDefinitionReferenceId": "adaptiveApplicationControlsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.4.7",
          "NIST_SP_800-171_R2_3.4.8",
          "NIST_SP_800-171_R2_3.4.9"
        ]
      },
      {
        "policyDefinitionReferenceId": "496223c3ad654ecd878abae78737e9ed",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed",
        "parameters": {
          "javaLatestVersion": {
            "value": "[parameters('javaLatestVersionForAppServices')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-171_R2_3.14.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "identityDesignateLessThanOwnersMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.1.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "securityContactEmailAddressForSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.14.6"
        ]
      },
      {
        "policyDefinitionReferenceId": "webAppRestrictCORSAccessMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.1.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "logAnalyticsOSImageVMSSAudit",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138",
        "parameters": {
          "listOfImageIdToInclude_windows": {
            "value": "[parameters('windowsImagesToAddToLogAgentAuditScope')]"
          },
          "listOfImageIdToInclude_linux": {
            "value": "[parameters('linuxImagesToAddToLogAgentAuditScope')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-171_R2_3.3.1",
          "NIST_SP_800-171_R2_3.3.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "identityRemoveExternalAccountWithWritePermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.1.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "identityRemoveExternalAccountWithReadPermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.1.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "identityRemoveDeprecatedAccountMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.1.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "functionAppEnforceHttpsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.13.1",
          "NIST_SP_800-171_R2_3.13.8"
        ]
      },
      {
        "policyDefinitionReferenceId": "7008174afd104ef0817efc820a951d73",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73",
        "parameters": {
          "linuxPythonLatestVersion": {
            "value": "[parameters('linuxPythonLatestVersionForAppServices')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-171_R2_3.14.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "7238174afd104ef0817efc820a951d73",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73",
        "parameters": {
          "linuxPythonLatestVersion": {
            "value": "[parameters('linuxPythonLatestVersionForAppServices')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-171_R2_3.14.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "7261b8988a844db89e0418527132abb3",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3",
        "parameters": {
          "phpLatestVersion": {
            "value": "[parameters('pHPLatestVersionForAppServices')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-171_R2_3.14.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "previewAuditWindowsVmShouldNotAllowPrevious24Passwords",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b054a0d-39e2-4d53-bea3-9734cad2c69b",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-171_R2_3.5.8"
        ]
      },
      {
        "policyDefinitionReferenceId": "74c3584dafae46f7a20a6f8adba71a16",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20a-6f8adba71a16",
        "parameters": {
          "linuxPythonLatestVersion": {
            "value": "[parameters('linuxPythonLatestVersionForAppServices')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-171_R2_3.14.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "vulnerabilityAssessmentMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.11.2",
          "NIST_SP_800-171_R2_3.14.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "previewAuditWindowsVmEnforcesPasswordComplexityRequirements",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bf16e0bb-31e1-4646-8202-60a235cc7e74",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-171_R2_3.5.7"
        ]
      },
      {
        "policyDefinitionReferenceId": "7f89b1eb583c429a8828af049802c1d9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9",
        "parameters": {
          "listOfResourceTypes": {
            "value": "[parameters('listOfResourceTypesForDiagnosticLogs')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-171_R2_3.3.1",
          "NIST_SP_800-171_R2_3.3.2",
          "NIST_SP_800-171_R2_3.3.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "systemUpdatesMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.14.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "88999f4c376a45c8bcb34058f713cf39",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/88999f4c-376a-45c8-bcb3-4058f713cf39",
        "parameters": {
          "javaLatestVersion": {
            "value": "[parameters('javaLatestVersionForAppServices')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-171_R2_3.14.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "ensureHTTPVersionLatestForWebApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8c122334-9d20-4eb8-89ea-ac9a705b74ae",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.14.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "apiAppRequireLatestTlsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.13.1",
          "NIST_SP_800-171_R2_3.14.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditWindowsVMsThatDoNotStorePasswordsUsingReversibleEncryption",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/da0f98fe-a24b-4ad5-af69-bd0400233661",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-171_R2_3.5.10"
        ]
      },
      {
        "policyDefinitionReferenceId": "identityEnableMFAForWritePermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.5.1",
          "NIST_SP_800-171_R2_3.5.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "AdministratorsGroupInsideWindowsVMsIncludesTheSpecifiedMembers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "membersToInclude": {
            "value": "[parameters('membersToIncludeInLocalAdministratorsGroup')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-171_R2_3.1.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ensureHTTPVersionLatestForAPIApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/991310cd-e9f3-47bc-b7b6-f57b557d07db",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.14.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "anitmalwareRequiredForWindowsServers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9b597639-28e4-48eb-b506-56b05d366257",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.14.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "9d0b6ea493e24578bf2f6bb17d22b4bc",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc",
        "parameters": {
          "javaLatestVersion": {
            "value": "[parameters('javaLatestVersionForAppServices')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-171_R2_3.14.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "nextGenerationFirewallMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.13.1",
          "NIST_SP_800-171_R2_3.13.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "webAppEnforceHttpsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.13.1",
          "NIST_SP_800-171_R2_3.13.8"
        ]
      },
      {
        "policyDefinitionReferenceId": "sqlServerAuditingMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.3.1",
          "NIST_SP_800-171_R2_3.3.2",
          "NIST_SP_800-171_R2_3.3.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "theLogAnalyticsAgentShouldBeInstalledOnVirtualMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a70ca396-0a34-413a-88e1-b956c1e683be",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.3.1",
          "NIST_SP_800-171_R2_3.3.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "identityEnableMFAForOwnerPermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.5.1",
          "NIST_SP_800-171_R2_3.5.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "advancedDataSecurityShouldBeEnabledOnYourSQLServers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.3.1",
          "NIST_SP_800-171_R2_3.3.2",
          "NIST_SP_800-171_R2_3.3.4",
          "NIST_SP_800-171_R2_3.11.2",
          "NIST_SP_800-171_R2_3.13.16",
          "NIST_SP_800-171_R2_3.14.6"
        ]
      },
      {
        "policyDefinitionReferenceId": "advancedDataSecurityShouldBeEnabledOnYourSQLManagedInstances",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.3.1",
          "NIST_SP_800-171_R2_3.3.2",
          "NIST_SP_800-171_R2_3.3.4",
          "NIST_SP_800-171_R2_3.11.2",
          "NIST_SP_800-171_R2_3.13.16",
          "NIST_SP_800-171_R2_3.14.6"
        ]
      },
      {
        "policyDefinitionReferenceId": "endpointProtectionMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.14.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "auditWindowsTLS",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "minimumTLSVersion": {
            "value": "[parameters('minimumTLSVersionForWindowsServers')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-171_R2_3.13.1",
          "NIST_SP_800-171_R2_3.13.8"
        ]
      },
      {
        "policyDefinitionReferenceId": "networkWatcherShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6",
        "parameters": {
          "resourceGroupName": {
            "value": "[parameters('NetworkWatcherResourceGroupName')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-171_R2_3.14.6"
        ]
      },
      {
        "policyDefinitionReferenceId": "apiAppEnforceHttpsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.13.1",
          "NIST_SP_800-171_R2_3.13.8"
        ]
      },
      {
        "policyDefinitionReferenceId": "vmssSystemUpdatesMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.14.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "webAppDisableRemoteDebuggingMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.1.1",
          "NIST_SP_800-171_R2_3.1.12"
        ]
      },
      {
        "policyDefinitionReferenceId": "systemConfigurationsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.11.2",
          "NIST_SP_800-171_R2_3.14.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "ensureHTTPVersionLatestForFunctionApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e2c1c086-2d84-4019-bff3-c44ccd95113c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.14.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "identityEnableMFAForReadPermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.5.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "containerBenchmarkMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.11.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "apiAppDisableRemoteDebuggingMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.1.1",
          "NIST_SP_800-171_R2_3.1.12"
        ]
      },
      {
        "policyDefinitionReferenceId": "identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.1.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "previewAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ea53dbee-c6c9-4f0e-9f9e-de0039b78023",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-171_R2_3.1.1",
          "NIST_SP_800-171_R2_3.1.12"
        ]
      },
      {
        "policyDefinitionReferenceId": "theLogAnalyticsAgentShouldBeInstalledOnVirtualMachineScaleSets",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/efbde977-ba53-4479-b8e9-10b957924fbf",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.3.1",
          "NIST_SP_800-171_R2_3.3.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "webAppRequireLatestTlsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.13.1",
          "NIST_SP_800-171_R2_3.14.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "previewAuditLinuxVmPasswdFilePermissions",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e6955644-301c-44b5-a4c4-528577de6861",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-171_R2_3.5.10"
        ]
      },
      {
        "policyDefinitionReferenceId": "previewAuditLogAnalyticsWorkspaceForVmReportMismatch",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f47b5582-33ec-4c5c-87c0-b010a6b2e917",
        "parameters": {
          "logAnalyticsWorkspaceId": {
            "value": "[parameters('logAnalyticsWorkspaceIDForVMAgents')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-171_R2_3.3.1",
          "NIST_SP_800-171_R2_3.3.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "networkSecurityGroupsOnVirtualMachinesMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.13.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "identityRemoveExternalAccountWithOwnerPermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.1.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "functionAppRequireLatestTlsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.13.1",
          "NIST_SP_800-171_R2_3.14.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "kubernetesServiceVersionUpToDateMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.14.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "sqlDbVulnerabilityAssesmentMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-171_R2_3.11.2",
          "NIST_SP_800-171_R2_3.14.1"
        ]
      }
    ],
    "policyDefinitionGroups": [
      {
        "name": "NIST_SP_800-171_R2_3.1.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.1.1"
      },
      {
        "name": "NIST_SP_800-171_R2_3.1.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.1.2"
      },
      {
        "name": "NIST_SP_800-171_R2_3.1.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.1.3"
      },
      {
        "name": "NIST_SP_800-171_R2_3.1.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.1.4"
      },
      {
        "name": "NIST_SP_800-171_R2_3.1.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.1.5"
      },
      {
        "name": "NIST_SP_800-171_R2_3.1.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.1.6"
      },
      {
        "name": "NIST_SP_800-171_R2_3.1.7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.1.7"
      },
      {
        "name": "NIST_SP_800-171_R2_3.1.8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.1.8"
      },
      {
        "name": "NIST_SP_800-171_R2_3.1.9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.1.9"
      },
      {
        "name": "NIST_SP_800-171_R2_3.1.10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.1.10"
      },
      {
        "name": "NIST_SP_800-171_R2_3.1.11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.1.11"
      },
      {
        "name": "NIST_SP_800-171_R2_3.1.12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.1.12"
      },
      {
        "name": "NIST_SP_800-171_R2_3.1.13",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.1.13"
      },
      {
        "name": "NIST_SP_800-171_R2_3.1.14",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.1.14"
      },
      {
        "name": "NIST_SP_800-171_R2_3.1.15",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.1.15"
      },
      {
        "name": "NIST_SP_800-171_R2_3.1.16",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.1.16"
      },
      {
        "name": "NIST_SP_800-171_R2_3.1.17",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.1.17"
      },
      {
        "name": "NIST_SP_800-171_R2_3.1.18",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.1.18"
      },
      {
        "name": "NIST_SP_800-171_R2_3.1.19",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.1.19"
      },
      {
        "name": "NIST_SP_800-171_R2_3.1.20",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.1.20"
      },
      {
        "name": "NIST_SP_800-171_R2_3.1.21",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.1.21"
      },
      {
        "name": "NIST_SP_800-171_R2_3.1.22",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.1.22"
      },
      {
        "name": "NIST_SP_800-171_R2_3.2.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.2.1"
      },
      {
        "name": "NIST_SP_800-171_R2_3.2.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.2.2"
      },
      {
        "name": "NIST_SP_800-171_R2_3.2.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.2.3"
      },
      {
        "name": "NIST_SP_800-171_R2_3.3.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.3.1"
      },
      {
        "name": "NIST_SP_800-171_R2_3.3.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.3.2"
      },
      {
        "name": "NIST_SP_800-171_R2_3.3.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.3.3"
      },
      {
        "name": "NIST_SP_800-171_R2_3.3.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.3.4"
      },
      {
        "name": "NIST_SP_800-171_R2_3.3.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.3.5"
      },
      {
        "name": "NIST_SP_800-171_R2_3.3.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.3.6"
      },
      {
        "name": "NIST_SP_800-171_R2_3.3.7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.3.7"
      },
      {
        "name": "NIST_SP_800-171_R2_3.3.8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.3.8"
      },
      {
        "name": "NIST_SP_800-171_R2_3.3.9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.3.9"
      },
      {
        "name": "NIST_SP_800-171_R2_3.4.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.4.1"
      },
      {
        "name": "NIST_SP_800-171_R2_3.4.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.4.2"
      },
      {
        "name": "NIST_SP_800-171_R2_3.4.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.4.3"
      },
      {
        "name": "NIST_SP_800-171_R2_3.4.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.4.4"
      },
      {
        "name": "NIST_SP_800-171_R2_3.4.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.4.5"
      },
      {
        "name": "NIST_SP_800-171_R2_3.4.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.4.6"
      },
      {
        "name": "NIST_SP_800-171_R2_3.4.7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.4.7"
      },
      {
        "name": "NIST_SP_800-171_R2_3.4.8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.4.8"
      },
      {
        "name": "NIST_SP_800-171_R2_3.4.9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.4.9"
      },
      {
        "name": "NIST_SP_800-171_R2_3.5.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.5.1"
      },
      {
        "name": "NIST_SP_800-171_R2_3.5.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.5.2"
      },
      {
        "name": "NIST_SP_800-171_R2_3.5.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.5.3"
      },
      {
        "name": "NIST_SP_800-171_R2_3.5.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.5.4"
      },
      {
        "name": "NIST_SP_800-171_R2_3.5.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.5.5"
      },
      {
        "name": "NIST_SP_800-171_R2_3.5.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.5.6"
      },
      {
        "name": "NIST_SP_800-171_R2_3.5.7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.5.7"
      },
      {
        "name": "NIST_SP_800-171_R2_3.5.8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.5.8"
      },
      {
        "name": "NIST_SP_800-171_R2_3.5.9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.5.9"
      },
      {
        "name": "NIST_SP_800-171_R2_3.5.10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.5.10"
      },
      {
        "name": "NIST_SP_800-171_R2_3.5.11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.5.11"
      },
      {
        "name": "NIST_SP_800-171_R2_3.6.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.6.1"
      },
      {
        "name": "NIST_SP_800-171_R2_3.6.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.6.2"
      },
      {
        "name": "NIST_SP_800-171_R2_3.6.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.6.3"
      },
      {
        "name": "NIST_SP_800-171_R2_3.7.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.7.1"
      },
      {
        "name": "NIST_SP_800-171_R2_3.7.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.7.2"
      },
      {
        "name": "NIST_SP_800-171_R2_3.7.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.7.3"
      },
      {
        "name": "NIST_SP_800-171_R2_3.7.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.7.4"
      },
      {
        "name": "NIST_SP_800-171_R2_3.7.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.7.5"
      },
      {
        "name": "NIST_SP_800-171_R2_3.7.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.7.6"
      },
      {
        "name": "NIST_SP_800-171_R2_3.8.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.8.1"
      },
      {
        "name": "NIST_SP_800-171_R2_3.8.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.8.2"
      },
      {
        "name": "NIST_SP_800-171_R2_3.8.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.8.3"
      },
      {
        "name": "NIST_SP_800-171_R2_3.8.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.8.4"
      },
      {
        "name": "NIST_SP_800-171_R2_3.8.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.8.5"
      },
      {
        "name": "NIST_SP_800-171_R2_3.8.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.8.6"
      },
      {
        "name": "NIST_SP_800-171_R2_3.8.7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.8.7"
      },
      {
        "name": "NIST_SP_800-171_R2_3.8.8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.8.8"
      },
      {
        "name": "NIST_SP_800-171_R2_3.8.9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.8.9"
      },
      {
        "name": "NIST_SP_800-171_R2_3.9.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.9.1"
      },
      {
        "name": "NIST_SP_800-171_R2_3.9.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.9.2"
      },
      {
        "name": "NIST_SP_800-171_R2_3.10.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.10.1"
      },
      {
        "name": "NIST_SP_800-171_R2_3.10.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.10.2"
      },
      {
        "name": "NIST_SP_800-171_R2_3.10.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.10.3"
      },
      {
        "name": "NIST_SP_800-171_R2_3.10.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.10.4"
      },
      {
        "name": "NIST_SP_800-171_R2_3.10.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.10.5"
      },
      {
        "name": "NIST_SP_800-171_R2_3.10.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.10.6"
      },
      {
        "name": "NIST_SP_800-171_R2_3.11.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.11.1"
      },
      {
        "name": "NIST_SP_800-171_R2_3.11.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.11.2"
      },
      {
        "name": "NIST_SP_800-171_R2_3.11.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.11.3"
      },
      {
        "name": "NIST_SP_800-171_R2_3.12.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.12.1"
      },
      {
        "name": "NIST_SP_800-171_R2_3.12.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.12.2"
      },
      {
        "name": "NIST_SP_800-171_R2_3.12.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.12.3"
      },
      {
        "name": "NIST_SP_800-171_R2_3.12.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.12.4"
      },
      {
        "name": "NIST_SP_800-171_R2_3.13.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.13.1"
      },
      {
        "name": "NIST_SP_800-171_R2_3.13.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.13.2"
      },
      {
        "name": "NIST_SP_800-171_R2_3.13.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.13.3"
      },
      {
        "name": "NIST_SP_800-171_R2_3.13.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.13.4"
      },
      {
        "name": "NIST_SP_800-171_R2_3.13.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.13.5"
      },
      {
        "name": "NIST_SP_800-171_R2_3.13.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.13.6"
      },
      {
        "name": "NIST_SP_800-171_R2_3.13.7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.13.7"
      },
      {
        "name": "NIST_SP_800-171_R2_3.13.8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.13.8"
      },
      {
        "name": "NIST_SP_800-171_R2_3.13.9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.13.9"
      },
      {
        "name": "NIST_SP_800-171_R2_3.13.10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.13.10"
      },
      {
        "name": "NIST_SP_800-171_R2_3.13.11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.13.11"
      },
      {
        "name": "NIST_SP_800-171_R2_3.13.12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.13.12"
      },
      {
        "name": "NIST_SP_800-171_R2_3.13.13",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.13.13"
      },
      {
        "name": "NIST_SP_800-171_R2_3.13.14",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.13.14"
      },
      {
        "name": "NIST_SP_800-171_R2_3.13.15",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.13.15"
      },
      {
        "name": "NIST_SP_800-171_R2_3.13.16",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.13.16"
      },
      {
        "name": "NIST_SP_800-171_R2_3.14.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.14.1"
      },
      {
        "name": "NIST_SP_800-171_R2_3.14.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.14.2"
      },
      {
        "name": "NIST_SP_800-171_R2_3.14.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.14.3"
      },
      {
        "name": "NIST_SP_800-171_R2_3.14.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.14.4"
      },
      {
        "name": "NIST_SP_800-171_R2_3.14.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.14.5"
      },
      {
        "name": "NIST_SP_800-171_R2_3.14.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.14.6"
      },
      {
        "name": "NIST_SP_800-171_R2_3.14.7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-171_R2_3.14.7"
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/03055927-78bd-4236-86c0-f36125a10dc9",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "03055927-78bd-4236-86c0-f36125a10dc9"
}
BuiltIn Regulatory Compliance False True n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "[Preview]: NIST SP 800-53 Rev. 5",
    "policyType": "BuiltIn",
    "description": "This initiative includes policies that address a subset of NIST SP 800-53 Rev. 5 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/nist800-53r5-initiative.",
    "metadata": {
      "version": "1.0.0-preview",
      "category": "Regulatory Compliance",
      "preview": true
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc-connected servers when evaluating guest configuration policies",
          "description": "By selecting 'true,' you agree to be charged monthly per Arc connected machine; for more information, visit https://aka.ms/policy-pricing"
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40": {
        "type": "String",
        "metadata": {
          "displayName": "Status if Windows Defender is not available on machine",
          "description": "Windows Defender Exploit Guard is only available starting with Windows 10/Windows Server with update 1709. Setting this value to 'Non-Compliant' shows machines with older versions on which Windows Defender Exploit Guard is not available (such as Windows Server 2012 R2) as non-compliant. Setting this value to 'Compliant' shows these machines as compliant."
        },
        "allowedValues": [
          "Compliant",
          "Non-Compliant"
        ],
        "defaultValue": "Compliant"
      },
      "MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112": {
        "type": "String",
        "metadata": {
          "displayName": "Minimum TLS version for Windows web servers",
          "description": "Windows web servers with lower TLS versions will be assessed as non-compliant"
        },
        "allowedValues": [
          "1.1",
          "1.2"
        ],
        "defaultValue": "1.2"
      },
      "requiredRetentionDays": {
        "type": "String",
        "metadata": {
          "displayName": "Required retention period (days) for resource logs"
        },
        "defaultValue": "365"
      },
      "effect-febd0533-8e55-448f-b837-bd0e06f16469": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster containers should only use allowed images",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedNamespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Kubernetes namespaces excluded from evaluation of Kubernetes cluster policies in this initiative",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation"
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "namespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Kubernetes namespaces included for evaluation of Kubernetes cluster policies in this initiative",
          "description": "List of Kubernetes namespaces to (only) include for policy evaluation; an empty list will result in policies evaluated on all resources in all namespaces"
        },
        "defaultValue": []
      },
      "labelSelector": {
        "type": "Object",
        "metadata": {
          "displayName": "Kubernetes label selector for resources included for evaluation of Kubernetes cluster policies in this initiative",
          "description": "Label query to select Kubernetes resources to include for policy evaluation; an empty label selector will result in policies evaluated on all Kubernetes resources"
        },
        "defaultValue": {}
      },
      "allowedContainerImagesRegex-febd0533-8e55-448f-b837-bd0e06f16469": {
        "type": "String",
        "metadata": {
          "displayName": "Allowed container images for Kubernetes clusters",
          "description": "Regular expression used to match allowed container images in a Kubernetes cluster; Ex: allow any Azure Container Registry image by matching partial path: ^.+azurecr.io/.+$"
        },
        "defaultValue": "^(.+){0}$"
      },
      "effect-95edb821-ddaf-4404-9732-666045e056b4": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster should not allow privileged containers",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedContainers-95edb821-ddaf-4404-9732-666045e056b4": {
        "type": "Array",
        "metadata": {
          "displayName": "Kubernetes containers excluded from evaluation of policy: Kubernetes cluster should not allow privileged containers",
          "description": "The list of InitContainers and Containers to exclude from policy evaluation. The list should use the container name. Use an empty list to apply this policy to all containers in all namespaces."
        },
        "defaultValue": []
      },
      "effect-440b515e-a580-421e-abeb-b159a61ddcbc": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster containers should only listen on allowed ports",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "allowedContainerPortsList-440b515e-a580-421e-abeb-b159a61ddcbc": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed listener ports for Kubernetes cluster containers",
          "description": "List of container ports on which Kubernetes cluster containers are allowed to listen"
        },
        "defaultValue": []
      },
      "effect-233a2a17-77ca-4fb1-9b6b-69223d272a44": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster services should listen only on allowed ports",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "allowedServicePortsList-233a2a17-77ca-4fb1-9b6b-69223d272a44": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed listener ports for Kubernetes cluster services",
          "description": "The list of ports on which Kubernetes cluster services are allowed to listen"
        },
        "defaultValue": []
      },
      "effect-e345eecc-fa47-480f-9e88-67dcc122b164": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "cpuLimit-e345eecc-fa47-480f-9e88-67dcc122b164": {
        "type": "String",
        "metadata": {
          "displayName": "Maximum allowed CPU units for containers in Kubernetes clusters",
          "description": "Ex: 200m; for more information, visit https://aka.ms/k8s-policy-pod-limits"
        },
        "defaultValue": "0"
      },
      "memoryLimit-e345eecc-fa47-480f-9e88-67dcc122b164": {
        "type": "String",
        "metadata": {
          "displayName": "Maximum allowed memory (bytes) for a container in Kubernetes clusters",
          "description": "Ex: 1Gi; for more information, visit https://aka.ms/k8s-policy-pod-limits"
        },
        "defaultValue": "0"
      },
      "effect-f06ddb64-5fa3-4b77-b166-acb36f7f6042": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster pods and containers should only run with approved user and group IDs",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "runAsUserRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042": {
        "type": "String",
        "metadata": {
          "displayName": "Run as user rule for Kubernetes containers",
          "description": "The 'RunAsUser' rule that containers are allowed to run with; for more information, visit https://aka.ms/kubepolicydoc"
        },
        "allowedValues": [
          "MustRunAs",
          "MustRunAsNonRoot",
          "RunAsAny"
        ],
        "defaultValue": "MustRunAsNonRoot"
      },
      "runAsUserRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042": {
        "type": "Object",
        "metadata": {
          "displayName": "Allowed user ID ranges for Kubernetes containers",
          "description": "User ID ranges that are allowed for containers to use; for more information, visit https://aka.ms/kubepolicydoc"
        },
        "defaultValue": {
          "ranges": []
        }
      },
      "runAsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042": {
        "type": "String",
        "metadata": {
          "displayName": "Run as group rule for Kubernetes containers",
          "description": "The 'RunAsGroup' rule that containers are allowed to run with; for more information, visit https://aka.ms/kubepolicydoc"
        },
        "allowedValues": [
          "MustRunAs",
          "MayRunAs",
          "RunAsAny"
        ],
        "defaultValue": "RunAsAny"
      },
      "runAsGroupRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042": {
        "type": "Object",
        "metadata": {
          "displayName": "Allowed group ID ranges for Kubernetes containers",
          "description": "Group ID ranges that are allowed for containers to use; for more information, visit https://aka.ms/kubepolicydoc"
        },
        "defaultValue": {
          "ranges": []
        }
      },
      "supplementalGroupsRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042": {
        "type": "String",
        "metadata": {
          "displayName": "Supplemental group rule for Kubernetes containers",
          "description": "The 'SupplementalGroups' rule that containers are allowed to run with; for more information, visit https://aka.ms/kubepolicydoc"
        },
        "allowedValues": [
          "MustRunAs",
          "MayRunAs",
          "RunAsAny"
        ],
        "defaultValue": "RunAsAny"
      },
      "supplementalGroupsRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042": {
        "type": "Object",
        "metadata": {
          "displayName": "Allowed supplemental group ID ranges for Kubernetes containers",
          "description": "Supplemental group ID ranges that are allowed for containers to use; for more information, visit https://aka.ms/kubepolicydoc"
        },
        "defaultValue": {
          "ranges": []
        }
      },
      "fsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042": {
        "type": "String",
        "metadata": {
          "displayName": "File system group rule for Kubernetes containers",
          "description": "The 'FSGroup' rule that containers are allowed to run with; for more information, visit https://aka.ms/kubepolicydoc"
        },
        "allowedValues": [
          "MustRunAs",
          "MayRunAs",
          "RunAsAny"
        ],
        "defaultValue": "RunAsAny"
      },
      "fsGroupRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042": {
        "type": "Object",
        "metadata": {
          "displayName": "Allowed file system group ID ranges for Kubernetes cluster pods",
          "description": "File system group ranges that are allowed for pods to use; for more information, visit https://aka.ms/kubepolicydoc"
        },
        "defaultValue": {
          "ranges": []
        }
      },
      "effect-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes clusters should not allow container privilege escalation",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster containers should not share host process ID or host IPC namespace",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-df49d893-a74c-421d-bc95-c663042e5b80": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster containers should run with a read only root file system",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes clusters should be accessible only over HTTPS",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-c26596ff-4d70-4e6a-9a30-c2506bd2f80c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster containers should only use allowed capabilities",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "allowedCapabilities-c26596ff-4d70-4e6a-9a30-c2506bd2f80c": {
        "type": "Array",
        "metadata": {
          "displayName": "List of capabilities that are allowed to be added to a Kubernetes cluster container",
          "description": "Use an empty list as input to block everything"
        },
        "defaultValue": []
      },
      "requiredDropCapabilities-c26596ff-4d70-4e6a-9a30-c2506bd2f80c": {
        "type": "Array",
        "metadata": {
          "displayName": "The list of capabilities that must be dropped by a Kubernetes cluster container",
          "description": "For more information, visit https://aka.ms/kubepolicydoc"
        },
        "defaultValue": []
      },
      "effect-511f5417-5d12-434d-ab2e-816901e72a5e": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster containers should only use allowed AppArmor profiles",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "allowedProfiles-511f5417-5d12-434d-ab2e-816901e72a5e": {
        "type": "Array",
        "metadata": {
          "displayName": "The list of AppArmor profiles that containers are allowed to use",
          "description": "Ex: 'runtime/default;docker/default'; use an empty list as input to block everything; for more information, visit https://aka.ms/kubepolicydoc"
        },
        "defaultValue": []
      },
      "effect-82985f06-dc18-4a48-bc1c-b9f4f0098cfe": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster pods should only use approved host network and port range",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "allowHostNetwork-82985f06-dc18-4a48-bc1c-b9f4f0098cfe": {
        "type": "Boolean",
        "metadata": {
          "displayName": "Allow host network usage for Kubernetes cluster pods",
          "description": "Set this value to true if pod is allowed to use host network, otherwise set to false; for more information, visit https://aka.ms/kubepolicydoc"
        },
        "defaultValue": false
      },
      "minPort-82985f06-dc18-4a48-bc1c-b9f4f0098cfe": {
        "type": "Integer",
        "metadata": {
          "displayName": "Minimum value in the allowable host port range that Kubernetes cluster pods can use in the host network namespace",
          "description": "For more information, visit https://aka.ms/kubepolicydoc"
        },
        "defaultValue": 0
      },
      "maxPort-82985f06-dc18-4a48-bc1c-b9f4f0098cfe": {
        "type": "Integer",
        "metadata": {
          "displayName": "Maximum value in the allowable host port range that Kubernetes cluster pods can use in the host network namespace",
          "description": "For more information, visit https://aka.ms/kubepolicydoc"
        },
        "defaultValue": 0
      },
      "effect-098fc59e-46c7-4d99-9b16-64990e543d75": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster pod hostPath volumes should only use allowed host paths",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "allowedHostPaths-098fc59e-46c7-4d99-9b16-64990e543d75": {
        "type": "Object",
        "metadata": {
          "displayName": "Allowed host paths for pod hostPath volumes to use",
          "description": "Use an empty paths list to block all host paths; for more information, visit https://aka.ms/kubepolicydoc"
        },
        "defaultValue": {
          "paths": []
        }
      },
      "resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6": {
        "type": "String",
        "metadata": {
          "displayName": "Name of the resource group for Network Watcher",
          "description": "Name of the resource group where Network Watchers are located, Ex: NetworkWatcherRG"
        },
        "defaultValue": "NetworkWatcherRG"
      },
      "includeAKSClusters-7c1b1214-f927-48bf-8882-84f0af6588b1": {
        "type": "Boolean",
        "metadata": {
          "displayName": "Include AKS clusters when auditing if virtual machine scale set diagnostic logs are enabled",
          "description": "For more information, visit https://aka.ms/kubepolicydoc"
        },
        "defaultValue": false
      },
      "setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9": {
        "type": "String",
        "metadata": {
          "displayName": "Required auditing setting for SQL servers"
        },
        "allowedValues": [
          "enabled",
          "disabled"
        ],
        "defaultValue": "enabled"
      },
      "evaluatedSkuNames-ef619a2c-cc4d-4d03-b2ba-8c94a834d85b": {
        "type": "Array",
        "metadata": {
          "displayName": "API Management SKUs that should use a virtual network",
          "description": "List of API Management SKUs against which this policy will be evaluated"
        },
        "allowedValues": [
          "Developer",
          "Basic",
          "Standard",
          "Premium",
          "Consumption"
        ],
        "defaultValue": [
          "Developer",
          "Premium"
        ]
      },
      "effect-b54ed75b-3e1a-44ac-a333-05ba39b99ff0": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Service Fabric clusters should only use Azure Active Directory for client authentication",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-71ef260a-8f18-47b7-abcb-62d0673d94dc": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Cognitive Services accounts should have local authentication methods disabled",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Web Application Firewall (WAF) should be enabled for Azure Front Door Service service",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Web Application Firewall (WAF) should be enabled for Application Gateway",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Cosmos DB accounts should have firewall rules",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-d9da03a1-f3c3-412a-9709-947156872263": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure HDInsight clusters should use encryption in transit to encrypt communication between Azure HDInsight cluster nodes",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-617c02be-7f02-4efd-8836-3180d47b6c68": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Key vaults should have purge protection enabled",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Key vaults should have soft delete enabled",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "maximumValidityInMonths-0a075868-4c26-42ef-914c-5bc007359560": {
        "type": "Integer",
        "metadata": {
          "displayName": "Maximum validity (months) for Key Vault certificates",
          "description": "The limit for how long a Key Vault certificate may be valid; Azure best practices recommend against certificates with lengthy validity periods"
        },
        "defaultValue": 12
      },
      "effect-0a075868-4c26-42ef-914c-5bc007359560": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Certificates should have the specified maximum validity period",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-98728c90-32c7-4049-8429-847dc0f4fe37": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Key Vault secrets should have an expiration date",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Key Vault keys should have an expiration date",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Double encryption should be enabled on Azure Data Explorer",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-c349d81b-9985-44ae-a8da-ff98d108ede8": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Data Box jobs should enable double encryption for data at rest on the device",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "supportedSKUs-c349d81b-9985-44ae-a8da-ff98d108ede8": {
        "type": "Array",
        "metadata": {
          "displayName": "Azure Data Box SKUs that support software-based double encryption",
          "description": "The list of Azure Data Box SKUs that support software-based double encryption"
        },
        "allowedValues": [
          "DataBox",
          "DataBoxHeavy"
        ],
        "defaultValue": [
          "DataBox",
          "DataBoxHeavy"
        ]
      },
      "effect-3657f5a0-770e-44a3-b44e-9431ba1e9735": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Automation account variables should be encrypted",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-b4ac1030-89c5-4697-8e00-28b5ba6a8811": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Stack Edge devices should use double-encryption",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-ea0dfaed-95fb-448c-934e-d6e713ce393d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption)",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-3a58212a-c829-4f13-9872-6371df2fd0b4": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Infrastructure encryption should be enabled for Azure Database for MySQL servers",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-24fba194-95d6-48c0-aea7-f65bf859c598": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage accounts should have infrastructure encryption",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-f4b53539-8df9-40e4-86c6-6b607703bd4e": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Disk encryption should be enabled on Azure Data Explorer",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-41425d9f-d1a5-499a-9932-f8ed8453932c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-fc4d8e41-e223-45ea-9bf5-eada37891d87": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Virtual machines and virtual machine scale sets should have encryption at host enabled",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-86efb160-8de7-451d-bc08-5d475b0aadae": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "supportedSKUs-86efb160-8de7-451d-bc08-5d475b0aadae": {
        "type": "Array",
        "metadata": {
          "displayName": "Azure Data Box SKUs that support customer-managed key encryption key",
          "description": "The list of Azure Data Box SKUs that support customer-managed key encryption key"
        },
        "allowedValues": [
          "DataBox",
          "DataBoxHeavy"
        ],
        "defaultValue": [
          "DataBox",
          "DataBoxHeavy"
        ]
      },
      "effect-4ec52d6d-beb7-40c4-9a9e-fe753254690e": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure data factories should be encrypted with a customer-managed key",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-64d314f6-6062-4780-a861-c23e8951bee5": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure HDInsight clusters should use customer-managed keys to encrypt data at rest",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure HDInsight clusters should use encryption at host to encrypt data at rest",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-fa298e57-9444-42ba-bf04-86e8470e32c7": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Cognitive Services accounts should enable data encryption with a customer-managed key",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-1f905d99-2ab7-462c-a6b0-f709acca6c8f": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Container registries should be encrypted with a customer-managed key",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-ba769a63-b8cc-4b2d-abf6-ac33c7204be8": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Machine Learning workspaces should be encrypted with a customer-managed key",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-81e74cea-30fd-40d5-802f-d72103c2aaaa": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Data Explorer encryption at rest should use a customer-managed key",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-0aa61e00-0a01-4a3c-9945-e93cffedf0e6": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Container Instance container group should use customer-managed key for encryption",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled",
          "Deny"
        ],
        "defaultValue": "Audit"
      },
      "effect-47031206-ce96-41f8-861b-6a915f3de284": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: IoT Hub device provisioning service data should be encrypted using customer-managed keys (CMK)",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Stream Analytics jobs should use customer-managed keys to encrypt data",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-51522a96-0869-4791-82f3-981000c2c67f": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Bot Service should be encrypted with a customer-managed key",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-b5ec538c-daa0-4006-8596-35468b9148e8": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage account encryption scopes should use customer-managed keys to encrypt data at rest",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-970f84d8-71b6-4091-9979-ace7e3fb6dbb": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: HPC Cache accounts should use customer-managed key for encryption",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled",
          "Deny"
        ],
        "defaultValue": "Audit"
      },
      "effect-56a5ee18-2ae6-4810-86f7-18e39ce5629b": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Automation accounts should use customer-managed keys to encrypt data at rest",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-2e94d99a-8a36-4563-bc77-810d8893b671": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Recovery Services vaults should use customer-managed keys for encrypting backup data",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "enableDoubleEncryption-2e94d99a-8a36-4563-bc77-810d8893b671": {
        "type": "Boolean",
        "metadata": {
          "displayName": "Require that double encryption is enabled on Recovery Services vaults for Backup",
          "description": "Check if double encryption is enabled on Recovery Services vaults for Backup; for more information, visit https://aka.ms/ab-infraencryption"
        },
        "allowedValues": [
          true,
          false
        ],
        "defaultValue": true
      },
      "effect-1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Logic Apps Integration Service Environment should be encrypted with customer-managed keys",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-99e9ccd8-3db9-4592-b0d1-14b1715a4d8a": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Batch account should use customer-managed keys to encrypt data",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-1f68a601-6e6d-4e42-babf-3f643a047ea2": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Monitor Logs clusters should be encrypted with customer-managed key",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-f7d52b2d-e161-4dfa-a82b-55e564167385": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Synapse workspaces should use customer-managed keys to encrypt data at rest",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-ca91455f-eace-4f96-be59-e6e2c35b4816": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Managed disks should be double encrypted with both platform-managed and customer-managed keys",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-702dd420-7fcc-42c5-afe8-4026edd20fe0": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: OS and data disks should be encrypted with a customer-managed key",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-22bee202-a82f-4305-9a2a-6d7f44d4dedb": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Only secure connections to your Azure Cache for Redis should be enabled",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-404c3081-a854-4457-ae30-26a93ef643f9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Secure transfer to storage accounts should be enabled",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-d0793b48-0edc-4296-a390-4c75d1bdfd71": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Container registries should not allow unrestricted network access",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-7d092e0a-7acd-40d2-a975-dca21cae48c4": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Cache for Redis should reside within a virtual network",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage accounts should restrict network access using virtual network rules",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-34c877ad-507e-4c82-993e-3452a6e0ad3c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage accounts should restrict network access",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-55615ac9-af46-4a59-874e-391cc3dfb490": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Key Vault should disable public network access",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-1b8ca024-1d5c-4dec-8995-b1a932b41780": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Public network access on Azure SQL Database should be disabled",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-037eea7a-bd0a-46c5-9a66-03aea78705d3": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Cognitive Services accounts should restrict network access",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-53503636-bcc9-4748-9663-5348217f160f": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure SignalR Service should use private link",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-40cec1dd-a100-4920-b15b-3024fe8901ab": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Machine Learning workspaces should use private link",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-2154edb9-244f-4741-9970-660785bccdaa": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: VM Image Builder templates should use private link",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled",
          "Deny"
        ],
        "defaultValue": "Audit"
      },
      "effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Cognitive Services accounts should disable public network access",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-5f0bc445-3935-4915-9981-011aa2b46147": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Private endpoint should be configured for Key Vault",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-af35e2a4-ef96-44e7-a9ae-853dd97032c4": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Spring Cloud should use network injection",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled",
          "Deny"
        ],
        "defaultValue": "Audit"
      },
      "evaluatedSkuNames-af35e2a4-ef96-44e7-a9ae-853dd97032c4": {
        "type": "Array",
        "metadata": {
          "displayName": "Azure Spring Cloud SKUs that should use network injection",
          "description": "List of Azure Spring Cloud SKUs against which this policy will be evaluated"
        },
        "allowedValues": [
          "Standard"
        ],
        "defaultValue": [
          "Standard"
        ]
      },
      "effect-a049bf77-880b-470f-ba6d-9f21c530cf83": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Cognitive Search service should use a SKU that supports private link",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-52630df9-ca7e-442b-853b-c6ce548b31a2": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Web PubSub Service should use private link",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-4fa4b6c0-31ca-4c0d-b10d-24b96f62a751": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage account public access should be disallowed",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-ee980b6d-0eca-4501-8d54-f6290fd512c3": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Cognitive Search services should disable public network access",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-1d84d5fb-01f6-4d12-ba4f-4a26081d403d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Virtual machines should be migrated to new Azure Resource Manager resources",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-37e0d2fe-28a5-43d6-a273-67d37d1f5606": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage accounts should be migrated to new Azure Resource Manager resources",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "72650e9f-97bc-4b2a-ab5f-9781a9fcecbc",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "fc9b3da7-8347-4380-8e70-0a0361d8dedd",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "bed48b13-6647-468e-aa2f-1af1d3f4dd40",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "NotAvailableMachineState": {
            "value": "[parameters('NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_SC-3",
          "NIST_SP_800-53_R5_SI-3",
          "NIST_SP_800-53_R5_SI-16"
        ]
      },
      {
        "policyDefinitionReferenceId": "e6955644-301c-44b5-a4c4-528577de6861",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e6955644-301c-44b5-a4c4-528577de6861",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_IA-5",
          "NIST_SP_800-53_R5_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "5b054a0d-39e2-4d53-bea3-9734cad2c69b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b054a0d-39e2-4d53-bea3-9734cad2c69b",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "da0f98fe-a24b-4ad5-af69-bd0400233661",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/da0f98fe-a24b-4ad5-af69-bd0400233661",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_IA-5",
          "NIST_SP_800-53_R5_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "4ceb8dc2-559c-478b-a15b-733fbf1e3738",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ceb8dc2-559c-478b-a15b-733fbf1e3738",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "5752e6d6-1206-46d8-8ab1-ecc2f71a8112",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "MinimumTLSVersion": {
            "value": "[parameters('MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_SC-8",
          "NIST_SP_800-53_R5_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "630c64f9-8b6b-4c64-b511-6544ceff6fd6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_AC-3",
          "NIST_SP_800-53_R5_IA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "237b38db-ca4d-4259-9e47-7882441ca2c0",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/237b38db-ca4d-4259-9e47-7882441ca2c0",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ea53dbee-c6c9-4f0e-9f9e-de0039b78023",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ea53dbee-c6c9-4f0e-9f9e-de0039b78023",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_AC-17",
          "NIST_SP_800-53_R5_AC-17(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "bf16e0bb-31e1-4646-8202-60a235cc7e74",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bf16e0bb-31e1-4646-8202-60a235cc7e74",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "a2d0e922-65d0-40c4-8f87-ea6da2d307a2",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a2d0e922-65d0-40c4-8f87-ea6da2d307a2",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "f6ec09a3-78bf-4f8f-99dc-6c77182d0f99",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f6ec09a3-78bf-4f8f-99dc-6c77182d0f99",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_AC-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "383856f8-de7f-44a2-81fc-e5135b5c2aa4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_AU-6(4)",
          "NIST_SP_800-53_R5_AU-6(5)",
          "NIST_SP_800-53_R5_AU-12",
          "NIST_SP_800-53_R5_AU-12(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "f9be5368-9bf5-4b84-9e0a-7850da98bb46",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_AU-6(4)",
          "NIST_SP_800-53_R5_AU-6(5)",
          "NIST_SP_800-53_R5_AU-12",
          "NIST_SP_800-53_R5_AU-12(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "f8d36e2f-389b-4ee4-898d-21aeb69a0f45",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_AU-6(4)",
          "NIST_SP_800-53_R5_AU-6(5)",
          "NIST_SP_800-53_R5_AU-12",
          "NIST_SP_800-53_R5_AU-12(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "b4330a05-a843-4bc8-bf9a-cacce50c67f4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_AU-6(4)",
          "NIST_SP_800-53_R5_AU-6(5)",
          "NIST_SP_800-53_R5_AU-12",
          "NIST_SP_800-53_R5_AU-12(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "34f95f76-5386-4de7-b824-0d8478470c9d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_AU-6(4)",
          "NIST_SP_800-53_R5_AU-6(5)",
          "NIST_SP_800-53_R5_AU-12",
          "NIST_SP_800-53_R5_AU-12(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "cf820ca0-f99e-4f3e-84fb-66e913812d21",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_AU-6(4)",
          "NIST_SP_800-53_R5_AU-6(5)",
          "NIST_SP_800-53_R5_AU-12",
          "NIST_SP_800-53_R5_AU-12(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "83a214f7-d01a-484b-91a9-ed54470c9a6a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_AU-6(4)",
          "NIST_SP_800-53_R5_AU-6(5)",
          "NIST_SP_800-53_R5_AU-12",
          "NIST_SP_800-53_R5_AU-12(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "057ef27e-665e-4328-8ea3-04b3122bd9fb",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_AU-6(4)",
          "NIST_SP_800-53_R5_AU-6(5)",
          "NIST_SP_800-53_R5_AU-12",
          "NIST_SP_800-53_R5_AU-12(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "c95c74d9-38fe-4f0d-af86-0c7d626a315c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_AU-6(4)",
          "NIST_SP_800-53_R5_AU-6(5)",
          "NIST_SP_800-53_R5_AU-12",
          "NIST_SP_800-53_R5_AU-12(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "428256e6-1fac-4f48-a757-df34c2b3336d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_AU-6(4)",
          "NIST_SP_800-53_R5_AU-6(5)",
          "NIST_SP_800-53_R5_AU-12",
          "NIST_SP_800-53_R5_AU-12(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "febd0533-8e55-448f-b837-bd0e06f16469",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/febd0533-8e55-448f-b837-bd0e06f16469",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-febd0533-8e55-448f-b837-bd0e06f16469')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          },
          "allowedContainerImagesRegex": {
            "value": "[parameters('allowedContainerImagesRegex-febd0533-8e55-448f-b837-bd0e06f16469')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "95edb821-ddaf-4404-9732-666045e056b4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-95edb821-ddaf-4404-9732-666045e056b4')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          },
          "excludedContainers": {
            "value": "[parameters('excludedContainers-95edb821-ddaf-4404-9732-666045e056b4')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "440b515e-a580-421e-abeb-b159a61ddcbc",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/440b515e-a580-421e-abeb-b159a61ddcbc",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-440b515e-a580-421e-abeb-b159a61ddcbc')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          },
          "allowedContainerPortsList": {
            "value": "[parameters('allowedContainerPortsList-440b515e-a580-421e-abeb-b159a61ddcbc')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "233a2a17-77ca-4fb1-9b6b-69223d272a44",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/233a2a17-77ca-4fb1-9b6b-69223d272a44",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-233a2a17-77ca-4fb1-9b6b-69223d272a44')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          },
          "allowedServicePortsList": {
            "value": "[parameters('allowedServicePortsList-233a2a17-77ca-4fb1-9b6b-69223d272a44')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "e345eecc-fa47-480f-9e88-67dcc122b164",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e345eecc-fa47-480f-9e88-67dcc122b164",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-e345eecc-fa47-480f-9e88-67dcc122b164')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          },
          "cpuLimit": {
            "value": "[parameters('cpuLimit-e345eecc-fa47-480f-9e88-67dcc122b164')]"
          },
          "memoryLimit": {
            "value": "[parameters('memoryLimit-e345eecc-fa47-480f-9e88-67dcc122b164')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "f06ddb64-5fa3-4b77-b166-acb36f7f6042",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f06ddb64-5fa3-4b77-b166-acb36f7f6042",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          },
          "runAsUserRule": {
            "value": "[parameters('runAsUserRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]"
          },
          "runAsUserRanges": {
            "value": "[parameters('runAsUserRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]"
          },
          "runAsGroupRule": {
            "value": "[parameters('runAsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]"
          },
          "runAsGroupRanges": {
            "value": "[parameters('runAsGroupRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]"
          },
          "supplementalGroupsRule": {
            "value": "[parameters('supplementalGroupsRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]"
          },
          "supplementalGroupsRanges": {
            "value": "[parameters('supplementalGroupsRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]"
          },
          "fsGroupRule": {
            "value": "[parameters('fsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]"
          },
          "fsGroupRanges": {
            "value": "[parameters('fsGroupRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "1c6e92c9-99f0-4e55-9cf2-0c234dc48f99",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "df49d893-a74c-421d-bc95-c663042e5b80",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/df49d893-a74c-421d-bc95-c663042e5b80",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-df49d893-a74c-421d-bc95-c663042e5b80')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_SC-8",
          "NIST_SP_800-53_R5_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "c26596ff-4d70-4e6a-9a30-c2506bd2f80c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-c26596ff-4d70-4e6a-9a30-c2506bd2f80c')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          },
          "allowedCapabilities": {
            "value": "[parameters('allowedCapabilities-c26596ff-4d70-4e6a-9a30-c2506bd2f80c')]"
          },
          "requiredDropCapabilities": {
            "value": "[parameters('requiredDropCapabilities-c26596ff-4d70-4e6a-9a30-c2506bd2f80c')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "511f5417-5d12-434d-ab2e-816901e72a5e",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/511f5417-5d12-434d-ab2e-816901e72a5e",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-511f5417-5d12-434d-ab2e-816901e72a5e')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          },
          "allowedProfiles": {
            "value": "[parameters('allowedProfiles-511f5417-5d12-434d-ab2e-816901e72a5e')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "82985f06-dc18-4a48-bc1c-b9f4f0098cfe",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82985f06-dc18-4a48-bc1c-b9f4f0098cfe",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-82985f06-dc18-4a48-bc1c-b9f4f0098cfe')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          },
          "allowHostNetwork": {
            "value": "[parameters('allowHostNetwork-82985f06-dc18-4a48-bc1c-b9f4f0098cfe')]"
          },
          "minPort": {
            "value": "[parameters('minPort-82985f06-dc18-4a48-bc1c-b9f4f0098cfe')]"
          },
          "maxPort": {
            "value": "[parameters('maxPort-82985f06-dc18-4a48-bc1c-b9f4f0098cfe')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "098fc59e-46c7-4d99-9b16-64990e543d75",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/098fc59e-46c7-4d99-9b16-64990e543d75",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-098fc59e-46c7-4d99-9b16-64990e543d75')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          },
          "allowedHostPaths": {
            "value": "[parameters('allowedHostPaths-098fc59e-46c7-4d99-9b16-64990e543d75')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "b6e2945c-0b7b-40f5-9233-7a5323b5cdc6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6",
        "parameters": {
          "resourceGroupName": {
            "value": "[parameters('resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_AU-6",
          "NIST_SP_800-53_R5_AU-6(4)",
          "NIST_SP_800-53_R5_AU-6(5)",
          "NIST_SP_800-53_R5_AU-12",
          "NIST_SP_800-53_R5_AU-12(1)",
          "NIST_SP_800-53_R5_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "7c1b1214-f927-48bf-8882-84f0af6588b1",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1",
        "parameters": {
          "includeAKSClusters": {
            "value": "[parameters('includeAKSClusters-7c1b1214-f927-48bf-8882-84f0af6588b1')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_AU-6(4)",
          "NIST_SP_800-53_R5_AU-6(5)",
          "NIST_SP_800-53_R5_AU-12",
          "NIST_SP_800-53_R5_AU-12(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9",
        "parameters": {
          "setting": {
            "value": "[parameters('setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_AU-6(4)",
          "NIST_SP_800-53_R5_AU-6(5)",
          "NIST_SP_800-53_R5_AU-12",
          "NIST_SP_800-53_R5_AU-12(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ef619a2c-cc4d-4d03-b2ba-8c94a834d85b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b",
        "parameters": {
          "evaluatedSkuNames": {
            "value": "[parameters('evaluatedSkuNames-ef619a2c-cc4d-4d03-b2ba-8c94a834d85b')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "b54ed75b-3e1a-44ac-a333-05ba39b99ff0",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-b54ed75b-3e1a-44ac-a333-05ba39b99ff0')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_AC-2",
          "NIST_SP_800-53_R5_AC-2(1)",
          "NIST_SP_800-53_R5_AC-2(7)",
          "NIST_SP_800-53_R5_AC-3",
          "NIST_SP_800-53_R5_IA-2",
          "NIST_SP_800-53_R5_IA-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "71ef260a-8f18-47b7-abcb-62d0673d94dc",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-71ef260a-8f18-47b7-abcb-62d0673d94dc')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_AC-2",
          "NIST_SP_800-53_R5_AC-2(1)",
          "NIST_SP_800-53_R5_AC-2(7)",
          "NIST_SP_800-53_R5_AC-3",
          "NIST_SP_800-53_R5_IA-2",
          "NIST_SP_800-53_R5_IA-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "055aa869-bc98-4af8-bafc-23f1ab6ffe2c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_SC-5",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "564feb30-bf6a-4854-b4bb-0d2d2d1e6c66",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_SC-5",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "d9da03a1-f3c3-412a-9709-947156872263",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d9da03a1-f3c3-412a-9709-947156872263",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-d9da03a1-f3c3-412a-9709-947156872263')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_SC-8",
          "NIST_SP_800-53_R5_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "617c02be-7f02-4efd-8836-3180d47b6c68",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-617c02be-7f02-4efd-8836-3180d47b6c68')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_SC-28",
          "NIST_SP_800-53_R5_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "0b60c0b2-2dc2-4e1c-b5c9-abbed971de53",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_CP-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_CP-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "0a075868-4c26-42ef-914c-5bc007359560",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560",
        "parameters": {
          "maximumValidityInMonths": {
            "value": "[parameters('maximumValidityInMonths-0a075868-4c26-42ef-914c-5bc007359560')]"
          },
          "effect": {
            "value": "[parameters('effect-0a075868-4c26-42ef-914c-5bc007359560')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_IA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "98728c90-32c7-4049-8429-847dc0f4fe37",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-98728c90-32c7-4049-8429-847dc0f4fe37')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_IA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_IA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ec068d99-e9c7-401f-8cef-5bdde4e6ccf1",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ec068d99-e9c7-401f-8cef-5bdde4e6ccf1",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_SC-28",
          "NIST_SP_800-53_R5_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "c349d81b-9985-44ae-a8da-ff98d108ede8",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c349d81b-9985-44ae-a8da-ff98d108ede8",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-c349d81b-9985-44ae-a8da-ff98d108ede8')]"
          },
          "supportedSKUs": {
            "value": "[parameters('supportedSKUs-c349d81b-9985-44ae-a8da-ff98d108ede8')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_SC-28",
          "NIST_SP_800-53_R5_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "3657f5a0-770e-44a3-b44e-9431ba1e9735",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-3657f5a0-770e-44a3-b44e-9431ba1e9735')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_SC-28",
          "NIST_SP_800-53_R5_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "b4ac1030-89c5-4697-8e00-28b5ba6a8811",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4ac1030-89c5-4697-8e00-28b5ba6a8811",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-b4ac1030-89c5-4697-8e00-28b5ba6a8811')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_SC-28",
          "NIST_SP_800-53_R5_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ea0dfaed-95fb-448c-934e-d6e713ce393d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ea0dfaed-95fb-448c-934e-d6e713ce393d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-ea0dfaed-95fb-448c-934e-d6e713ce393d')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_SC-28",
          "NIST_SP_800-53_R5_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "3a58212a-c829-4f13-9872-6371df2fd0b4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-3a58212a-c829-4f13-9872-6371df2fd0b4')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_SC-28",
          "NIST_SP_800-53_R5_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "24fba194-95d6-48c0-aea7-f65bf859c598",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/24fba194-95d6-48c0-aea7-f65bf859c598",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-24fba194-95d6-48c0-aea7-f65bf859c598')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_SC-28",
          "NIST_SP_800-53_R5_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "4733ea7b-a883-42fe-8cac-97454c2a9e4a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_SC-28",
          "NIST_SP_800-53_R5_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "f4b53539-8df9-40e4-86c6-6b607703bd4e",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f4b53539-8df9-40e4-86c6-6b607703bd4e",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-f4b53539-8df9-40e4-86c6-6b607703bd4e')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_SC-28",
          "NIST_SP_800-53_R5_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "41425d9f-d1a5-499a-9932-f8ed8453932c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/41425d9f-d1a5-499a-9932-f8ed8453932c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-41425d9f-d1a5-499a-9932-f8ed8453932c')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_SC-28",
          "NIST_SP_800-53_R5_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "fc4d8e41-e223-45ea-9bf5-eada37891d87",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc4d8e41-e223-45ea-9bf5-eada37891d87",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-fc4d8e41-e223-45ea-9bf5-eada37891d87')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_SC-28",
          "NIST_SP_800-53_R5_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "86efb160-8de7-451d-bc08-5d475b0aadae",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-86efb160-8de7-451d-bc08-5d475b0aadae')]"
          },
          "supportedSKUs": {
            "value": "[parameters('supportedSKUs-86efb160-8de7-451d-bc08-5d475b0aadae')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "4ec52d6d-beb7-40c4-9a9e-fe753254690e",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ec52d6d-beb7-40c4-9a9e-fe753254690e",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-4ec52d6d-beb7-40c4-9a9e-fe753254690e')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "64d314f6-6062-4780-a861-c23e8951bee5",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/64d314f6-6062-4780-a861-c23e8951bee5",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-64d314f6-6062-4780-a861-c23e8951bee5')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "fa298e57-9444-42ba-bf04-86e8470e32c7",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fa298e57-9444-42ba-bf04-86e8470e32c7",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-fa298e57-9444-42ba-bf04-86e8470e32c7')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "67121cc7-ff39-4ab8-b7e3-95b84dab487d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "1f905d99-2ab7-462c-a6b0-f709acca6c8f",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1f905d99-2ab7-462c-a6b0-f709acca6c8f')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "ba769a63-b8cc-4b2d-abf6-ac33c7204be8",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-ba769a63-b8cc-4b2d-abf6-ac33c7204be8')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "81e74cea-30fd-40d5-802f-d72103c2aaaa",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/81e74cea-30fd-40d5-802f-d72103c2aaaa",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-81e74cea-30fd-40d5-802f-d72103c2aaaa')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "0aa61e00-0a01-4a3c-9945-e93cffedf0e6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0aa61e00-0a01-4a3c-9945-e93cffedf0e6",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0aa61e00-0a01-4a3c-9945-e93cffedf0e6')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "47031206-ce96-41f8-861b-6a915f3de284",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47031206-ce96-41f8-861b-6a915f3de284",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-47031206-ce96-41f8-861b-6a915f3de284')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "87ba29ef-1ab3-4d82-b763-87fcd4f531f7",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "51522a96-0869-4791-82f3-981000c2c67f",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/51522a96-0869-4791-82f3-981000c2c67f",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-51522a96-0869-4791-82f3-981000c2c67f')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "b5ec538c-daa0-4006-8596-35468b9148e8",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b5ec538c-daa0-4006-8596-35468b9148e8",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-b5ec538c-daa0-4006-8596-35468b9148e8')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "970f84d8-71b6-4091-9979-ace7e3fb6dbb",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/970f84d8-71b6-4091-9979-ace7e3fb6dbb",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-970f84d8-71b6-4091-9979-ace7e3fb6dbb')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "56a5ee18-2ae6-4810-86f7-18e39ce5629b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/56a5ee18-2ae6-4810-86f7-18e39ce5629b",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-56a5ee18-2ae6-4810-86f7-18e39ce5629b')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "2e94d99a-8a36-4563-bc77-810d8893b671",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2e94d99a-8a36-4563-bc77-810d8893b671",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-2e94d99a-8a36-4563-bc77-810d8893b671')]"
          },
          "enableDoubleEncryption": {
            "value": "[parameters('enableDoubleEncryption-2e94d99a-8a36-4563-bc77-810d8893b671')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "99e9ccd8-3db9-4592-b0d1-14b1715a4d8a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-99e9ccd8-3db9-4592-b0d1-14b1715a4d8a')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "1f68a601-6e6d-4e42-babf-3f643a047ea2",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f68a601-6e6d-4e42-babf-3f643a047ea2",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1f68a601-6e6d-4e42-babf-3f643a047ea2')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "f7d52b2d-e161-4dfa-a82b-55e564167385",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-f7d52b2d-e161-4dfa-a82b-55e564167385')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "7d7be79c-23ba-4033-84dd-45e2a5ccdd67",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "ca91455f-eace-4f96-be59-e6e2c35b4816",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ca91455f-eace-4f96-be59-e6e2c35b4816",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-ca91455f-eace-4f96-be59-e6e2c35b4816')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "702dd420-7fcc-42c5-afe8-4026edd20fe0",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-702dd420-7fcc-42c5-afe8-4026edd20fe0')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "22bee202-a82f-4305-9a2a-6d7f44d4dedb",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-22bee202-a82f-4305-9a2a-6d7f44d4dedb')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_SC-8",
          "NIST_SP_800-53_R5_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "404c3081-a854-4457-ae30-26a93ef643f9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-404c3081-a854-4457-ae30-26a93ef643f9')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_SC-8",
          "NIST_SP_800-53_R5_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "d0793b48-0edc-4296-a390-4c75d1bdfd71",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-d0793b48-0edc-4296-a390-4c75d1bdfd71')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "7d092e0a-7acd-40d2-a975-dca21cae48c4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7d092e0a-7acd-40d2-a975-dca21cae48c4",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-7d092e0a-7acd-40d2-a975-dca21cae48c4')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_AC-17",
          "NIST_SP_800-53_R5_AC-17(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "2a1a9cdf-e04d-429a-8416-3bfb72a1b26f",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "34c877ad-507e-4c82-993e-3452a6e0ad3c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-34c877ad-507e-4c82-993e-3452a6e0ad3c')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_AC-17",
          "NIST_SP_800-53_R5_AC-17(1)",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "55615ac9-af46-4a59-874e-391cc3dfb490",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-55615ac9-af46-4a59-874e-391cc3dfb490')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "1b8ca024-1d5c-4dec-8995-b1a932b41780",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1b8ca024-1d5c-4dec-8995-b1a932b41780')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "037eea7a-bd0a-46c5-9a66-03aea78705d3",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-037eea7a-bd0a-46c5-9a66-03aea78705d3')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "53503636-bcc9-4748-9663-5348217f160f",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/53503636-bcc9-4748-9663-5348217f160f",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-53503636-bcc9-4748-9663-5348217f160f')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_AC-17",
          "NIST_SP_800-53_R5_AC-17(1)",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "40cec1dd-a100-4920-b15b-3024fe8901ab",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/40cec1dd-a100-4920-b15b-3024fe8901ab",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-40cec1dd-a100-4920-b15b-3024fe8901ab')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_AC-17",
          "NIST_SP_800-53_R5_AC-17(1)",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "2154edb9-244f-4741-9970-660785bccdaa",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2154edb9-244f-4741-9970-660785bccdaa",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-2154edb9-244f-4741-9970-660785bccdaa')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_AC-17",
          "NIST_SP_800-53_R5_AC-17(1)",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "0725b4dd-7e76-479c-a735-68e7ee23d5ca",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "5f0bc445-3935-4915-9981-011aa2b46147",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f0bc445-3935-4915-9981-011aa2b46147",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-5f0bc445-3935-4915-9981-011aa2b46147')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_AC-17",
          "NIST_SP_800-53_R5_AC-17(1)",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "af35e2a4-ef96-44e7-a9ae-853dd97032c4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af35e2a4-ef96-44e7-a9ae-853dd97032c4",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-af35e2a4-ef96-44e7-a9ae-853dd97032c4')]"
          },
          "evaluatedSkuNames": {
            "value": "[parameters('evaluatedSkuNames-af35e2a4-ef96-44e7-a9ae-853dd97032c4')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_AC-17",
          "NIST_SP_800-53_R5_AC-17(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "a049bf77-880b-470f-ba6d-9f21c530cf83",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-a049bf77-880b-470f-ba6d-9f21c530cf83')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_AC-17",
          "NIST_SP_800-53_R5_AC-17(1)",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "52630df9-ca7e-442b-853b-c6ce548b31a2",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/52630df9-ca7e-442b-853b-c6ce548b31a2",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-52630df9-ca7e-442b-853b-c6ce548b31a2')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_AC-17",
          "NIST_SP_800-53_R5_AC-17(1)",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "4fa4b6c0-31ca-4c0d-b10d-24b96f62a751",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-4fa4b6c0-31ca-4c0d-b10d-24b96f62a751')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ee980b6d-0eca-4501-8d54-f6290fd512c3",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ee980b6d-0eca-4501-8d54-f6290fd512c3",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-ee980b6d-0eca-4501-8d54-f6290fd512c3')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "1d84d5fb-01f6-4d12-ba4f-4a26081d403d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1d84d5fb-01f6-4d12-ba4f-4a26081d403d')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_AC-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "37e0d2fe-28a5-43d6-a273-67d37d1f5606",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-37e0d2fe-28a5-43d6-a273-67d37d1f5606')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R5_AC-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "b52376f7-9612-48a1-81cd-1ffe4b61032c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "6b1cbf55-e8b6-442f-ba4c-7246b6381474",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "1f314764-cb73-4fc9-b863-8eca98ac36e9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-2",
          "NIST_SP_800-53_R5_AC-2(1)",
          "NIST_SP_800-53_R5_AC-2(7)",
          "NIST_SP_800-53_R5_AC-3",
          "NIST_SP_800-53_R5_IA-2",
          "NIST_SP_800-53_R5_IA-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ac4a19c2-fa67-49b4-8ae5-0b2e78c49457",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-3(7)"
        ]
      },
      {
        "policyDefinitionReferenceId": "5744710e-cc2f-4ee8-8809-3b11e89f4bc9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "08e6af2d-db70-460a-bfe9-d5bd474ba9d6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_AC-4(3)",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "09024ccc-0c5f-475e-9457-b7c0d9ed487b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "4f11b553-d42e-4e3a-89be-32ca364cad4c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-2",
          "NIST_SP_800-53_R5_AC-6",
          "NIST_SP_800-53_R5_AC-6(7)"
        ]
      },
      {
        "policyDefinitionReferenceId": "abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-2(12)",
          "NIST_SP_800-53_R5_AC-16",
          "NIST_SP_800-53_R5_AU-6",
          "NIST_SP_800-53_R5_AU-6(4)",
          "NIST_SP_800-53_R5_AU-6(5)",
          "NIST_SP_800-53_R5_AU-12",
          "NIST_SP_800-53_R5_AU-12(1)",
          "NIST_SP_800-53_R5_IR-4",
          "NIST_SP_800-53_R5_IR-5",
          "NIST_SP_800-53_R5_RA-5",
          "NIST_SP_800-53_R5_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "0e60b895-3786-45da-8377-9c6b4b6ac5f9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-17",
          "NIST_SP_800-53_R5_AC-17(1)",
          "NIST_SP_800-53_R5_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-16",
          "NIST_SP_800-53_R5_AU-6",
          "NIST_SP_800-53_R5_AU-6(4)",
          "NIST_SP_800-53_R5_AU-6(5)",
          "NIST_SP_800-53_R5_AU-12",
          "NIST_SP_800-53_R5_AU-12(1)",
          "NIST_SP_800-53_R5_IR-4",
          "NIST_SP_800-53_R5_IR-5",
          "NIST_SP_800-53_R5_RA-5",
          "NIST_SP_800-53_R5_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "89099bee-89e0-4b26-a5f4-165451757743",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AU-11"
        ]
      },
      {
        "policyDefinitionReferenceId": "4da35fc9-c9e7-4960-aec9-797fe7d9051d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-2(12)",
          "NIST_SP_800-53_R5_AU-6",
          "NIST_SP_800-53_R5_AU-6(4)",
          "NIST_SP_800-53_R5_AU-6(5)",
          "NIST_SP_800-53_R5_AU-12",
          "NIST_SP_800-53_R5_AU-12(1)",
          "NIST_SP_800-53_R5_CM-7",
          "NIST_SP_800-53_R5_IR-4",
          "NIST_SP_800-53_R5_IR-5",
          "NIST_SP_800-53_R5_RA-5",
          "NIST_SP_800-53_R5_SC-3",
          "NIST_SP_800-53_R5_SI-2",
          "NIST_SP_800-53_R5_SI-3",
          "NIST_SP_800-53_R5_SI-4",
          "NIST_SP_800-53_R5_SI-16"
        ]
      },
      {
        "policyDefinitionReferenceId": "47a6b606-51aa-4496-8bb7-64b11cf66adc",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_CM-7",
          "NIST_SP_800-53_R5_CM-7(2)",
          "NIST_SP_800-53_R5_CM-7(5)",
          "NIST_SP_800-53_R5_CM-10",
          "NIST_SP_800-53_R5_CM-11"
        ]
      },
      {
        "policyDefinitionReferenceId": "0ec47710-77ff-4a3d-9181-6aa50af424d0",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_CP-6",
          "NIST_SP_800-53_R5_CP-6(1)",
          "NIST_SP_800-53_R5_CP-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_CP-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "013e242c-8828-4970-87b3-ab247555486d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_CP-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "aa633080-8b72-40c4-a2d7-d00c03e80bed",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-3",
          "NIST_SP_800-53_R5_IA-2",
          "NIST_SP_800-53_R5_IA-2(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "e3576e28-8b17-4677-84c3-db2990658d64",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-3",
          "NIST_SP_800-53_R5_IA-2",
          "NIST_SP_800-53_R5_IA-2(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "6646a0bd-e110-40ca-bb97-84fcee63c414",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6646a0bd-e110-40ca-bb97-84fcee63c414",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-2(7)",
          "NIST_SP_800-53_R5_IA-2",
          "NIST_SP_800-53_R5_IA-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "3cf2ab00-13f1-4d0c-8971-2ac904541a7e",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-3",
          "NIST_SP_800-53_R5_AC-17",
          "NIST_SP_800-53_R5_AC-17(1)",
          "NIST_SP_800-53_R5_IA-5",
          "NIST_SP_800-53_R5_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_IR-4",
          "NIST_SP_800-53_R5_IR-5",
          "NIST_SP_800-53_R5_IR-6(2)",
          "NIST_SP_800-53_R5_SI-4(12)"
        ]
      },
      {
        "policyDefinitionReferenceId": "3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_RA-5",
          "NIST_SP_800-53_R5_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "a7aca53f-2ed4-4466-a25e-0b45ade68efd",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_SC-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_SC-8",
          "NIST_SP_800-53_R5_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "0d134df8-db83-46fb-ad72-fe0c9428c8dd",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "0961003e-5a0a-4549-abde-af6a37f2724d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_SC-28",
          "NIST_SP_800-53_R5_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "26a828e1-e88f-464e-bbb3-c134a282b9de",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_SC-3",
          "NIST_SP_800-53_R5_SI-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ebb62a0c-3560-49e1-89ed-27e074e9f8ad",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "b0f33259-77d7-4c9e-aac6-3aabcfae693c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-2(12)",
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_AC-4(3)",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "a451c1ef-c6ca-483d-87ed-f49761e3ffb5",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-2",
          "NIST_SP_800-53_R5_AC-2(7)",
          "NIST_SP_800-53_R5_AC-6",
          "NIST_SP_800-53_R5_AC-6(7)"
        ]
      },
      {
        "policyDefinitionReferenceId": "cb510bfd-1cba-4d9f-a230-cb0976f4bb71",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-17",
          "NIST_SP_800-53_R5_AC-17(1)",
          "NIST_SP_800-53_R5_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "123a3936-f020-408a-ba0c-47873faf1534",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/123a3936-f020-408a-ba0c-47873faf1534",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_CM-7",
          "NIST_SP_800-53_R5_CM-7(2)",
          "NIST_SP_800-53_R5_CM-7(5)",
          "NIST_SP_800-53_R5_CM-10",
          "NIST_SP_800-53_R5_CM-11"
        ]
      },
      {
        "policyDefinitionReferenceId": "48af4db5-9b8b-401c-8e74-076be876a430",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_CP-6",
          "NIST_SP_800-53_R5_CP-6(1)",
          "NIST_SP_800-53_R5_CP-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "9297c21d-2ed6-4474-b48f-163f75654ce3",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-3",
          "NIST_SP_800-53_R5_IA-2",
          "NIST_SP_800-53_R5_IA-2(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "0da106f2-4ca3-48e8-bc85-c638fe6aea8f",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-2",
          "NIST_SP_800-53_R5_AC-3",
          "NIST_SP_800-53_R5_IA-2",
          "NIST_SP_800-53_R5_IA-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "497dff13-db2a-4c0f-8603-28fa3b331ab6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-3",
          "NIST_SP_800-53_R5_AC-17",
          "NIST_SP_800-53_R5_AC-17(1)",
          "NIST_SP_800-53_R5_IA-5",
          "NIST_SP_800-53_R5_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "6e2593d9-add6-4083-9c9b-4b7d2188c899",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_IR-4",
          "NIST_SP_800-53_R5_IR-5",
          "NIST_SP_800-53_R5_IR-6(2)",
          "NIST_SP_800-53_R5_SI-4(12)"
        ]
      },
      {
        "policyDefinitionReferenceId": "e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_RA-5",
          "NIST_SP_800-53_R5_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "9daedab3-fb2d-461e-b861-71790eead4f6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "a4af4a39-4135-47fb-b175-47fbdf85311d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_SC-8",
          "NIST_SP_800-53_R5_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "048248b0-55cd-46da-b1ff-39efd52db260",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "17k78e20-9358-41c9-923c-fb736d382a12",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_SC-28",
          "NIST_SP_800-53_R5_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "af6cd1bd-1635-48cb-bde7-5b15693900b9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_SC-3",
          "NIST_SP_800-53_R5_SI-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "f8456c1c-aa66-4dfb-861a-25d127b775c9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "e9c8d085-d9cc-4b17-9cdc-059f1f01f19e",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-17",
          "NIST_SP_800-53_R5_AC-17(1)",
          "NIST_SP_800-53_R5_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "0e6763cc-5078-4e64-889d-ff4d9a839047",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-2(12)",
          "NIST_SP_800-53_R5_AU-6",
          "NIST_SP_800-53_R5_AU-6(4)",
          "NIST_SP_800-53_R5_AU-6(5)",
          "NIST_SP_800-53_R5_AU-12",
          "NIST_SP_800-53_R5_AU-12(1)",
          "NIST_SP_800-53_R5_IR-4",
          "NIST_SP_800-53_R5_IR-5",
          "NIST_SP_800-53_R5_RA-5",
          "NIST_SP_800-53_R5_SI-2",
          "NIST_SP_800-53_R5_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "358c20a6-3f9e-4f0e-97ff-c6ce485e2aac",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "82339799-d096-41ae-8538-b108becf0970",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_CP-6",
          "NIST_SP_800-53_R5_CP-6(1)",
          "NIST_SP_800-53_R5_CP-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "2b9ad585-36bc-4615-b300-fd4435808332",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-2",
          "NIST_SP_800-53_R5_AC-3",
          "NIST_SP_800-53_R5_IA-2",
          "NIST_SP_800-53_R5_IA-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "385f5831-96d4-41db-9a3c-cd3af78aaae6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-17",
          "NIST_SP_800-53_R5_AC-17(1)",
          "NIST_SP_800-53_R5_IA-5",
          "NIST_SP_800-53_R5_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "0b15565f-aa9e-48ba-8619-45960f2c314d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_IR-4",
          "NIST_SP_800-53_R5_IR-5",
          "NIST_SP_800-53_R5_IR-6(2)",
          "NIST_SP_800-53_R5_SI-4(12)"
        ]
      },
      {
        "policyDefinitionReferenceId": "feedbf84-6b99-488c-acc2-71c829aa5ffc",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_RA-5",
          "NIST_SP_800-53_R5_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "b7ddfbdc-1260-477d-91fd-98bd9be789a6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_SC-8",
          "NIST_SP_800-53_R5_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_SC-28",
          "NIST_SP_800-53_R5_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "86b3d65f-7626-441e-b690-81a8b71cff60",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "fc5e4038-4584-4632-8c85-c0448d374b2c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)",
          "NIST_SP_800-53_R5_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "5f76cf89-fbf2-47fd-a3f4-b891fa780b60",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "e71308d3-144b-4262-b144-efdc3cc90517",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "7fe3b40f-802b-4cdd-8bd4-fd799c948cc2",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-2(12)",
          "NIST_SP_800-53_R5_AU-6",
          "NIST_SP_800-53_R5_AU-6(4)",
          "NIST_SP_800-53_R5_AU-6(5)",
          "NIST_SP_800-53_R5_AU-12",
          "NIST_SP_800-53_R5_AU-12(1)",
          "NIST_SP_800-53_R5_IR-4",
          "NIST_SP_800-53_R5_IR-5",
          "NIST_SP_800-53_R5_RA-5",
          "NIST_SP_800-53_R5_SI-2",
          "NIST_SP_800-53_R5_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "d62cfe2b-3ab0-4d41-980d-76803b58ca65",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d62cfe2b-3ab0-4d41-980d-76803b58ca65",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AU-6(4)",
          "NIST_SP_800-53_R5_AU-6(5)",
          "NIST_SP_800-53_R5_AU-12",
          "NIST_SP_800-53_R5_AU-12(1)",
          "NIST_SP_800-53_R5_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "0820b7b9-23aa-4725-a1ce-ae4558f718e5",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "c4d441f8-f9d9-4a9e-9cef-e82117cb3eef",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-2",
          "NIST_SP_800-53_R5_AC-3",
          "NIST_SP_800-53_R5_IA-2",
          "NIST_SP_800-53_R5_IA-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "331e8ea8-378a-410f-a2e5-ae22f38bb0da",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-3",
          "NIST_SP_800-53_R5_AC-17",
          "NIST_SP_800-53_R5_AC-17(1)",
          "NIST_SP_800-53_R5_IA-5",
          "NIST_SP_800-53_R5_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_RA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "bd352bd5-2853-4985-bf0d-73806b4a5744",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_SC-5",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "5c607a2e-c700-4744-8254-d77e7c9eb5e4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "f6de0be7-9a8a-4b8a-b349-43cf02d22f7c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "6581d072-105e-4418-827f-bd446d56421b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6581d072-105e-4418-827f-bd446d56421b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-2(12)",
          "NIST_SP_800-53_R5_AU-6",
          "NIST_SP_800-53_R5_AU-6(4)",
          "NIST_SP_800-53_R5_AU-6(5)",
          "NIST_SP_800-53_R5_AU-12",
          "NIST_SP_800-53_R5_AU-12(1)",
          "NIST_SP_800-53_R5_IR-4",
          "NIST_SP_800-53_R5_IR-5",
          "NIST_SP_800-53_R5_RA-5",
          "NIST_SP_800-53_R5_SI-2",
          "NIST_SP_800-53_R5_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "a4fe33eb-e377-4efb-ab31-0784311bc499",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AU-6(4)",
          "NIST_SP_800-53_R5_AU-6(5)",
          "NIST_SP_800-53_R5_AU-12",
          "NIST_SP_800-53_R5_AU-12(1)",
          "NIST_SP_800-53_R5_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "501541f7-f7e7-4cd6-868c-4190fdad3ac9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_RA-5",
          "NIST_SP_800-53_R5_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "6fac406b-40ca-413b-bf8e-0bf964659c25",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "bb91dfba-c30d-4263-9add-9c2384e659a6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "308fbb08-4ab8-4e67-9b29-592e93fb94fa",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-2(12)",
          "NIST_SP_800-53_R5_AU-6",
          "NIST_SP_800-53_R5_AU-6(4)",
          "NIST_SP_800-53_R5_AU-6(5)",
          "NIST_SP_800-53_R5_AU-12",
          "NIST_SP_800-53_R5_AU-12(1)",
          "NIST_SP_800-53_R5_IR-4",
          "NIST_SP_800-53_R5_IR-5",
          "NIST_SP_800-53_R5_RA-5",
          "NIST_SP_800-53_R5_SI-2",
          "NIST_SP_800-53_R5_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "a3a6ea0c-e018-4933-9ef0-5aaa1501449b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AU-6(4)",
          "NIST_SP_800-53_R5_AU-6(5)",
          "NIST_SP_800-53_R5_AU-12",
          "NIST_SP_800-53_R5_AU-12(1)",
          "NIST_SP_800-53_R5_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "0a15ec92-a229-4763-bb14-0ea34a568f8d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a15ec92-a229-4763-bb14-0ea34a568f8d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "2913021d-f2fd-4f3d-b958-22354e2bdbcb",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcb",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-2(12)",
          "NIST_SP_800-53_R5_AU-6",
          "NIST_SP_800-53_R5_AU-6(4)",
          "NIST_SP_800-53_R5_AU-6(5)",
          "NIST_SP_800-53_R5_AU-12",
          "NIST_SP_800-53_R5_AU-12(1)",
          "NIST_SP_800-53_R5_IR-4",
          "NIST_SP_800-53_R5_IR-5",
          "NIST_SP_800-53_R5_RA-5",
          "NIST_SP_800-53_R5_SI-2",
          "NIST_SP_800-53_R5_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ae89ebca-1c92-4898-ac2c-9f63decb045c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AU-6(4)",
          "NIST_SP_800-53_R5_AU-6(5)",
          "NIST_SP_800-53_R5_AU-12",
          "NIST_SP_800-53_R5_AU-12(1)",
          "NIST_SP_800-53_R5_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_SC-8",
          "NIST_SP_800-53_R5_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "0e246bcf-5f6f-4f87-bc6f-775d4712c7ea",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "c25d9a16-bc35-4e15-a7e5-9db606bf9ed4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c25d9a16-bc35-4e15-a7e5-9db606bf9ed4",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-2(12)",
          "NIST_SP_800-53_R5_AU-6",
          "NIST_SP_800-53_R5_AU-6(4)",
          "NIST_SP_800-53_R5_AU-6(5)",
          "NIST_SP_800-53_R5_AU-12",
          "NIST_SP_800-53_R5_AU-12(1)",
          "NIST_SP_800-53_R5_IR-4",
          "NIST_SP_800-53_R5_IR-5",
          "NIST_SP_800-53_R5_RA-5",
          "NIST_SP_800-53_R5_SI-2",
          "NIST_SP_800-53_R5_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "d26f7642-7545-4e18-9b75-8c9bbdee3a9a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AU-6(4)",
          "NIST_SP_800-53_R5_AU-6(5)",
          "NIST_SP_800-53_R5_AU-12",
          "NIST_SP_800-53_R5_AU-12(1)",
          "NIST_SP_800-53_R5_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "e8cbc669-f12d-49eb-93e7-9273119e9933",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_RA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "d158790f-bfb0-486c-8631-2dc6b4e8e6af",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_SC-8",
          "NIST_SP_800-53_R5_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "83cef61d-dbd1-4b20-a4fc-5fbc7da10833",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "523b5cd1-3e23-492f-a539-13118b6d1e3a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/523b5cd1-3e23-492f-a539-13118b6d1e3a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-2(12)",
          "NIST_SP_800-53_R5_AU-6",
          "NIST_SP_800-53_R5_AU-6(4)",
          "NIST_SP_800-53_R5_AU-6(5)",
          "NIST_SP_800-53_R5_AU-12",
          "NIST_SP_800-53_R5_AU-12(1)",
          "NIST_SP_800-53_R5_IR-4",
          "NIST_SP_800-53_R5_IR-5",
          "NIST_SP_800-53_R5_RA-5",
          "NIST_SP_800-53_R5_SI-2",
          "NIST_SP_800-53_R5_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AU-6(4)",
          "NIST_SP_800-53_R5_AU-6(5)",
          "NIST_SP_800-53_R5_AU-12",
          "NIST_SP_800-53_R5_AU-12(1)",
          "NIST_SP_800-53_R5_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "6ba6d016-e7c3-4842-b8f2-4992ebc0d72d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_RA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "22730e10-96f6-4aac-ad84-9383d35b5917",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "e802a67a-daf5-4436-9ea6-f6d821dd0c5d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_SC-8",
          "NIST_SP_800-53_R5_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "18adea5e-f416-4d0f-8aa8-d24321e3e274",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "0564d078-92f5-4f97-8398-b9f58a51f70b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0564d078-92f5-4f97-8398-b9f58a51f70b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_AC-17",
          "NIST_SP_800-53_R5_AC-17(1)",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "842c54e8-c2f9-4d79-ae8d-38d8b8019373",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/842c54e8-c2f9-4d79-ae8d-38d8b8019373",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AU-6(4)",
          "NIST_SP_800-53_R5_AU-6(5)",
          "NIST_SP_800-53_R5_AU-12",
          "NIST_SP_800-53_R5_AU-12(1)",
          "NIST_SP_800-53_R5_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "1b7aa243-30e4-4c9e-bca8-d0d3022b634a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_RA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_SC-8",
          "NIST_SP_800-53_R5_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "0a1302fb-a631-4106-9753-f3d494733990",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a1302fb-a631-4106-9753-f3d494733990",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_AC-17",
          "NIST_SP_800-53_R5_AC-17(1)",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "8dfab9c4-fe7b-49ad-85e4-1e9be085358f",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8dfab9c4-fe7b-49ad-85e4-1e9be085358f",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-2(12)",
          "NIST_SP_800-53_R5_AU-6",
          "NIST_SP_800-53_R5_AU-6(4)",
          "NIST_SP_800-53_R5_AU-6(5)",
          "NIST_SP_800-53_R5_AU-12",
          "NIST_SP_800-53_R5_AU-12(1)",
          "NIST_SP_800-53_R5_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "475aae12-b88a-4572-8b36-9b712b2b3a17",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AU-6(4)",
          "NIST_SP_800-53_R5_AU-6(5)",
          "NIST_SP_800-53_R5_AU-12",
          "NIST_SP_800-53_R5_AU-12(1)",
          "NIST_SP_800-53_R5_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "0049a6b3-a662-4f3e-8635-39cf44ace45a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0049a6b3-a662-4f3e-8635-39cf44ace45a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_RA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "f9d614c5-c173-4d56-95a7-b4437057d193",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_SC-8",
          "NIST_SP_800-53_R5_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "7595c971-233d-4bcf-bd18-596129188c49",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7595c971-233d-4bcf-bd18-596129188c49",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_AC-17",
          "NIST_SP_800-53_R5_AC-17(1)",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "c3d20c29-b36d-48fe-808b-99a87530ad99",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3d20c29-b36d-48fe-808b-99a87530ad99",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-2(12)",
          "NIST_SP_800-53_R5_AU-6",
          "NIST_SP_800-53_R5_AU-6(4)",
          "NIST_SP_800-53_R5_AU-6(5)",
          "NIST_SP_800-53_R5_AU-12",
          "NIST_SP_800-53_R5_AU-12(1)",
          "NIST_SP_800-53_R5_IR-4",
          "NIST_SP_800-53_R5_IR-5",
          "NIST_SP_800-53_R5_RA-5",
          "NIST_SP_800-53_R5_SI-2",
          "NIST_SP_800-53_R5_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "2f2ee1de-44aa-4762-b6bd-0893fc3f306d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AU-6",
          "NIST_SP_800-53_R5_AU-6(4)",
          "NIST_SP_800-53_R5_AU-6(5)",
          "NIST_SP_800-53_R5_AU-12",
          "NIST_SP_800-53_R5_AU-12(1)",
          "NIST_SP_800-53_R5_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "399b2637-a50f-4f95-96f8-3a145476eb15",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_SC-8",
          "NIST_SP_800-53_R5_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "bdc59948-5574-49b3-bb91-76b7c986428d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bdc59948-5574-49b3-bb91-76b7c986428d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-2(12)",
          "NIST_SP_800-53_R5_AU-6",
          "NIST_SP_800-53_R5_AU-6(4)",
          "NIST_SP_800-53_R5_AU-6(5)",
          "NIST_SP_800-53_R5_AU-12",
          "NIST_SP_800-53_R5_AU-12(1)",
          "NIST_SP_800-53_R5_IR-4",
          "NIST_SP_800-53_R5_IR-5",
          "NIST_SP_800-53_R5_RA-5",
          "NIST_SP_800-53_R5_SI-2",
          "NIST_SP_800-53_R5_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "04c4380f-3fae-46e8-96c9-30193528f602",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AU-6",
          "NIST_SP_800-53_R5_AU-6(4)",
          "NIST_SP_800-53_R5_AU-6(5)",
          "NIST_SP_800-53_R5_AU-12",
          "NIST_SP_800-53_R5_AU-12(1)",
          "NIST_SP_800-53_R5_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_SC-8",
          "NIST_SP_800-53_R5_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "295fc8b1-dc9f-4f53-9c61-3f313ceab40a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/295fc8b1-dc9f-4f53-9c61-3f313ceab40a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "fb74e86f-d351-4b8d-b034-93da7391c01f",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fb74e86f-d351-4b8d-b034-93da7391c01f",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_SC-28",
          "NIST_SP_800-53_R5_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "e8eef0a8-67cf-4eb4-9386-14b0e78733d4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_AC-17",
          "NIST_SP_800-53_R5_AC-17(1)",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "fdccbe47-f3e3-4213-ad5d-ea459b2fa077",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "9a1b8c48-453a-4044-86c3-d8bfd823e4f5",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_SC-8",
          "NIST_SP_800-53_R5_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ca610c1d-041c-4332-9d88-7ed3094967c7",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ca610c1d-041c-4332-9d88-7ed3094967c7",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_AC-17",
          "NIST_SP_800-53_R5_AC-17(1)",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "d9844e8a-1437-4aeb-a32c-0c992f056095",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "9830b652-8523-49cc-b1b3-e17dce1127ca",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9830b652-8523-49cc-b1b3-e17dce1127ca",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_AC-17",
          "NIST_SP_800-53_R5_AC-17(1)",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "4b90e17e-8448-49db-875e-bd83fb6f804f",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4b90e17e-8448-49db-875e-bd83fb6f804f",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_AC-17",
          "NIST_SP_800-53_R5_AC-17(1)",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "fb893a29-21bb-418c-a157-e99480ec364c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_SI-2",
          "NIST_SP_800-53_R5_SI-2(6)"
        ]
      },
      {
        "policyDefinitionReferenceId": "1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_SI-2",
          "NIST_SP_800-53_R5_SI-2(6)"
        ]
      },
      {
        "policyDefinitionReferenceId": "a1ad735a-e96f-45d2-a7b2-9a4932cab7ec",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a1ad735a-e96f-45d2-a7b2-9a4932cab7ec",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "7261b898-8a84-4db8-9e04-18527132abb3",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_SI-2",
          "NIST_SP_800-53_R5_SI-2(6)"
        ]
      },
      {
        "policyDefinitionReferenceId": "5bb220d9-2698-4ee4-8404-b9c30c9df609",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "496223c3-ad65-4ecd-878a-bae78737e9ed",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_SI-2",
          "NIST_SP_800-53_R5_SI-2(6)"
        ]
      },
      {
        "policyDefinitionReferenceId": "eaebaea7-8013-4ceb-9d14-7eb32271373c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eaebaea7-8013-4ceb-9d14-7eb32271373c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_SI-2",
          "NIST_SP_800-53_R5_SI-2(6)"
        ]
      },
      {
        "policyDefinitionReferenceId": "0c192fe8-9cbb-4516-85b3-0ade8bd03886",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0c192fe8-9cbb-4516-85b3-0ade8bd03886",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "5f0f936f-2f01-4bf5-b6be-d423792fa562",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_RA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "88999f4c-376a-45c8-bcb3-4058f713cf39",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/88999f4c-376a-45c8-bcb3-4058f713cf39",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_SI-2",
          "NIST_SP_800-53_R5_SI-2(6)"
        ]
      },
      {
        "policyDefinitionReferenceId": "6edd7eda-6dd8-40f7-810d-67160c639cd9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_AC-17",
          "NIST_SP_800-53_R5_AC-17(1)",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "7008174a-fd10-4ef0-817e-fc820a951d73",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_SI-2",
          "NIST_SP_800-53_R5_SI-2(6)"
        ]
      },
      {
        "policyDefinitionReferenceId": "7698e800-9299-47a6-b3b6-5a0fee576eed",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7698e800-9299-47a6-b3b6-5a0fee576eed",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_AC-17",
          "NIST_SP_800-53_R5_AC-17(1)",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "7238174a-fd10-4ef0-817e-fc820a951d73",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_SI-2",
          "NIST_SP_800-53_R5_SI-2(6)"
        ]
      },
      {
        "policyDefinitionReferenceId": "74c3584d-afae-46f7-a20a-6f8adba71a16",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20a-6f8adba71a16",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_SI-2",
          "NIST_SP_800-53_R5_SI-2(6)"
        ]
      },
      {
        "policyDefinitionReferenceId": "0fda3595-9f2b-4592-8675-4231d6fa82fe",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0fda3595-9f2b-4592-8675-4231d6fa82fe",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_AC-17",
          "NIST_SP_800-53_R5_AC-17(1)",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "cddd188c-4b82-4c48-a19d-ddf74ee66a01",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cddd188c-4b82-4c48-a19d-ddf74ee66a01",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_AC-17",
          "NIST_SP_800-53_R5_AC-17(1)",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "051cba44-2429-45b9-9649-46cec11c7119",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "8b0323be-cc25-4b61-935d-002c3798c6ea",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8b0323be-cc25-4b61-935d-002c3798c6ea",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_AC-17",
          "NIST_SP_800-53_R5_AC-17(1)",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "f39f5f49-4abf-44de-8c70-0756997bfb51",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f39f5f49-4abf-44de-8c70-0756997bfb51",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_AC-17",
          "NIST_SP_800-53_R5_AC-17(1)",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "58440f8a-10c5-4151-bdce-dfbaad4a20b7",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/58440f8a-10c5-4151-bdce-dfbaad4a20b7",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_AC-17",
          "NIST_SP_800-53_R5_AC-17(1)",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "7803067c-7d34-46e3-8c79-0ca68fc4036d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7803067c-7d34-46e3-8c79-0ca68fc4036d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_AC-17",
          "NIST_SP_800-53_R5_AC-17(1)",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "b8564268-eb4a-4337-89be-a19db070c59d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b8564268-eb4a-4337-89be-a19db070c59d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_AC-17",
          "NIST_SP_800-53_R5_AC-17(1)",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "df39c015-56a4-45de-b4a3-efe77bed320d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/df39c015-56a4-45de-b4a3-efe77bed320d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_AC-17",
          "NIST_SP_800-53_R5_AC-17(1)",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "1c06e275-d63d-4540-b761-71f364c2111d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c06e275-d63d-4540-b761-71f364c2111d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_AC-17",
          "NIST_SP_800-53_R5_AC-17(1)",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "1d320205-c6a1-4ac6-873d-46224024e8e2",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1d320205-c6a1-4ac6-873d-46224024e8e2",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_AC-17",
          "NIST_SP_800-53_R5_AC-17(1)",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AU-6(4)",
          "NIST_SP_800-53_R5_AU-6(5)",
          "NIST_SP_800-53_R5_AU-12",
          "NIST_SP_800-53_R5_AU-12(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "1ee56206-5dd1-42ab-b02d-8aae8b1634ce",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1ee56206-5dd1-42ab-b02d-8aae8b1634ce",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_AC-17",
          "NIST_SP_800-53_R5_AC-17(1)",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "72d11df1-dd8a-41f7-8925-b05b960ebafc",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/72d11df1-dd8a-41f7-8925-b05b960ebafc",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_AC-4",
          "NIST_SP_800-53_R5_AC-17",
          "NIST_SP_800-53_R5_AC-17(1)",
          "NIST_SP_800-53_R5_SC-7",
          "NIST_SP_800-53_R5_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "bf045164-79ba-4215-8f95-f8048dc1780b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bf045164-79ba-4215-8f95-f8048dc1780b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_CP-6",
          "NIST_SP_800-53_R5_CP-6(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "d38fc420-0735-4ef3-ac11-c806f651a570",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_CP-6",
          "NIST_SP_800-53_R5_CP-6(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "991310cd-e9f3-47bc-b7b6-f57b557d07db",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/991310cd-e9f3-47bc-b7b6-f57b557d07db",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_SI-2",
          "NIST_SP_800-53_R5_SI-2(6)"
        ]
      },
      {
        "policyDefinitionReferenceId": "e2c1c086-2d84-4019-bff3-c44ccd95113c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e2c1c086-2d84-4019-bff3-c44ccd95113c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_SI-2",
          "NIST_SP_800-53_R5_SI-2(6)"
        ]
      },
      {
        "policyDefinitionReferenceId": "8c122334-9d20-4eb8-89ea-ac9a705b74ae",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8c122334-9d20-4eb8-89ea-ac9a705b74ae",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R5_SI-2",
          "NIST_SP_800-53_R5_SI-2(6)"
        ]
      }
    ],
    "policyDefinitionGroups": [
      {
        "name": "NIST_SP_800-53_R5_AC-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-1"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-2"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-2(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-2(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-2(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-2(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-2(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-2(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-2(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-2(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-2(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-2(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-2(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-2(6)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-2(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-2(7)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-2(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-2(8)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-2(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-2(9)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-2(11)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-2(11)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-2(12)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-2(12)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-2(13)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-2(13)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-3"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-3(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-3(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-3(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-3(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-3(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-3(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-3(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-3(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-3(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-3(7)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-3(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-3(8)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-3(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-3(9)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-3(10)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-3(10)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-3(11)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-3(11)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-3(12)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-3(12)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-3(13)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-3(13)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-3(14)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-3(14)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-3(15)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-3(15)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-4"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-4(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-4(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-4(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-4(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-4(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-4(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-4(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-4(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-4(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-4(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-4(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-4(6)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-4(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-4(7)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-4(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-4(8)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-4(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-4(9)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-4(10)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-4(10)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-4(11)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-4(11)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-4(12)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-4(12)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-4(13)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-4(13)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-4(14)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-4(14)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-4(15)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-4(15)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-4(17)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-4(17)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-4(19)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-4(19)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-4(20)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-4(20)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-4(21)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-4(21)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-4(22)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-4(22)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-4(23)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-4(23)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-4(24)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-4(24)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-4(25)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-4(25)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-4(26)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-4(26)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-4(27)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-4(27)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-4(28)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-4(28)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-4(29)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-4(29)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-4(30)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-4(30)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-4(31)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-4(31)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-4(32)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-4(32)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-5"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-6"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-6(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-6(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-6(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-6(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-6(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-6(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-6(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-6(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-6(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-6(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-6(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-6(6)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-6(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-6(7)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-6(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-6(8)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-6(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-6(9)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-6(10)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-6(10)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-7"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-7(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-7(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-7(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-7(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-7(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-7(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-8"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-9"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-9(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-9(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-9(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-9(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-9(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-9(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-9(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-9(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-10"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-11"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-11(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-11(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-12"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-12(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-12(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-12(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-12(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-12(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-12(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-14",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-14"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-16",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-16"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-16(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-16(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-16(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-16(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-16(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-16(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-16(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-16(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-16(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-16(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-16(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-16(6)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-16(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-16(7)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-16(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-16(8)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-16(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-16(9)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-16(10)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-16(10)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-17",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-17"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-17(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-17(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-17(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-17(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-17(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-17(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-17(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-17(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-17(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-17(6)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-17(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-17(9)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-17(10)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-17(10)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-18",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-18"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-18(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-18(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-18(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-18(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-18(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-18(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-18(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-18(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-19",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-19"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-19(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-19(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-19(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-19(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-20",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-20"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-20(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-20(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-20(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-20(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-20(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-20(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-20(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-20(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-20(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-20(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-21",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-21"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-21(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-21(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-21(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-21(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-22",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-22"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-23",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-23"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-24",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-24"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-24(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-24(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-24(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-24(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_AC-25",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AC-25"
      },
      {
        "name": "NIST_SP_800-53_R5_AT-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AT-1"
      },
      {
        "name": "NIST_SP_800-53_R5_AT-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AT-2"
      },
      {
        "name": "NIST_SP_800-53_R5_AT-2(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AT-2(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_AT-2(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AT-2(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_AT-2(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AT-2(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_AT-2(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AT-2(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_AT-2(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AT-2(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_AT-2(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AT-2(6)"
      },
      {
        "name": "NIST_SP_800-53_R5_AT-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AT-3"
      },
      {
        "name": "NIST_SP_800-53_R5_AT-3(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AT-3(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_AT-3(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AT-3(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_AT-3(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AT-3(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_AT-3(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AT-3(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_AT-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AT-4"
      },
      {
        "name": "NIST_SP_800-53_R5_AT-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AT-6"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-1"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-2"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-3"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-3(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-3(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-3(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-3(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-4"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-4(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-4(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-5"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-5(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-5(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-5(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-5(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-5(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-5(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-5(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-5(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-5(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-5(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-6"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-6(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-6(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-6(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-6(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-6(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-6(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-6(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-6(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-6(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-6(6)"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-6(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-6(7)"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-6(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-6(8)"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-6(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-6(9)"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-7"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-7(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-7(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-8"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-9"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-9(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-9(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-9(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-9(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-9(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-9(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-9(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-9(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-9(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-9(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-9(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-9(6)"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-9(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-9(7)"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-10"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-10(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-10(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-10(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-10(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-10(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-10(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-10(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-10(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-11"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-11(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-11(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-12"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-12(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-12(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-12(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-12(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-12(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-12(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-12(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-12(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-13",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-13"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-13(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-13(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-13(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-13(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-13(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-13(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-14",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-14"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-14(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-14(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-14(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-14(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-16",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-16"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-16(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-16(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-16(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-16(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_AU-16(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_AU-16(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_CA-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CA-1"
      },
      {
        "name": "NIST_SP_800-53_R5_CA-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CA-2"
      },
      {
        "name": "NIST_SP_800-53_R5_CA-2(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CA-2(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_CA-2(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CA-2(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_CA-2(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CA-2(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_CA-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CA-3"
      },
      {
        "name": "NIST_SP_800-53_R5_CA-3(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CA-3(6)"
      },
      {
        "name": "NIST_SP_800-53_R5_CA-3(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CA-3(7)"
      },
      {
        "name": "NIST_SP_800-53_R5_CA-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CA-5"
      },
      {
        "name": "NIST_SP_800-53_R5_CA-5(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CA-5(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_CA-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CA-6"
      },
      {
        "name": "NIST_SP_800-53_R5_CA-6(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CA-6(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_CA-6(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CA-6(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_CA-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CA-7"
      },
      {
        "name": "NIST_SP_800-53_R5_CA-7(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CA-7(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_CA-7(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CA-7(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_CA-7(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CA-7(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_CA-7(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CA-7(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_CA-7(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CA-7(6)"
      },
      {
        "name": "NIST_SP_800-53_R5_CA-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CA-8"
      },
      {
        "name": "NIST_SP_800-53_R5_CA-8(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CA-8(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_CA-8(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CA-8(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_CA-8(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CA-8(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_CA-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CA-9"
      },
      {
        "name": "NIST_SP_800-53_R5_CA-9(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CA-9(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-1"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-2"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-2(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-2(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-2(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-2(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-2(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-2(6)"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-2(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-2(7)"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-3"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-3(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-3(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-3(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-3(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-3(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-3(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-3(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-3(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-3(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-3(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-3(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-3(6)"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-3(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-3(7)"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-3(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-3(8)"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-4"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-4(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-4(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-4(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-4(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-5"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-5(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-5(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-5(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-5(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-5(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-5(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-5(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-5(6)"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-6"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-6(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-6(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-6(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-6(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-7"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-7(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-7(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-7(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-7(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-7(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-7(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-7(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-7(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-7(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-7(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-7(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-7(6)"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-7(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-7(7)"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-7(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-7(8)"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-7(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-7(9)"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-8"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-8(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-8(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-8(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-8(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-8(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-8(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-8(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-8(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-8(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-8(6)"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-8(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-8(7)"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-8(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-8(8)"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-8(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-8(9)"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-9"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-9(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-9(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-10"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-10(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-10(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-11"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-11(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-11(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-11(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-11(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-12"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-12(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-12(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-13",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-13"
      },
      {
        "name": "NIST_SP_800-53_R5_CM-14",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CM-14"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-1"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-2"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-2(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-2(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-2(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-2(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-2(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-2(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-2(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-2(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-2(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-2(6)"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-2(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-2(7)"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-2(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-2(8)"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-3"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-3(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-3(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-3(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-3(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-4"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-4(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-4(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-4(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-4(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-4(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-4(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-4(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-4(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-4(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-4(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-6"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-6(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-6(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-6(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-6(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-6(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-6(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-7"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-7(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-7(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-7(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-7(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-7(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-7(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-7(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-7(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-7(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-7(6)"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-8"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-8(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-8(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-8(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-8(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-8(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-8(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-8(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-8(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-8(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-8(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-9"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-9(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-9(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-9(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-9(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-9(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-9(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-9(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-9(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-9(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-9(6)"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-9(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-9(7)"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-9(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-9(8)"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-10"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-10(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-10(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-10(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-10(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-10(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-10(6)"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-11"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-12"
      },
      {
        "name": "NIST_SP_800-53_R5_CP-13",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_CP-13"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-1"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-2"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-2(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-2(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-2(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-2(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-2(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-2(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-2(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-2(6)"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-2(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-2(8)"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-2(10)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-2(10)"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-2(12)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-2(12)"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-2(13)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-2(13)"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-3"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-3(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-3(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-3(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-3(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-3(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-3(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-4"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-4(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-4(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-4(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-4(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-4(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-4(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-4(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-4(6)"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-4(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-4(8)"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-4(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-4(9)"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-5"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-5(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-5(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-5(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-5(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-5(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-5(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-5(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-5(6)"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-5(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-5(7)"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-5(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-5(8)"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-5(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-5(9)"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-5(10)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-5(10)"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-5(12)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-5(12)"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-5(13)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-5(13)"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-5(14)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-5(14)"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-5(15)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-5(15)"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-5(16)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-5(16)"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-5(17)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-5(17)"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-5(18)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-5(18)"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-6"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-7"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-8"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-8(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-8(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-8(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-8(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-8(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-8(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-8(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-8(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-8(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-8(6)"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-9"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-10"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-11"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-12"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-12(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-12(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-12(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-12(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-12(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-12(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-12(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-12(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-12(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-12(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_IA-12(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IA-12(6)"
      },
      {
        "name": "NIST_SP_800-53_R5_IR-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IR-1"
      },
      {
        "name": "NIST_SP_800-53_R5_IR-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IR-2"
      },
      {
        "name": "NIST_SP_800-53_R5_IR-2(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IR-2(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_IR-2(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IR-2(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_IR-2(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IR-2(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_IR-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IR-3"
      },
      {
        "name": "NIST_SP_800-53_R5_IR-3(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IR-3(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_IR-3(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IR-3(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_IR-3(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IR-3(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_IR-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IR-4"
      },
      {
        "name": "NIST_SP_800-53_R5_IR-4(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IR-4(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_IR-4(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IR-4(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_IR-4(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IR-4(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_IR-4(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IR-4(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_IR-4(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IR-4(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_IR-4(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IR-4(6)"
      },
      {
        "name": "NIST_SP_800-53_R5_IR-4(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IR-4(7)"
      },
      {
        "name": "NIST_SP_800-53_R5_IR-4(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IR-4(8)"
      },
      {
        "name": "NIST_SP_800-53_R5_IR-4(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IR-4(9)"
      },
      {
        "name": "NIST_SP_800-53_R5_IR-4(10)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IR-4(10)"
      },
      {
        "name": "NIST_SP_800-53_R5_IR-4(11)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IR-4(11)"
      },
      {
        "name": "NIST_SP_800-53_R5_IR-4(12)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IR-4(12)"
      },
      {
        "name": "NIST_SP_800-53_R5_IR-4(13)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IR-4(13)"
      },
      {
        "name": "NIST_SP_800-53_R5_IR-4(14)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IR-4(14)"
      },
      {
        "name": "NIST_SP_800-53_R5_IR-4(15)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IR-4(15)"
      },
      {
        "name": "NIST_SP_800-53_R5_IR-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IR-5"
      },
      {
        "name": "NIST_SP_800-53_R5_IR-5(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IR-5(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_IR-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IR-6"
      },
      {
        "name": "NIST_SP_800-53_R5_IR-6(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IR-6(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_IR-6(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IR-6(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_IR-6(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IR-6(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_IR-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IR-7"
      },
      {
        "name": "NIST_SP_800-53_R5_IR-7(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IR-7(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_IR-7(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IR-7(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_IR-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IR-8"
      },
      {
        "name": "NIST_SP_800-53_R5_IR-8(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IR-8(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_IR-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IR-9"
      },
      {
        "name": "NIST_SP_800-53_R5_IR-9(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IR-9(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_IR-9(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IR-9(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_IR-9(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_IR-9(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_MA-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MA-1"
      },
      {
        "name": "NIST_SP_800-53_R5_MA-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MA-2"
      },
      {
        "name": "NIST_SP_800-53_R5_MA-2(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MA-2(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_MA-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MA-3"
      },
      {
        "name": "NIST_SP_800-53_R5_MA-3(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MA-3(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_MA-3(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MA-3(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_MA-3(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MA-3(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_MA-3(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MA-3(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_MA-3(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MA-3(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_MA-3(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MA-3(6)"
      },
      {
        "name": "NIST_SP_800-53_R5_MA-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MA-4"
      },
      {
        "name": "NIST_SP_800-53_R5_MA-4(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MA-4(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_MA-4(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MA-4(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_MA-4(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MA-4(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_MA-4(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MA-4(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_MA-4(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MA-4(6)"
      },
      {
        "name": "NIST_SP_800-53_R5_MA-4(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MA-4(7)"
      },
      {
        "name": "NIST_SP_800-53_R5_MA-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MA-5"
      },
      {
        "name": "NIST_SP_800-53_R5_MA-5(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MA-5(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_MA-5(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MA-5(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_MA-5(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MA-5(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_MA-5(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MA-5(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_MA-5(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MA-5(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_MA-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MA-6"
      },
      {
        "name": "NIST_SP_800-53_R5_MA-6(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MA-6(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_MA-6(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MA-6(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_MA-6(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MA-6(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_MA-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MA-7"
      },
      {
        "name": "NIST_SP_800-53_R5_MP-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MP-1"
      },
      {
        "name": "NIST_SP_800-53_R5_MP-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MP-2"
      },
      {
        "name": "NIST_SP_800-53_R5_MP-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MP-3"
      },
      {
        "name": "NIST_SP_800-53_R5_MP-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MP-4"
      },
      {
        "name": "NIST_SP_800-53_R5_MP-4(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MP-4(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_MP-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MP-5"
      },
      {
        "name": "NIST_SP_800-53_R5_MP-5(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MP-5(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_MP-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MP-6"
      },
      {
        "name": "NIST_SP_800-53_R5_MP-6(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MP-6(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_MP-6(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MP-6(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_MP-6(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MP-6(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_MP-6(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MP-6(7)"
      },
      {
        "name": "NIST_SP_800-53_R5_MP-6(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MP-6(8)"
      },
      {
        "name": "NIST_SP_800-53_R5_MP-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MP-7"
      },
      {
        "name": "NIST_SP_800-53_R5_MP-7(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MP-7(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_MP-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MP-8"
      },
      {
        "name": "NIST_SP_800-53_R5_MP-8(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MP-8(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_MP-8(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MP-8(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_MP-8(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MP-8(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_MP-8(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_MP-8(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-1"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-2"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-2(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-2(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-2(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-2(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-2(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-2(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-3"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-3(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-3(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-3(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-3(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-3(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-3(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-3(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-3(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-3(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-3(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-3(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-3(7)"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-3(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-3(8)"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-4"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-5"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-5(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-5(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-6"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-6(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-6(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-6(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-6(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-6(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-6(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-6(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-6(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-8"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-8(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-8(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-8(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-8(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-9"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-9(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-9(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-9(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-9(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-10"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-11"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-11(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-11(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-11(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-11(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-12"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-12(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-12(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-13",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-13"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-13(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-13(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-13(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-13(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-13(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-13(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-14",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-14"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-14(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-14(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-14(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-14(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-15",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-15"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-15(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-15(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-16",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-16"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-17",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-17"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-18",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-18"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-19",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-19"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-19(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-19(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-20",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-20"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-21",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-21"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-22",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-22"
      },
      {
        "name": "NIST_SP_800-53_R5_PE-23",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PE-23"
      },
      {
        "name": "NIST_SP_800-53_R5_PL-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PL-1"
      },
      {
        "name": "NIST_SP_800-53_R5_PL-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PL-2"
      },
      {
        "name": "NIST_SP_800-53_R5_PL-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PL-4"
      },
      {
        "name": "NIST_SP_800-53_R5_PL-4(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PL-4(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_PL-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PL-7"
      },
      {
        "name": "NIST_SP_800-53_R5_PL-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PL-8"
      },
      {
        "name": "NIST_SP_800-53_R5_PL-8(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PL-8(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_PL-8(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PL-8(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_PL-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PL-9"
      },
      {
        "name": "NIST_SP_800-53_R5_PL-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PL-10"
      },
      {
        "name": "NIST_SP_800-53_R5_PL-11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PL-11"
      },
      {
        "name": "NIST_SP_800-53_R5_PS-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PS-1"
      },
      {
        "name": "NIST_SP_800-53_R5_PS-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PS-2"
      },
      {
        "name": "NIST_SP_800-53_R5_PS-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PS-3"
      },
      {
        "name": "NIST_SP_800-53_R5_PS-3(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PS-3(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_PS-3(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PS-3(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_PS-3(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PS-3(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_PS-3(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PS-3(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_PS-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PS-4"
      },
      {
        "name": "NIST_SP_800-53_R5_PS-4(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PS-4(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_PS-4(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PS-4(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_PS-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PS-5"
      },
      {
        "name": "NIST_SP_800-53_R5_PS-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PS-6"
      },
      {
        "name": "NIST_SP_800-53_R5_PS-6(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PS-6(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_PS-6(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PS-6(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_PS-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PS-7"
      },
      {
        "name": "NIST_SP_800-53_R5_PS-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PS-8"
      },
      {
        "name": "NIST_SP_800-53_R5_PS-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PS-9"
      },
      {
        "name": "NIST_SP_800-53_R5_PT-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PT-1"
      },
      {
        "name": "NIST_SP_800-53_R5_PT-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PT-2"
      },
      {
        "name": "NIST_SP_800-53_R5_PT-2(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PT-2(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_PT-2(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PT-2(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_PT-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PT-3"
      },
      {
        "name": "NIST_SP_800-53_R5_PT-3(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PT-3(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_PT-3(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PT-3(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_PT-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PT-4"
      },
      {
        "name": "NIST_SP_800-53_R5_PT-4(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PT-4(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_PT-4(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PT-4(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_PT-4(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PT-4(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_PT-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PT-5"
      },
      {
        "name": "NIST_SP_800-53_R5_PT-5(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PT-5(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_PT-5(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PT-5(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_PT-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PT-6"
      },
      {
        "name": "NIST_SP_800-53_R5_PT-6(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PT-6(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_PT-6(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PT-6(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_PT-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PT-7"
      },
      {
        "name": "NIST_SP_800-53_R5_PT-7(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PT-7(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_PT-7(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PT-7(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_PT-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_PT-8"
      },
      {
        "name": "NIST_SP_800-53_R5_RA-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_RA-1"
      },
      {
        "name": "NIST_SP_800-53_R5_RA-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_RA-2"
      },
      {
        "name": "NIST_SP_800-53_R5_RA-2(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_RA-2(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_RA-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_RA-3"
      },
      {
        "name": "NIST_SP_800-53_R5_RA-3(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_RA-3(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_RA-3(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_RA-3(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_RA-3(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_RA-3(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_RA-3(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_RA-3(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_RA-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_RA-5"
      },
      {
        "name": "NIST_SP_800-53_R5_RA-5(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_RA-5(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_RA-5(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_RA-5(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_RA-5(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_RA-5(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_RA-5(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_RA-5(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_RA-5(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_RA-5(6)"
      },
      {
        "name": "NIST_SP_800-53_R5_RA-5(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_RA-5(8)"
      },
      {
        "name": "NIST_SP_800-53_R5_RA-5(10)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_RA-5(10)"
      },
      {
        "name": "NIST_SP_800-53_R5_RA-5(11)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_RA-5(11)"
      },
      {
        "name": "NIST_SP_800-53_R5_RA-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_RA-6"
      },
      {
        "name": "NIST_SP_800-53_R5_RA-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_RA-7"
      },
      {
        "name": "NIST_SP_800-53_R5_RA-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_RA-8"
      },
      {
        "name": "NIST_SP_800-53_R5_RA-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_RA-9"
      },
      {
        "name": "NIST_SP_800-53_R5_RA-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_RA-10"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-1"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-2"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-3"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-3(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-3(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-3(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-3(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-3(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-3(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-4"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-4(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-4(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-4(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-4(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-4(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-4(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-4(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-4(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-4(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-4(6)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-4(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-4(7)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-4(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-4(8)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-4(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-4(9)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-4(10)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-4(10)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-4(11)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-4(11)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-4(12)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-4(12)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-5"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-8"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-8(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-8(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-8(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-8(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-8(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-8(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-8(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-8(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-8(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-8(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-8(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-8(6)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-8(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-8(7)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-8(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-8(8)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-8(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-8(9)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-8(10)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-8(10)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-8(11)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-8(11)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-8(12)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-8(12)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-8(13)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-8(13)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-8(14)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-8(14)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-8(15)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-8(15)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-8(16)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-8(16)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-8(17)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-8(17)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-8(18)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-8(18)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-8(19)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-8(19)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-8(20)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-8(20)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-8(21)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-8(21)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-8(22)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-8(22)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-8(23)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-8(23)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-8(24)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-8(24)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-8(25)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-8(25)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-8(26)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-8(26)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-8(27)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-8(27)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-8(28)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-8(28)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-8(29)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-8(29)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-8(30)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-8(30)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-8(31)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-8(31)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-8(32)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-8(32)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-8(33)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-8(33)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-9"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-9(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-9(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-9(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-9(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-9(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-9(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-9(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-9(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-9(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-9(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-9(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-9(6)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-9(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-9(7)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-9(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-9(8)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-10"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-10(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-10(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-10(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-10(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-10(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-10(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-10(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-10(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-10(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-10(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-10(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-10(6)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-10(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-10(7)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-11"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-11(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-11(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-11(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-11(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-11(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-11(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-11(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-11(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-11(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-11(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-11(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-11(6)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-11(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-11(7)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-11(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-11(8)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-11(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-11(9)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-15",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-15"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-15(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-15(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-15(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-15(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-15(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-15(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-15(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-15(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-15(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-15(6)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-15(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-15(7)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-15(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-15(8)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-15(10)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-15(10)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-15(11)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-15(11)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-15(12)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-15(12)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-16",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-16"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-17",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-17"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-17(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-17(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-17(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-17(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-17(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-17(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-17(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-17(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-17(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-17(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-17(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-17(6)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-17(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-17(7)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-17(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-17(8)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-17(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-17(9)"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-20",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-20"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-21",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-21"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-22",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-22"
      },
      {
        "name": "NIST_SP_800-53_R5_SA-23",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SA-23"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-1"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-2"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-2(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-2(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-2(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-2(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-3"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-3(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-3(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-3(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-3(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-3(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-3(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-3(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-3(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-3(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-3(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-4"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-4(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-4(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-5"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-5(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-5(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-5(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-5(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-5(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-5(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-6"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-7"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-7(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-7(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-7(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-7(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-7(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-7(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-7(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-7(7)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-7(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-7(8)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-7(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-7(9)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-7(10)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-7(10)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-7(11)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-7(11)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-7(12)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-7(12)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-7(13)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-7(13)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-7(14)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-7(14)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-7(15)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-7(15)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-7(16)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-7(16)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-7(17)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-7(17)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-7(18)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-7(18)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-7(19)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-7(19)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-7(20)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-7(20)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-7(21)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-7(21)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-7(22)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-7(22)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-7(23)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-7(23)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-7(24)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-7(24)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-7(25)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-7(25)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-7(26)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-7(26)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-7(27)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-7(27)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-7(28)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-7(28)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-7(29)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-7(29)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-8"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-8(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-8(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-8(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-8(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-8(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-8(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-8(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-8(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-8(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-8(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-10"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-11"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-11(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-11(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-12"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-12(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-12(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-12(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-12(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-12(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-12(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-12(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-12(6)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-13",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-13"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-15",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-15"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-15(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-15(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-15(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-15(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-15(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-15(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-16",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-16"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-16(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-16(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-16(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-16(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-16(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-16(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-17",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-17"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-18",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-18"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-18(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-18(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-18(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-18(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-18(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-18(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-18(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-18(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-18(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-18(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-20",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-20"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-20(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-20(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-21",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-21"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-22",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-22"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-23",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-23"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-23(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-23(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-23(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-23(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-23(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-23(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-24",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-24"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-25",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-25"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-26",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-26"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-27",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-27"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-28",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-28"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-28(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-28(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-28(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-28(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-28(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-28(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-29",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-29"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-29(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-29(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-30",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-30"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-30(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-30(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-30(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-30(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-30(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-30(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-30(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-30(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-31",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-31"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-31(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-31(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-31(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-31(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-31(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-31(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-32",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-32"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-32(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-32(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-34",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-34"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-34(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-34(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-34(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-34(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-35",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-35"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-36",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-36"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-36(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-36(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-36(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-36(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-37",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-37"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-37(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-37(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-38",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-38"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-39",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-39"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-39(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-39(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-39(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-39(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-40",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-40"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-40(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-40(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-40(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-40(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-40(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-40(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-40(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-40(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-41",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-41"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-42",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-42"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-42(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-42(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-42(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-42(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-42(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-42(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-42(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-42(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-43",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-43"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-44",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-44"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-45",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-45"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-45(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-45(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-45(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-45(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-46",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-46"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-47",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-47"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-48",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-48"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-48(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-48(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-49",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-49"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-50",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-50"
      },
      {
        "name": "NIST_SP_800-53_R5_SC-51",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SC-51"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-1"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-2"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-2(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-2(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-2(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-2(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-2(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-2(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-2(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-2(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-2(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-2(6)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-3"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-3(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-3(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-3(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-3(6)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-3(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-3(8)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-3(10)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-3(10)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-4"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-4(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-4(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-4(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-4(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-4(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-4(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-4(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-4(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-4(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-4(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-4(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-4(7)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-4(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-4(9)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-4(10)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-4(10)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-4(11)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-4(11)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-4(12)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-4(12)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-4(13)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-4(13)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-4(14)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-4(14)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-4(15)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-4(15)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-4(16)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-4(16)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-4(17)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-4(17)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-4(18)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-4(18)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-4(19)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-4(19)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-4(20)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-4(20)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-4(21)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-4(21)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-4(22)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-4(22)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-4(23)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-4(23)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-4(24)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-4(24)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-4(25)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-4(25)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-5"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-5(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-5(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-6"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-6(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-6(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-6(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-6(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-7"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-7(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-7(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-7(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-7(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-7(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-7(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-7(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-7(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-7(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-7(6)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-7(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-7(7)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-7(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-7(8)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-7(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-7(9)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-7(10)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-7(10)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-7(12)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-7(12)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-7(15)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-7(15)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-7(16)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-7(16)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-7(17)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-7(17)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-8"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-8(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-8(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-8(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-8(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-10"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-10(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-10(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-10(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-10(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-10(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-10(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-10(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-10(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-10(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-10(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-10(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-10(6)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-11"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-12"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-12(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-12(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-12(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-12(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-12(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-12(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-13",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-13"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-13(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-13(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-13(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-13(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-13(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-13(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-13(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-13(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-14",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-14"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-14(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-14(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-14(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-14(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-14(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-14(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-15",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-15"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-16",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-16"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-17",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-17"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-18",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-18"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-18(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-18(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-18(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-18(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-18(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-18(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-18(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-18(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-18(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-18(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-19",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-19"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-19(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-19(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-19(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-19(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-19(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-19(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-19(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-19(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-19(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-19(5)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-19(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-19(6)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-19(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-19(7)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-19(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-19(8)"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-20",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-20"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-21",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-21"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-22",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-22"
      },
      {
        "name": "NIST_SP_800-53_R5_SI-23",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SI-23"
      },
      {
        "name": "NIST_SP_800-53_R5_SR-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SR-1"
      },
      {
        "name": "NIST_SP_800-53_R5_SR-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SR-2"
      },
      {
        "name": "NIST_SP_800-53_R5_SR-2(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SR-2(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SR-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SR-3"
      },
      {
        "name": "NIST_SP_800-53_R5_SR-3(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SR-3(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SR-3(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SR-3(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_SR-3(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SR-3(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_SR-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SR-4"
      },
      {
        "name": "NIST_SP_800-53_R5_SR-4(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SR-4(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SR-4(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SR-4(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_SR-4(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SR-4(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_SR-4(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SR-4(4)"
      },
      {
        "name": "NIST_SP_800-53_R5_SR-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SR-5"
      },
      {
        "name": "NIST_SP_800-53_R5_SR-5(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SR-5(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SR-5(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SR-5(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_SR-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SR-6"
      },
      {
        "name": "NIST_SP_800-53_R5_SR-6(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SR-6(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SR-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SR-7"
      },
      {
        "name": "NIST_SP_800-53_R5_SR-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SR-8"
      },
      {
        "name": "NIST_SP_800-53_R5_SR-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SR-9"
      },
      {
        "name": "NIST_SP_800-53_R5_SR-9(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SR-9(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SR-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SR-10"
      },
      {
        "name": "NIST_SP_800-53_R5_SR-11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SR-11"
      },
      {
        "name": "NIST_SP_800-53_R5_SR-11(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SR-11(1)"
      },
      {
        "name": "NIST_SP_800-53_R5_SR-11(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SR-11(2)"
      },
      {
        "name": "NIST_SP_800-53_R5_SR-11(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SR-11(3)"
      },
      {
        "name": "NIST_SP_800-53_R5_SR-12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R5_SR-12"
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "179d1daa-458f-4e47-8086-2a68d0d6c38f"
}
BuiltIn Regulatory Compliance False True n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "[Preview]: SWIFT CSP-CSCF v2020",
    "policyType": "BuiltIn",
    "description": "This initiative includes audit and virtual machine extension deployment policies that address a subset of SWIFT CSP-CSCF v2020 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/swift-blueprint.",
    "metadata": {
      "version": "3.0.1-preview",
      "category": "Regulatory Compliance",
      "preview": true
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers for Guest Configuration policies",
          "description": "Optionally choose to audit settings inside Arc connected servers using Guest Configuration policies. By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "listOfResourceTypesWithDiagnosticLogsEnabled": {
        "type": "Array",
        "metadata": {
          "displayName": "List of resource types that should have resource logs enabled"
        },
        "allowedValues": [
          "Microsoft.AnalysisServices/servers",
          "Microsoft.ApiManagement/service",
          "Microsoft.Network/applicationGateways",
          "Microsoft.Automation/automationAccounts",
          "Microsoft.ContainerInstance/containerGroups",
          "Microsoft.ContainerRegistry/registries",
          "Microsoft.ContainerService/managedClusters",
          "Microsoft.Batch/batchAccounts",
          "Microsoft.Cdn/profiles/endpoints",
          "Microsoft.CognitiveServices/accounts",
          "Microsoft.DocumentDB/databaseAccounts",
          "Microsoft.DataFactory/factories",
          "Microsoft.DataLakeAnalytics/accounts",
          "Microsoft.DataLakeStore/accounts",
          "Microsoft.EventGrid/eventSubscriptions",
          "Microsoft.EventGrid/topics",
          "Microsoft.EventHub/namespaces",
          "Microsoft.Network/expressRouteCircuits",
          "Microsoft.Network/azureFirewalls",
          "Microsoft.HDInsight/clusters",
          "Microsoft.Devices/IotHubs",
          "Microsoft.KeyVault/vaults",
          "Microsoft.Network/loadBalancers",
          "Microsoft.Logic/integrationAccounts",
          "Microsoft.Logic/workflows",
          "Microsoft.DBforMySQL/servers",
          "Microsoft.Network/networkInterfaces",
          "Microsoft.Network/networkSecurityGroups",
          "Microsoft.DBforPostgreSQL/servers",
          "Microsoft.PowerBIDedicated/capacities",
          "Microsoft.Network/publicIPAddresses",
          "Microsoft.RecoveryServices/vaults",
          "Microsoft.Cache/redis",
          "Microsoft.Relay/namespaces",
          "Microsoft.Search/searchServices",
          "Microsoft.ServiceBus/namespaces",
          "Microsoft.SignalRService/SignalR",
          "Microsoft.Sql/servers/databases",
          "Microsoft.Sql/servers/elasticPools",
          "Microsoft.StreamAnalytics/streamingjobs",
          "Microsoft.TimeSeriesInsights/environments",
          "Microsoft.Network/trafficManagerProfiles",
          "Microsoft.Compute/virtualMachines",
          "Microsoft.Compute/virtualMachineScaleSets",
          "Microsoft.Network/virtualNetworks",
          "Microsoft.Network/virtualNetworkGateways"
        ],
        "defaultValue": [
          "Microsoft.AnalysisServices/servers",
          "Microsoft.ApiManagement/service",
          "Microsoft.Network/applicationGateways",
          "Microsoft.Automation/automationAccounts",
          "Microsoft.ContainerInstance/containerGroups",
          "Microsoft.ContainerRegistry/registries",
          "Microsoft.ContainerService/managedClusters",
          "Microsoft.Batch/batchAccounts",
          "Microsoft.Cdn/profiles/endpoints",
          "Microsoft.CognitiveServices/accounts",
          "Microsoft.DocumentDB/databaseAccounts",
          "Microsoft.DataFactory/factories",
          "Microsoft.DataLakeAnalytics/accounts",
          "Microsoft.DataLakeStore/accounts",
          "Microsoft.EventGrid/eventSubscriptions",
          "Microsoft.EventGrid/topics",
          "Microsoft.EventHub/namespaces",
          "Microsoft.Network/expressRouteCircuits",
          "Microsoft.Network/azureFirewalls",
          "Microsoft.HDInsight/clusters",
          "Microsoft.Devices/IotHubs",
          "Microsoft.KeyVault/vaults",
          "Microsoft.Network/loadBalancers",
          "Microsoft.Logic/integrationAccounts",
          "Microsoft.Logic/workflows",
          "Microsoft.DBforMySQL/servers",
          "Microsoft.Network/networkInterfaces",
          "Microsoft.Network/networkSecurityGroups",
          "Microsoft.DBforPostgreSQL/servers",
          "Microsoft.PowerBIDedicated/capacities",
          "Microsoft.Network/publicIPAddresses",
          "Microsoft.RecoveryServices/vaults",
          "Microsoft.Cache/redis",
          "Microsoft.Relay/namespaces",
          "Microsoft.Search/searchServices",
          "Microsoft.ServiceBus/namespaces",
          "Microsoft.SignalRService/SignalR",
          "Microsoft.Sql/servers/databases",
          "Microsoft.Sql/servers/elasticPools",
          "Microsoft.StreamAnalytics/streamingjobs",
          "Microsoft.TimeSeriesInsights/environments",
          "Microsoft.Network/trafficManagerProfiles",
          "Microsoft.Compute/virtualMachines",
          "Microsoft.Compute/virtualMachineScaleSets",
          "Microsoft.Network/virtualNetworks",
          "Microsoft.Network/virtualNetworkGateways"
        ]
      },
      "workspaceIDsLogAnalyticsAgentShouldConnectTo": {
        "type": "String",
        "metadata": {
          "displayName": "Connected workspace IDs",
          "description": "A semicolon-separated list of the workspace IDs that the Log Analytics agent should be connected to"
        }
      },
      "listOfMembersToIncludeInWindowsVMAdministratorsGroup": {
        "type": "String",
        "metadata": {
          "displayName": "Members to include",
          "description": "A semicolon-separated list of members that should be included in the Administrators local group. Ex: Administrator; myUser1; myUser2"
        }
      },
      "domainNameFQDN": {
        "type": "String",
        "metadata": {
          "displayName": "Domain Name (FQDN)",
          "description": "The fully qualified domain name (FQDN) that the Windows VMs should be joined to"
        }
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "MfaShouldBeEnabledOnAccountsWithOwnerPermissionsOnYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "MfaShouldBeEnabledOnAccountsWithReadPermissionsOnYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "MfaShouldBeEnabledAccountsWithWritePermissionsOnYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "SystemUpdatesOnVirtualMachineScaleSetsShouldBeInstalled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "DeprecatedAccountsShouldBeRemovedFromYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "DeprecatedAccountsWithOwnerPermissionsShouldBeRemovedFromYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "ExternalAccountsWithOwnerPermissionsShouldBeRemovedFromYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "ExternalAccountsWithReadPermissionsShouldBeRemovedFromYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "ExternalAccountsWithWritePermissionsShouldBeRemovedFromYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "FunctionAppShouldOnlyBeAccessibleOverHttps",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "WebApplicationShouldOnlyBeAccessibleOverHttps",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "ApiAppShouldOnlyBeAccessibleOverHttps",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "AMaximumOf3OwnersShouldBeDesignatedForYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "ThereShouldBeMoreThanOneOwnerAssignedToYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "VulnerabilitiesInSecurityConfigurationOnYourVirtualMachineScaleSetsShouldBeRemediated",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "RemoteDebuggingShouldBeTurnedOffForFunctionApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "RemoteDebuggingShouldBeTurnedOffForWebApplication",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "RemoteDebuggingShouldBeTurnedOffForApiApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "DDoSProtectionStandardShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_AddSystemIdentityWhenNone",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_AddSystemIdentityWhenUser",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_DeployExtensionWindows",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_DeployExtensionLinux",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditLinuxVMsThatAllowRemoteConnectionsFromAccountsWithoutPasswords",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ea53dbee-c6c9-4f0e-9f9e-de0039b78023",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditLinuxVMsThatHaveAccountsWithoutPasswords",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f6ec09a3-78bf-4f8f-99dc-6c77182d0f99",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditLinuxVMsThatDoNotHaveThePasswdFilePermissionsSetTo0644",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e6955644-301c-44b5-a4c4-528577de6861",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditWindowsVMsThatAllowReUseOfThePrevious24Passwords",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b054a0d-39e2-4d53-bea3-9734cad2c69b",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditWindowsVMsThatDoNotHaveAMaximumPasswordAgeOf70Days",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ceb8dc2-559c-478b-a15b-733fbf1e3738",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditWindowsVMsThatDoNotHaveAMinimumPasswordAgeOf1Day",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/237b38db-ca4d-4259-9e47-7882441ca2c0",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditWindowsVMsThatDoNotHaveThePasswordComplexitySettingEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bf16e0bb-31e1-4646-8202-60a235cc7e74",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditWindowsVMsThatDoNotRestrictTheMinimumPasswordLengthTo14Characters",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a2d0e922-65d0-40c4-8f87-ea6da2d307a2",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditWindowsVMsThatDoNotStorePasswordsUsingReversibleEncryption",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/da0f98fe-a24b-4ad5-af69-bd0400233661",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "EndpointProtectionSolutionShouldBeInstalledOnVirtualMachineScaleSets",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "MonitorMissingEndpointProtectionInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "SystemUpdatesShouldBeInstalledOnYourMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "VulnerabilitiesInSecurityConfigurationOnYourMachinesShouldBeRemediated",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "AdaptiveApplicationControlsShouldBeEnabledOnVirtualMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "JustInTimeNetworkAccessControlShouldBeAppliedOnVirtualMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "VulnerabilitiesOnYourSqlDatabasesShouldBeRemediated",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "AccessThroughInternetFacingEndpointShouldBeRestricted",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "OnlySecureConnectionsToYourRedisCacheShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "AnAzureActiveDirectoryAdministratorShouldBeProvisionedForSqlServers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "SecureTransferToStorageAccountsShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "AdvancedDataSecurityShouldBeEnabledOnYourSqlServers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "AuditWindowsWebServersThatAreNotUsingSecureCommunicationProtocols",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "TransparentDataEncryptionOnSqlDatabasesShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "AuditUnrestrictedNetworkAccessToStorageAccounts",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "ServiceFabricClustersShouldOnlyUseAzureActiveDirectoryForClientAuthentication",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "AuditUsageOfCustomRbacRules",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "AuditVMsThatDoNotUseManagedDisks",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "VirtualMachineShouldBeMigratedToNewAzureResourceManagerResources",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "AutomationAccountVariablesShouldBeEncrypted",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "StorageAccountsShouldBeMigratedToNewAzureResourceManagerResources",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "DiagnosticLogsInAzureStreamAnalyticsShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditWindowsVMsOnWhichTheLogAnalyticsAgentIsNotConnectedAsExpected",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6265018c-d7e2-432f-a75d-094d5f6f4465",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "WorkspaceId": {
            "value": "[parameters('workspaceIDsLogAnalyticsAgentShouldConnectTo')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "NetworkSecurityGroupRulesForInternetFacingVirtualMachinesShouldBeHardened",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditDependencyAgentDeploymentInVmssVmImageOsUnlisted",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e2dd799a-a932-4e9d-ac17-d473bc3c6c10",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "AuditSqlServerLevelAuditingSettings",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "AdministratorsGroupDoesNotContainAllOfTheSpecifiedMembers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "MembersToInclude": {
            "value": "[parameters('listOfMembersToIncludeInWindowsVMAdministratorsGroup')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AuditWindowsVMsThatAreNotJoinedToTheSpecifiedDomain",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/84662df4-0e37-44a6-9ce1-c9d2150db18c",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "DomainName": {
            "value": "[parameters('domainNameFQDN')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AuditDiagnosticSetting",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9",
        "parameters": {
          "listOfResourceTypes": {
            "value": "[parameters('listOfResourceTypesWithDiagnosticLogsEnabled')]"
          }
        }
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "3e0c67fc-8c7c-406c-89bd-6b6bdc986a22"
}
BuiltIn Regulatory Compliance False True n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "[Preview]: Windows machines should meet requirements for the Azure compute security baseline",
    "policyType": "BuiltIn",
    "description": "This initiative audits Windows machines with settings that do not meet the Azure compute security baseline. For details, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "2.0.1-preview",
      "category": "Guest Configuration",
      "preview": true
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "EnableInsecureGuestLogons": {
        "type": "String",
        "metadata": {
          "displayName": "Enable insecure guest logons",
          "description": "Specifies whether the SMB client will allow insecure guest logons to an SMB server."
        },
        "defaultValue": "0"
      },
      "AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain": {
        "type": "String",
        "metadata": {
          "displayName": "Allow simultaneous connections to the Internet or a Windows Domain",
          "description": "Specify whether to prevent computers from connecting to both a domain based network and a non-domain based network at the same time. A value of 0 allows simultaneous connections, and a value of 1 blocks them."
        },
        "defaultValue": "1"
      },
      "TurnOffMulticastNameResolution": {
        "type": "String",
        "metadata": {
          "displayName": "Turn off multicast name resolution",
          "description": "Specifies whether LLMNR, a secondary name resolution protocol that transmits using multicast over a local subnet link on a single subnet, is enabled."
        },
        "defaultValue": "1"
      },
      "AlwaysUseClassicLogon": {
        "type": "String",
        "metadata": {
          "displayName": "Always use classic logon",
          "description": "Specifies whether to force the user to log on to the computer using the classic logon screen. This setting only works when the computer is not on a domain."
        },
        "defaultValue": "0"
      },
      "BootStartDriverInitializationPolicy": {
        "type": "String",
        "metadata": {
          "displayName": "Boot-Start Driver Initialization Policy",
          "description": "Specifies which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver."
        },
        "defaultValue": "3"
      },
      "EnableWindowsNTPClient": {
        "type": "String",
        "metadata": {
          "displayName": "Enable Windows NTP Client",
          "description": "Specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers."
        },
        "defaultValue": "1"
      },
      "TurnOnConveniencePINSignin": {
        "type": "String",
        "metadata": {
          "displayName": "Turn on convenience PIN sign-in",
          "description": "Specifies whether a domain user can sign in using a convenience PIN."
        },
        "defaultValue": "0"
      },
      "AccountsGuestAccountStatus": {
        "type": "String",
        "metadata": {
          "displayName": "Accounts: Guest account status",
          "description": "Specifies whether the local Guest account is disabled."
        },
        "defaultValue": "0"
      },
      "AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits": {
        "type": "String",
        "metadata": {
          "displayName": "Audit: Shut down system immediately if unable to log security audits",
          "description": "Audits if the system will shut down when unable to log Security events."
        },
        "defaultValue": "0"
      },
      "DevicesAllowedToFormatAndEjectRemovableMedia": {
        "type": "String",
        "metadata": {
          "displayName": "Devices: Allowed to format and eject removable media",
          "description": "Specifies who is allowed to format and eject removable NTFS media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges."
        },
        "defaultValue": "0"
      },
      "MicrosoftNetworkClientDigitallySignCommunicationsAlways": {
        "type": "String",
        "metadata": {
          "displayName": "Microsoft network client: Digitally sign communications (always)",
          "description": "Specifies whether packet signing is required by the SMB client component."
        },
        "defaultValue": "1"
      },
      "MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers": {
        "type": "String",
        "metadata": {
          "displayName": "Microsoft network client: Send unencrypted password to third-party SMB servers",
          "description": "Specifies whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it."
        },
        "defaultValue": "0"
      },
      "MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession": {
        "type": "String",
        "metadata": {
          "displayName": "Microsoft network server: Amount of idle time required before suspending session",
          "description": "Specifies the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. The format of the value is two integers separated by a comma, denoting an inclusive range."
        },
        "defaultValue": "1,15"
      },
      "MicrosoftNetworkServerDigitallySignCommunicationsAlways": {
        "type": "String",
        "metadata": {
          "displayName": "Microsoft network server: Digitally sign communications (always)",
          "description": "Specifies whether packet signing is required by the SMB server component."
        },
        "defaultValue": "1"
      },
      "MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire": {
        "type": "String",
        "metadata": {
          "displayName": "Microsoft network server: Disconnect clients when logon hours expire",
          "description": "Specifies whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable 'Network security: Force logoff when logon hours expire'"
        },
        "defaultValue": "1"
      },
      "NetworkAccessRemotelyAccessibleRegistryPaths": {
        "type": "String",
        "metadata": {
          "displayName": "Network access: Remotely accessible registry paths",
          "description": "Specifies which registry paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the `winreg` registry key."
        },
        "defaultValue": "System\\CurrentControlSet\\Control\\ProductOptions|#|System\\CurrentControlSet\\Control\\Server Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"
      },
      "NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths": {
        "type": "String",
        "metadata": {
          "displayName": "Network access: Remotely accessible registry paths and sub-paths",
          "description": "Specifies which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the `winreg` registry key."
        },
        "defaultValue": "System\\CurrentControlSet\\Control\\Print\\Printers|#|System\\CurrentControlSet\\Services\\Eventlog|#|Software\\Microsoft\\OLAP Server|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|#|System\\CurrentControlSet\\Control\\ContentIndex|#|System\\CurrentControlSet\\Control\\Terminal Server|#|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|#|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"
      },
      "NetworkAccessSharesThatCanBeAccessedAnonymously": {
        "type": "String",
        "metadata": {
          "displayName": "Network access: Shares that can be accessed anonymously",
          "description": "Specifies which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server."
        },
        "defaultValue": "0"
      },
      "NetworkSecurityConfigureEncryptionTypesAllowedForKerberos": {
        "type": "String",
        "metadata": {
          "displayName": "Network Security: Configure encryption types allowed for Kerberos",
          "description": "Specifies the encryption types that Kerberos is allowed to use."
        },
        "defaultValue": "2147483644"
      },
      "NetworkSecurityLANManagerAuthenticationLevel": {
        "type": "String",
        "metadata": {
          "displayName": "Network security: LAN Manager authentication level",
          "description": "Specify which challenge-response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers."
        },
        "defaultValue": "5"
      },
      "NetworkSecurityLDAPClientSigningRequirements": {
        "type": "String",
        "metadata": {
          "displayName": "Network security: LDAP client signing requirements",
          "description": "Specify the level of data signing that is requested on behalf of clients that issue LDAP BIND requests."
        },
        "defaultValue": "1"
      },
      "NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients": {
        "type": "String",
        "metadata": {
          "displayName": "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients",
          "description": "Specifies which behaviors are allowed by clients for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. See https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers for more information."
        },
        "defaultValue": "537395200"
      },
      "NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers": {
        "type": "String",
        "metadata": {
          "displayName": "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers",
          "description": "Specifies which behaviors are allowed by servers for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services."
        },
        "defaultValue": "537395200"
      },
      "RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders": {
        "type": "String",
        "metadata": {
          "displayName": "Recovery console: Allow floppy copy and access to all drives and all folders",
          "description": "Specifies whether to make the Recovery Console SET command available, which allows setting of recovery console environment variables."
        },
        "defaultValue": "0"
      },
      "ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn": {
        "type": "String",
        "metadata": {
          "displayName": "Shutdown: Allow system to be shut down without having to log on",
          "description": "Specifies whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows logon screen."
        },
        "defaultValue": "0"
      },
      "ShutdownClearVirtualMemoryPagefile": {
        "type": "String",
        "metadata": {
          "displayName": "Shutdown: Clear virtual memory pagefile",
          "description": "Specifies whether the virtual memory pagefile is cleared when the system is shut down. When this policy setting is enabled, the system pagefile is cleared each time that the system shuts down properly. For systems with large amounts of RAM, this could result in substantial time needed to complete the shutdown."
        },
        "defaultValue": "0"
      },
      "SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies": {
        "type": "String",
        "metadata": {
          "displayName": "System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies",
          "description": "Specifies whether digital certificates are processed when software restriction policies are enabled and a user or process attempts to run software with an .exe file name extension. It enables or disables certificate rules (a type of software restriction policies rule). For certificate rules to take effect in software restriction policies, you must enable this policy setting."
        },
        "defaultValue": "1"
      },
      "UACAdminApprovalModeForTheBuiltinAdministratorAccount": {
        "type": "String",
        "metadata": {
          "displayName": "UAC: Admin Approval Mode for the Built-in Administrator account",
          "description": "Specifies the behavior of Admin Approval Mode for the built-in Administrator account."
        },
        "defaultValue": "1"
      },
      "UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode": {
        "type": "String",
        "metadata": {
          "displayName": "UAC: Behavior of the elevation prompt for administrators in Admin Approval Mode",
          "description": "Specifies the behavior of the elevation prompt for administrators."
        },
        "defaultValue": "2"
      },
      "UACDetectApplicationInstallationsAndPromptForElevation": {
        "type": "String",
        "metadata": {
          "displayName": "UAC: Detect application installations and prompt for elevation",
          "description": "Specifies the behavior of application installation detection for the computer."
        },
        "defaultValue": "1"
      },
      "UACRunAllAdministratorsInAdminApprovalMode": {
        "type": "String",
        "metadata": {
          "displayName": "UAC: Run all administrators in Admin Approval Mode",
          "description": "Specifies the behavior of all User Account Control (UAC) policy settings for the computer."
        },
        "defaultValue": "1"
      },
      "EnforcePasswordHistory": {
        "type": "String",
        "metadata": {
          "displayName": "Enforce password history",
          "description": "Specifies limits on password reuse - how many times a new password must be created for a user account before the password can be repeated."
        },
        "defaultValue": "24"
      },
      "MaximumPasswordAge": {
        "type": "String",
        "metadata": {
          "displayName": "Maximum password age",
          "description": "Specifies the maximum number of days that may elapse before a user account password must be changed. The format of the value is two integers separated by a comma, denoting an inclusive range."
        },
        "defaultValue": "1,70"
      },
      "MinimumPasswordAge": {
        "type": "String",
        "metadata": {
          "displayName": "Minimum password age",
          "description": "Specifies the minimum number of days that must elapse before a user account password can be changed."
        },
        "defaultValue": "1"
      },
      "MinimumPasswordLength": {
        "type": "String",
        "metadata": {
          "displayName": "Minimum password length",
          "description": "Specifies the minimum number of characters that a user account password may contain."
        },
        "defaultValue": "14"
      },
      "PasswordMustMeetComplexityRequirements": {
        "type": "String",
        "metadata": {
          "displayName": "Password must meet complexity requirements",
          "description": "Specifies whether a user account password must be complex. If required, a complex password must not contain part of  user's account name or full name; be at least 6 characters long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters."
        },
        "defaultValue": "1"
      },
      "AuditCredentialValidation": {
        "type": "String",
        "metadata": {
          "displayName": "Audit Credential Validation",
          "description": "Specifies whether audit events are generated when credentials are submitted for a user account logon request.  This setting is especially useful for monitoring unsuccessful attempts, to find brute-force attacks, account enumeration, and potential account compromise events on domain controllers."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "Success and Failure"
      },
      "AuditProcessTermination": {
        "type": "String",
        "metadata": {
          "displayName": "Audit Process Termination",
          "description": "Specifies whether audit events are generated when a process has exited. Recommended for monitoring termination of critical processes."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "No Auditing"
      },
      "AuditGroupMembership": {
        "type": "String",
        "metadata": {
          "displayName": "Audit Group Membership",
          "description": "Specifies whether audit events are generated when group memberships are enumerated on the client computer."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "Success"
      },
      "AuditDetailedFileShare": {
        "type": "String",
        "metadata": {
          "displayName": "Audit Detailed File Share",
          "description": "If this policy setting is enabled, access to all shared files and folders on the system is audited. Auditing for Success can lead to very high volumes of events."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "No Auditing"
      },
      "AuditFileShare": {
        "type": "String",
        "metadata": {
          "displayName": "Audit File Share",
          "description": "Specifies whether to audit events related to file shares: creation, deletion, modification, and access attempts. Also, it shows failed SMB SPN checks. Event volumes can be high on DCs and File Servers."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "No Auditing"
      },
      "AuditFileSystem": {
        "type": "String",
        "metadata": {
          "displayName": "Audit File System",
          "description": "Specifies whether audit events are generated when users attempt to access file system objects. Audit events are generated only for objects that have configured system access control lists (SACLs)."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "No Auditing"
      },
      "AuditAuthenticationPolicyChange": {
        "type": "String",
        "metadata": {
          "displayName": "Audit Authentication Policy Change",
          "description": "Specifies whether audit events are generated when changes are made to authentication policy. This setting is useful for tracking changes in domain-level and forest-level trust and privileges that are granted to user accounts or groups."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "Success"
      },
      "AuditAuthorizationPolicyChange": {
        "type": "String",
        "metadata": {
          "displayName": "Audit Authorization Policy Change",
          "description": "Specifies whether audit events are generated for assignment and removal of user rights in user right policies, changes in security token object permission, resource attributes changes and Central Access Policy changes for file system objects."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "No Auditing"
      },
      "AuditOtherSystemEvents": {
        "type": "String",
        "metadata": {
          "displayName": "Audit Other System Events",
          "description": "Specifies whether audit events are generated for Windows Firewall Service and Windows Firewall driver start and stop events, failure events for these services and Windows Firewall Service policy processing failures."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "No Auditing"
      },
      "UsersOrGroupsThatMayAccessThisComputerFromTheNetwork": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may access this computer from the network",
          "description": "Specifies which remote users on the network are permitted to connect to the computer. This does not include Remote Desktop Connection."
        },
        "defaultValue": "Administrators, Authenticated Users"
      },
      "UsersOrGroupsThatMayLogOnLocally": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may log on locally",
          "description": "Specifies which users or groups can interactively log on to the computer. Users who attempt to log on via Remote Desktop Connection or IIS also require this user right."
        },
        "defaultValue": "Administrators"
      },
      "UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may log on through Remote Desktop Services",
          "description": "Specifies which users or groups are permitted to log on as a Terminal Services client, Remote Desktop, or for Remote Assistance."
        },
        "defaultValue": "Administrators, Remote Desktop Users"
      },
      "UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that are denied access to this computer from the network",
          "description": "Specifies which users or groups are explicitly prohibited from connecting to the computer across the network."
        },
        "defaultValue": "Guests"
      },
      "UsersOrGroupsThatMayManageAuditingAndSecurityLog": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may manage auditing and security log",
          "description": "Specifies users and groups permitted to change the auditing options for files and directories and clear the Security log."
        },
        "defaultValue": "Administrators"
      },
      "UsersOrGroupsThatMayBackUpFilesAndDirectories": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may back up files and directories",
          "description": "Specifies users and groups allowed to circumvent file and directory permissions to back up the system."
        },
        "defaultValue": "Administrators, Backup Operators"
      },
      "UsersOrGroupsThatMayChangeTheSystemTime": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may change the system time",
          "description": "Specifies which users and groups are permitted to change the time and date on the internal clock of the computer."
        },
        "defaultValue": "Administrators, LOCAL SERVICE"
      },
      "UsersOrGroupsThatMayChangeTheTimeZone": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may change the time zone",
          "description": "Specifies which users and groups are permitted to change the time zone of the computer."
        },
        "defaultValue": "Administrators, LOCAL SERVICE"
      },
      "UsersOrGroupsThatMayCreateATokenObject": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may create a token object",
          "description": "Specifies which users and groups are permitted to create an access token, which may provide elevated rights to access sensitive data."
        },
        "defaultValue": "No One"
      },
      "UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that are denied logging on as a batch job",
          "description": "Specifies which users and groups are explicitly not permitted to log on to the computer as a batch job (i.e. scheduled task)."
        },
        "defaultValue": "Guests"
      },
      "UsersAndGroupsThatAreDeniedLoggingOnAsAService": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that are denied logging on as a service",
          "description": "Specifies which service accounts are explicitly not permitted to register a process as a service."
        },
        "defaultValue": "Guests"
      },
      "UsersAndGroupsThatAreDeniedLocalLogon": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that are denied local logon",
          "description": "Specifies which users and groups are explicitly not permitted to log on to the computer."
        },
        "defaultValue": "Guests"
      },
      "UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that are denied log on through Remote Desktop Services",
          "description": "Specifies which users and groups are explicitly not permitted to log on to the computer via Terminal Services/Remote Desktop Client."
        },
        "defaultValue": "Guests"
      },
      "UserAndGroupsThatMayForceShutdownFromARemoteSystem": {
        "type": "String",
        "metadata": {
          "displayName": "User and groups that may force shutdown from a remote system",
          "description": "Specifies which users and groups are permitted to shut down the computer from a remote location on the network."
        },
        "defaultValue": "Administrators"
      },
      "UsersAndGroupsThatMayRestoreFilesAndDirectories": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that may restore files and directories",
          "description": "Specifies which users and groups are permitted to bypass file, directory, registry, and other persistent object permissions when restoring backed up files and directories."
        },
        "defaultValue": "Administrators, Backup Operators"
      },
      "UsersAndGroupsThatMayShutDownTheSystem": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that may shut down the system",
          "description": "Specifies which users and groups who are logged on locally to the computers in your environment are permitted to shut down the operating system with the Shut Down command."
        },
        "defaultValue": "Administrators"
      },
      "UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may take ownership of files or other objects",
          "description": "Specifies which users and groups are permitted to take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions that are in place to protect objects to give ownership to the specified user."
        },
        "defaultValue": "Administrators"
      },
      "SendFileSamplesWhenFurtherAnalysisIsRequired": {
        "type": "String",
        "metadata": {
          "displayName": "Send file samples when further analysis is required",
          "description": "Specifies whether and how Windows Defender will submit samples of suspected malware to Microsoft for further analysis when opt-in for MAPS telemetry is set."
        },
        "defaultValue": "1"
      },
      "AllowIndexingOfEncryptedFiles": {
        "type": "String",
        "metadata": {
          "displayName": "Allow indexing of encrypted files",
          "description": "Specifies whether encrypted items are allowed to be indexed."
        },
        "defaultValue": "0"
      },
      "AllowTelemetry": {
        "type": "String",
        "metadata": {
          "displayName": "Allow Telemetry",
          "description": "Specifies configuration of the amount of diagnostic and usage data reported to Microsoft. The data is transmitted securely and sensitive data is not sent."
        },
        "defaultValue": "2"
      },
      "AllowUnencryptedTraffic": {
        "type": "String",
        "metadata": {
          "displayName": "Allow unencrypted traffic",
          "description": "Specifies whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network."
        },
        "defaultValue": "0"
      },
      "AlwaysInstallWithElevatedPrivileges": {
        "type": "String",
        "metadata": {
          "displayName": "Always install with elevated privileges",
          "description": "Specifies whether Windows Installer should use system permissions when it installs any program on the system."
        },
        "defaultValue": "0"
      },
      "AlwaysPromptForPasswordUponConnection": {
        "type": "String",
        "metadata": {
          "displayName": "Always prompt for password upon connection",
          "description": "Specifies whether Terminal Services/Remote Desktop Connection always prompts the client computer for a password upon connection."
        },
        "defaultValue": "1"
      },
      "ApplicationSpecifyTheMaximumLogFileSizeKB": {
        "type": "String",
        "metadata": {
          "displayName": "Application: Specify the maximum log file size (KB)",
          "description": "Specifies the maximum size for the Application event log in kilobytes."
        },
        "defaultValue": "32768"
      },
      "AutomaticallySendMemoryDumpsForOSgeneratedErrorReports": {
        "type": "String",
        "metadata": {
          "displayName": "Automatically send memory dumps for OS-generated error reports",
          "description": "Specifies if memory dumps in support of OS-generated error reports can be sent to Microsoft automatically."
        },
        "defaultValue": "1"
      },
      "ConfigureDefaultConsent": {
        "type": "String",
        "metadata": {
          "displayName": "Configure Default consent",
          "description": "Specifies setting of the default consent handling for error reports sent to Microsoft."
        },
        "defaultValue": "4"
      },
      "ConfigureWindowsSmartScreen": {
        "type": "String",
        "metadata": {
          "displayName": "Configure Windows SmartScreen",
          "description": "Specifies how to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled."
        },
        "defaultValue": "1"
      },
      "DisallowDigestAuthentication": {
        "type": "String",
        "metadata": {
          "displayName": "Disallow Digest authentication",
          "description": "Specifies whether the Windows Remote Management (WinRM) client will not use Digest authentication."
        },
        "defaultValue": "0"
      },
      "DisallowWinRMFromStoringRunAsCredentials": {
        "type": "String",
        "metadata": {
          "displayName": "Disallow WinRM from storing RunAs credentials",
          "description": "Specifies whether the Windows Remote Management (WinRM) service will not allow RunAs credentials to be stored for any plug-ins."
        },
        "defaultValue": "1"
      },
      "DoNotAllowPasswordsToBeSaved": {
        "type": "String",
        "metadata": {
          "displayName": "Do not allow passwords to be saved",
          "description": "Specifies whether to prevent Remote Desktop Services - Terminal Services clients from saving passwords on a computer."
        },
        "defaultValue": "1"
      },
      "SecuritySpecifyTheMaximumLogFileSizeKB": {
        "type": "String",
        "metadata": {
          "displayName": "Security: Specify the maximum log file size (KB)",
          "description": "Specifies the maximum size for the Security event log in kilobytes."
        },
        "defaultValue": "196608"
      },
      "SetClientConnectionEncryptionLevel": {
        "type": "String",
        "metadata": {
          "displayName": "Set client connection encryption level",
          "description": "Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption."
        },
        "defaultValue": "3"
      },
      "SetTheDefaultBehaviorForAutoRun": {
        "type": "String",
        "metadata": {
          "displayName": "Set the default behavior for AutoRun",
          "description": "Specifies the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines."
        },
        "defaultValue": "1"
      },
      "SetupSpecifyTheMaximumLogFileSizeKB": {
        "type": "String",
        "metadata": {
          "displayName": "Setup: Specify the maximum log file size (KB)",
          "description": "Specifies the maximum size for the Setup event log in kilobytes."
        },
        "defaultValue": "32768"
      },
      "SystemSpecifyTheMaximumLogFileSizeKB": {
        "type": "String",
        "metadata": {
          "displayName": "System: Specify the maximum log file size (KB)",
          "description": "Specifies the maximum size for the System event log in kilobytes."
        },
        "defaultValue": "32768"
      },
      "TurnOffDataExecutionPreventionForExplorer": {
        "type": "String",
        "metadata": {
          "displayName": "Turn off Data Execution Prevention for Explorer",
          "description": "Specifies whether to turn off Data Execution Prevention for Windows File Explorer. Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer."
        },
        "defaultValue": "0"
      },
      "SpecifyTheIntervalToCheckForDefinitionUpdates": {
        "type": "String",
        "metadata": {
          "displayName": "Specify the interval to check for definition updates",
          "description": "Specifies an interval at which to check for Windows Defender definition updates. The time value is represented as the number of hours between update checks."
        },
        "defaultValue": "8"
      },
      "WindowsFirewallDomainUseProfileSettings": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Domain): Use profile settings",
          "description": "Specifies whether Windows Firewall with Advanced Security uses the settings for the Domain profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallDomainBehaviorForOutboundConnections": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Domain): Behavior for outbound connections",
          "description": "Specifies the behavior for outbound connections for the Domain profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, and a value of 1 means to block connections."
        },
        "defaultValue": "0"
      },
      "WindowsFirewallDomainApplyLocalConnectionSecurityRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Domain): Apply local connection security rules",
          "description": "Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy for the Domain profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallDomainApplyLocalFirewallRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Domain): Apply local firewall rules",
          "description": "Specifies whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy for the Domain profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallDomainDisplayNotifications": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Domain): Display notifications",
          "description": "Specifies whether Windows Firewall with Advanced Security displays notifications to the user when a program is blocked from receiving inbound connections, for the Domain profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPrivateUseProfileSettings": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Private): Use profile settings",
          "description": "Specifies whether Windows Firewall with Advanced Security uses the settings for the Private profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPrivateBehaviorForOutboundConnections": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Private): Behavior for outbound connections",
          "description": "Specifies the behavior for outbound connections for the Private profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, and a value of 1 means to block connections."
        },
        "defaultValue": "0"
      },
      "WindowsFirewallPrivateApplyLocalConnectionSecurityRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Private): Apply local connection security rules",
          "description": "Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy for the Private profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPrivateApplyLocalFirewallRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Private): Apply local firewall rules",
          "description": "Specifies whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy for the Private profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPrivateDisplayNotifications": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Private): Display notifications",
          "description": "Specifies whether Windows Firewall with Advanced Security displays notifications to the user when a program is blocked from receiving inbound connections, for the Private profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPublicUseProfileSettings": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Public): Use profile settings",
          "description": "Specifies whether Windows Firewall with Advanced Security uses the settings for the Public profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPublicBehaviorForOutboundConnections": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Public): Behavior for outbound connections",
          "description": "Specifies the behavior for outbound connections for the Public profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, and a value of 1 means to block connections."
        },
        "defaultValue": "0"
      },
      "WindowsFirewallPublicApplyLocalConnectionSecurityRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Public): Apply local connection security rules",
          "description": "Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy for the Public profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPublicApplyLocalFirewallRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Public): Apply local firewall rules",
          "description": "Specifies whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy for the Public profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPublicDisplayNotifications": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Public): Display notifications",
          "description": "Specifies whether Windows Firewall with Advanced Security displays notifications to the user when a program is blocked from receiving inbound connections, for the Public profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallDomainAllowUnicastResponse": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall: Domain: Allow unicast response",
          "description": "Specifies whether Windows Firewall with Advanced Security permits the local computer to receive unicast responses to its outgoing multicast or broadcast messages; for the Domain profile."
        },
        "defaultValue": "0"
      },
      "WindowsFirewallPrivateAllowUnicastResponse": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall: Private: Allow unicast response",
          "description": "Specifies whether Windows Firewall with Advanced Security permits the local computer to receive unicast responses to its outgoing multicast or broadcast messages; for the Private profile."
        },
        "defaultValue": "0"
      },
      "WindowsFirewallPublicAllowUnicastResponse": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall: Public: Allow unicast response",
          "description": "Specifies whether Windows Firewall with Advanced Security permits the local computer to receive unicast responses to its outgoing multicast or broadcast messages; for the Public profile."
        },
        "defaultValue": "1"
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_AdministrativeTemplatesControlPanel",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3aa2661b-02d7-4ba6-99bc-dc36b10489fd",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_AdministrativeTemplatesNetwork",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/67e010c1-640d-438e-a3a5-feaccb533a98",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "EnableInsecureGuestLogons": {
            "value": "[parameters('EnableInsecureGuestLogons')]"
          },
          "AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain": {
            "value": "[parameters('AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain')]"
          },
          "TurnOffMulticastNameResolution": {
            "value": "[parameters('TurnOffMulticastNameResolution')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_AdministrativeTemplatesSystem",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/968410dc-5ca0-4518-8a5b-7b55f0530ea9",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "AlwaysUseClassicLogon": {
            "value": "[parameters('AlwaysUseClassicLogon')]"
          },
          "BootStartDriverInitializationPolicy": {
            "value": "[parameters('BootStartDriverInitializationPolicy')]"
          },
          "EnableWindowsNTPClient": {
            "value": "[parameters('EnableWindowsNTPClient')]"
          },
          "TurnOnConveniencePINSignin": {
            "value": "[parameters('TurnOnConveniencePINSignin')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_AdminstrativeTemplatesMSSLegacy",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e0a7e899-2ce2-4253-8a13-d808fdeb75af",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_SecurityOptionsAccounts",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ee984370-154a-4ee8-9726-19d900e56fc0",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "AccountsGuestAccountStatus": {
            "value": "[parameters('AccountsGuestAccountStatus')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_SecurityOptionsAudit",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/33936777-f2ac-45aa-82ec-07958ec9ade4",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits": {
            "value": "[parameters('AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_SecurityOptionsDevices",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8794ff4f-1a35-4e18-938f-0b22055067cd",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "DevicesAllowedToFormatAndEjectRemovableMedia": {
            "value": "[parameters('DevicesAllowedToFormatAndEjectRemovableMedia')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_SecurityOptionsInteractiveLogon",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d472d2c9-d6a3-4500-9f5f-b15f123005aa",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_SecurityOptionsMicrosoftNetworkClient",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d6c69680-54f0-4349-af10-94dd05f4225e",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "MicrosoftNetworkClientDigitallySignCommunicationsAlways": {
            "value": "[parameters('MicrosoftNetworkClientDigitallySignCommunicationsAlways')]"
          },
          "MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers": {
            "value": "[parameters('MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers')]"
          },
          "MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession": {
            "value": "[parameters('MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession')]"
          },
          "MicrosoftNetworkServerDigitallySignCommunicationsAlways": {
            "value": "[parameters('MicrosoftNetworkServerDigitallySignCommunicationsAlways')]"
          },
          "MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire": {
            "value": "[parameters('MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_SecurityOptionsMicrosoftNetworkServer",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/caf2d518-f029-4f6b-833b-d7081702f253",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_SecurityOptionsNetworkAccess",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "NetworkAccessRemotelyAccessibleRegistryPaths": {
            "value": "[parameters('NetworkAccessRemotelyAccessibleRegistryPaths')]"
          },
          "NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths": {
            "value": "[parameters('NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths')]"
          },
          "NetworkAccessSharesThatCanBeAccessedAnonymously": {
            "value": "[parameters('NetworkAccessSharesThatCanBeAccessedAnonymously')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_SecurityOptionsNetworkSecurity",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1221c620-d201-468c-81e7-2817e6107e84",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "NetworkSecurityConfigureEncryptionTypesAllowedForKerberos": {
            "value": "[parameters('NetworkSecurityConfigureEncryptionTypesAllowedForKerberos')]"
          },
          "NetworkSecurityLANManagerAuthenticationLevel": {
            "value": "[parameters('NetworkSecurityLANManagerAuthenticationLevel')]"
          },
          "NetworkSecurityLDAPClientSigningRequirements": {
            "value": "[parameters('NetworkSecurityLDAPClientSigningRequirements')]"
          },
          "NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients": {
            "value": "[parameters('NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients')]"
          },
          "NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers": {
            "value": "[parameters('NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_SecurityOptionsRecoveryconsole",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f71be03e-e25b-4d0f-b8bc-9b3e309b66c0",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders": {
            "value": "[parameters('RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_SecurityOptionsShutdown",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4a4d1eb-0263-441b-84cb-a44073d8372d",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn": {
            "value": "[parameters('ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn')]"
          },
          "ShutdownClearVirtualMemoryPagefile": {
            "value": "[parameters('ShutdownClearVirtualMemoryPagefile')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_SecurityOptionsSystemobjects",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2f262ace-812a-4fd0-b731-b38ba9e9708d",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_SecurityOptionsSystemsettings",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12017595-5a75-4bb1-9d97-4c2c939ea3c3",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies": {
            "value": "[parameters('SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_SecurityOptionsUserAccountControl",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/492a29ed-d143-4f03-b6a4-705ce081b463",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "UACAdminApprovalModeForTheBuiltinAdministratorAccount": {
            "value": "[parameters('UACAdminApprovalModeForTheBuiltinAdministratorAccount')]"
          },
          "UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode": {
            "value": "[parameters('UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode')]"
          },
          "UACDetectApplicationInstallationsAndPromptForElevation": {
            "value": "[parameters('UACDetectApplicationInstallationsAndPromptForElevation')]"
          },
          "UACRunAllAdministratorsInAdminApprovalMode": {
            "value": "[parameters('UACRunAllAdministratorsInAdminApprovalMode')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_SecuritySettingsAccountPolicies",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f2143251-70de-4e81-87a8-36cee5a2f29d",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "EnforcePasswordHistory": {
            "value": "[parameters('EnforcePasswordHistory')]"
          },
          "MaximumPasswordAge": {
            "value": "[parameters('MaximumPasswordAge')]"
          },
          "MinimumPasswordAge": {
            "value": "[parameters('MinimumPasswordAge')]"
          },
          "MinimumPasswordLength": {
            "value": "[parameters('MinimumPasswordLength')]"
          },
          "PasswordMustMeetComplexityRequirements": {
            "value": "[parameters('PasswordMustMeetComplexityRequirements')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_SystemAuditPoliciesAccountLogon",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/43bb60fe-1d7e-4b82-9e93-496bfc99e7d5",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "AuditCredentialValidation": {
            "value": "[parameters('AuditCredentialValidation')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_SystemAuditPoliciesAccountManagement",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/94d9aca8-3757-46df-aa51-f218c5f11954",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_SystemAuditPoliciesDetailedTracking",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/58383b73-94a9-4414-b382-4146eb02611b",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "AuditProcessTermination": {
            "value": "[parameters('AuditProcessTermination')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_SystemAuditPoliciesLogonLogoff",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/19be9779-c776-4dfa-8a15-a2fd5dc843d6",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "AuditGroupMembership": {
            "value": "[parameters('AuditGroupMembership')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_SystemAuditPoliciesObjectAccess",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/35781875-8026-4628-b19b-f6efb4d88a1d",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "AuditDetailedFileShare": {
            "value": "[parameters('AuditDetailedFileShare')]"
          },
          "AuditFileShare": {
            "value": "[parameters('AuditFileShare')]"
          },
          "AuditFileSystem": {
            "value": "[parameters('AuditFileSystem')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_SystemAuditPoliciesPolicyChange",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a7a701e-dff3-4da9-9ec5-42cb98594c0b",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "AuditAuthenticationPolicyChange": {
            "value": "[parameters('AuditAuthenticationPolicyChange')]"
          },
          "AuditAuthorizationPolicyChange": {
            "value": "[parameters('AuditAuthorizationPolicyChange')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_SystemAuditPoliciesPrivilegeUse",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/87845465-c458-45f3-af66-dcd62176f397",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_SystemAuditPoliciesSystem",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8316fa92-d69c-4810-8124-62414f560dcf",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "AuditOtherSystemEvents": {
            "value": "[parameters('AuditOtherSystemEvents')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_UserRightsAssignment",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e068b215-0026-4354-b347-8fb2766f73a2",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "UsersOrGroupsThatMayAccessThisComputerFromTheNetwork": {
            "value": "[parameters('UsersOrGroupsThatMayAccessThisComputerFromTheNetwork')]"
          },
          "UsersOrGroupsThatMayLogOnLocally": {
            "value": "[parameters('UsersOrGroupsThatMayLogOnLocally')]"
          },
          "UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices": {
            "value": "[parameters('UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices')]"
          },
          "UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork": {
            "value": "[parameters('UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork')]"
          },
          "UsersOrGroupsThatMayManageAuditingAndSecurityLog": {
            "value": "[parameters('UsersOrGroupsThatMayManageAuditingAndSecurityLog')]"
          },
          "UsersOrGroupsThatMayBackUpFilesAndDirectories": {
            "value": "[parameters('UsersOrGroupsThatMayBackUpFilesAndDirectories')]"
          },
          "UsersOrGroupsThatMayChangeTheSystemTime": {
            "value": "[parameters('UsersOrGroupsThatMayChangeTheSystemTime')]"
          },
          "UsersOrGroupsThatMayChangeTheTimeZone": {
            "value": "[parameters('UsersOrGroupsThatMayChangeTheTimeZone')]"
          },
          "UsersOrGroupsThatMayCreateATokenObject": {
            "value": "[parameters('UsersOrGroupsThatMayCreateATokenObject')]"
          },
          "UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob": {
            "value": "[parameters('UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob')]"
          },
          "UsersAndGroupsThatAreDeniedLoggingOnAsAService": {
            "value": "[parameters('UsersAndGroupsThatAreDeniedLoggingOnAsAService')]"
          },
          "UsersAndGroupsThatAreDeniedLocalLogon": {
            "value": "[parameters('UsersAndGroupsThatAreDeniedLocalLogon')]"
          },
          "UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices": {
            "value": "[parameters('UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices')]"
          },
          "UserAndGroupsThatMayForceShutdownFromARemoteSystem": {
            "value": "[parameters('UserAndGroupsThatMayForceShutdownFromARemoteSystem')]"
          },
          "UsersAndGroupsThatMayRestoreFilesAndDirectories": {
            "value": "[parameters('UsersAndGroupsThatMayRestoreFilesAndDirectories')]"
          },
          "UsersAndGroupsThatMayShutDownTheSystem": {
            "value": "[parameters('UsersAndGroupsThatMayShutDownTheSystem')]"
          },
          "UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects": {
            "value": "[parameters('UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_WindowsComponents",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8537fe96-8cbe-43de-b0ef-131bc72bc22a",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "SendFileSamplesWhenFurtherAnalysisIsRequired": {
            "value": "[parameters('SendFileSamplesWhenFurtherAnalysisIsRequired')]"
          },
          "AllowIndexingOfEncryptedFiles": {
            "value": "[parameters('AllowIndexingOfEncryptedFiles')]"
          },
          "AllowTelemetry": {
            "value": "[parameters('AllowTelemetry')]"
          },
          "AllowUnencryptedTraffic": {
            "value": "[parameters('AllowUnencryptedTraffic')]"
          },
          "AlwaysInstallWithElevatedPrivileges": {
            "value": "[parameters('AlwaysInstallWithElevatedPrivileges')]"
          },
          "AlwaysPromptForPasswordUponConnection": {
            "value": "[parameters('AlwaysPromptForPasswordUponConnection')]"
          },
          "ApplicationSpecifyTheMaximumLogFileSizeKB": {
            "value": "[parameters('ApplicationSpecifyTheMaximumLogFileSizeKB')]"
          },
          "AutomaticallySendMemoryDumpsForOSgeneratedErrorReports": {
            "value": "[parameters('AutomaticallySendMemoryDumpsForOSgeneratedErrorReports')]"
          },
          "ConfigureDefaultConsent": {
            "value": "[parameters('ConfigureDefaultConsent')]"
          },
          "ConfigureWindowsSmartScreen": {
            "value": "[parameters('ConfigureWindowsSmartScreen')]"
          },
          "DisallowDigestAuthentication": {
            "value": "[parameters('DisallowDigestAuthentication')]"
          },
          "DisallowWinRMFromStoringRunAsCredentials": {
            "value": "[parameters('DisallowWinRMFromStoringRunAsCredentials')]"
          },
          "DoNotAllowPasswordsToBeSaved": {
            "value": "[parameters('DoNotAllowPasswordsToBeSaved')]"
          },
          "SecuritySpecifyTheMaximumLogFileSizeKB": {
            "value": "[parameters('SecuritySpecifyTheMaximumLogFileSizeKB')]"
          },
          "SetClientConnectionEncryptionLevel": {
            "value": "[parameters('SetClientConnectionEncryptionLevel')]"
          },
          "SetTheDefaultBehaviorForAutoRun": {
            "value": "[parameters('SetTheDefaultBehaviorForAutoRun')]"
          },
          "SetupSpecifyTheMaximumLogFileSizeKB": {
            "value": "[parameters('SetupSpecifyTheMaximumLogFileSizeKB')]"
          },
          "SystemSpecifyTheMaximumLogFileSizeKB": {
            "value": "[parameters('SystemSpecifyTheMaximumLogFileSizeKB')]"
          },
          "TurnOffDataExecutionPreventionForExplorer": {
            "value": "[parameters('TurnOffDataExecutionPreventionForExplorer')]"
          },
          "SpecifyTheIntervalToCheckForDefinitionUpdates": {
            "value": "[parameters('SpecifyTheIntervalToCheckForDefinitionUpdates')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_WindowsFirewallProperties",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/35d9882c-993d-44e6-87d2-db66ce21b636",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "WindowsFirewallDomainUseProfileSettings": {
            "value": "[parameters('WindowsFirewallDomainUseProfileSettings')]"
          },
          "WindowsFirewallDomainBehaviorForOutboundConnections": {
            "value": "[parameters('WindowsFirewallDomainBehaviorForOutboundConnections')]"
          },
          "WindowsFirewallDomainApplyLocalConnectionSecurityRules": {
            "value": "[parameters('WindowsFirewallDomainApplyLocalConnectionSecurityRules')]"
          },
          "WindowsFirewallDomainApplyLocalFirewallRules": {
            "value": "[parameters('WindowsFirewallDomainApplyLocalFirewallRules')]"
          },
          "WindowsFirewallDomainDisplayNotifications": {
            "value": "[parameters('WindowsFirewallDomainDisplayNotifications')]"
          },
          "WindowsFirewallPrivateUseProfileSettings": {
            "value": "[parameters('WindowsFirewallPrivateUseProfileSettings')]"
          },
          "WindowsFirewallPrivateBehaviorForOutboundConnections": {
            "value": "[parameters('WindowsFirewallPrivateBehaviorForOutboundConnections')]"
          },
          "WindowsFirewallPrivateApplyLocalConnectionSecurityRules": {
            "value": "[parameters('WindowsFirewallPrivateApplyLocalConnectionSecurityRules')]"
          },
          "WindowsFirewallPrivateApplyLocalFirewallRules": {
            "value": "[parameters('WindowsFirewallPrivateApplyLocalFirewallRules')]"
          },
          "WindowsFirewallPrivateDisplayNotifications": {
            "value": "[parameters('WindowsFirewallPrivateDisplayNotifications')]"
          },
          "WindowsFirewallPublicUseProfileSettings": {
            "value": "[parameters('WindowsFirewallPublicUseProfileSettings')]"
          },
          "WindowsFirewallPublicBehaviorForOutboundConnections": {
            "value": "[parameters('WindowsFirewallPublicBehaviorForOutboundConnections')]"
          },
          "WindowsFirewallPublicApplyLocalConnectionSecurityRules": {
            "value": "[parameters('WindowsFirewallPublicApplyLocalConnectionSecurityRules')]"
          },
          "WindowsFirewallPublicApplyLocalFirewallRules": {
            "value": "[parameters('WindowsFirewallPublicApplyLocalFirewallRules')]"
          },
          "WindowsFirewallPublicDisplayNotifications": {
            "value": "[parameters('WindowsFirewallPublicDisplayNotifications')]"
          },
          "WindowsFirewallDomainAllowUnicastResponse": {
            "value": "[parameters('WindowsFirewallDomainAllowUnicastResponse')]"
          },
          "WindowsFirewallPrivateAllowUnicastResponse": {
            "value": "[parameters('WindowsFirewallPrivateAllowUnicastResponse')]"
          },
          "WindowsFirewallPublicAllowUnicastResponse": {
            "value": "[parameters('WindowsFirewallPublicAllowUnicastResponse')]"
          }
        }
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/be7a78aa-3e10-4153-a5fd-8c6506dbc821",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "be7a78aa-3e10-4153-a5fd-8c6506dbc821"
}
BuiltIn Guest Configuration False True n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "Audit machines with insecure password security settings",
    "policyType": "BuiltIn",
    "description": "This initiative deploys the policy requirements and audits machines with insecure password security settings. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "1.0.0",
      "category": "Guest Configuration"
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "AINE_MaximumPasswordAge",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ceb8dc2-559c-478b-a15b-733fbf1e3738",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_MinimumPasswordAge",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/237b38db-ca4d-4259-9e47-7882441ca2c0",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_PasswordMustMeetComplexityRequirements",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bf16e0bb-31e1-4646-8202-60a235cc7e74",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_StorePasswordsUsingReversibleEncryption",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/da0f98fe-a24b-4ad5-af69-bd0400233661",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_EnforcePasswordHistory",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b054a0d-39e2-4d53-bea3-9734cad2c69b",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_MinimumPasswordLength",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a2d0e922-65d0-40c4-8f87-ea6da2d307a2",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_PasswordPolicy_msid110",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ea53dbee-c6c9-4f0e-9f9e-de0039b78023",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_PasswordPolicy_msid121",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e6955644-301c-44b5-a4c4-528577de6861",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_PasswordPolicy_msid232",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f6ec09a3-78bf-4f8f-99dc-6c77182d0f99",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        }
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/095e4ed9-c835-4ab6-9439-b5644362a06c",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "095e4ed9-c835-4ab6-9439-b5644362a06c"
}
BuiltIn Guest Configuration False False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "Azure Security Benchmark",
    "policyType": "BuiltIn",
    "description": "The Azure Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Azure Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Azure Security Center default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Azure Security Center.",
    "metadata": {
      "version": "29.2.0",
      "category": "Security Center"
    },
    "parameters": {
      "useServicePrincipalToProtectSubscriptionsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Service principals should be used to protect your subscriptions instead of management certificates",
          "description": "Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, use of service principals with Resource Manager is recommended to limit the impact of a certificate compromise."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "updateOsVersionMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Operating system version should be the most current version for your cloud service roles",
          "description": "Keeping the operating system (OS) on the most recent supported version for your cloud service roles enhances the systems security posture.",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "resolveLogAnalyticsHealthIssuesMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics agent health issues should be resolved on your machines",
          "description": "Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). To make sure your virtual machines are successfully monitored, you need to make sure the agent is installed on the virtual machines and properly collects security events to the configured workspace."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "installLogAnalyticsAgentOnVmMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring",
          "description": "This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "installLogAnalyticsAgentOnVmssMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring",
          "description": "Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "certificatesValidityPeriodMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Manage certificate validity period",
          "description": "Enable or disable manage certificate validity period."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "disabled"
      },
      "certificatesValidityPeriodInMonths": {
        "type": "Integer",
        "metadata": {
          "displayName": "The maximum validity period in months of managed certificate",
          "description": "The limit to how long a certificate may be valid for. Certificates with lengthy validity periods aren't best practice."
        },
        "defaultValue": 12
      },
      "secretsExpirationSetEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Key Vault secrets should have expiration dates set",
          "description": "Enable or disable key vault secrets should have expiration dates set."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "keysExpirationSetEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Key Vault keys should have expiration dates set",
          "description": "Enable or disable key vault keys should have expiration dates set."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "azurePolicyforWindowsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Guest Configuration extension should be installed on virtual machines",
          "description": "Enable or disable virtual machines reporting that the Guest Configuration extension should be installed"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "gcExtOnVMWithNoSAMIMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity",
          "description": "Enable or disable Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "windowsDefenderExploitGuardMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Defender Exploit Guard should be enabled on your Windows virtual machines",
          "description": "Enable or disable virtual machines reporting that Windows Defender Exploit Guard is enabled"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "windowsGuestConfigBaselinesMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Config)",
          "description": "Enable or disable virtual machines reporting Windows Baselines in Guest Config"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "linuxGuestConfigBaselinesMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Vulnerabilities in security configuration on your Linux machines should be remediated (powered by Guest Config)",
          "description": "Enable or disable virtual machines reporting Linux Baselines in Guest Config"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "vmssSystemUpdatesMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "System updates on virtual machine scale sets should be installed",
          "description": "Enable or disable virtual machine scale sets reporting of system updates"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "vmssEndpointProtectionMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Endpoint protection solution should be installed on virtual machine scale sets",
          "description": "Enable or disable virtual machine scale sets endpoint protection monitoring"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "vmssOsVulnerabilitiesMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Vulnerabilities in security configuration on your virtual machine scale sets should be remediated",
          "description": "Enable or disable virtual machine scale sets OS vulnerabilities monitoring"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "systemUpdatesMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "System updates should be installed on your machines",
          "description": "Enable or disable reporting of system updates"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "systemConfigurationsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Vulnerabilities in security configuration on your machines should be remediated",
          "description": "Enable or disable OS vulnerabilities monitoring (based on a configured baseline)"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "endpointProtectionMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Monitor missing Endpoint Protection in Azure Security Center",
          "description": "Enable or disable endpoint protection monitoring"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "diskEncryptionMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources",
          "description": "Enable or disable the monitoring for VM disk encryption"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "networkSecurityGroupsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Monitor network security groups",
          "description": "Enable or disable monitoring of network security groups with permissive rules",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "networkSecurityGroupsOnSubnetsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Network Security Groups on the subnet level should be enabled",
          "description": "Enable or disable monitoring of NSGs on subnets"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "networkSecurityGroupsOnVirtualMachinesMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Internet-facing virtual machines should be protected with network security groups",
          "description": "Enable or disable monitoring of NSGs on VMs"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "networkSecurityGroupsOnInternalVirtualMachinesMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Non-internet-facing virtual machines should be protected with network security groups",
          "description": "Enable or disable monitoring of NSGs on VMs"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "webApplicationFirewallMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Web ports should be restricted on Network Security Groups associated to your VM",
          "description": "Enable or disable the monitoring of unprotected web applications",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "nextGenerationFirewallMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "All network ports should be restricted on network security groups associated to your virtual machine",
          "description": "Enable or disable overly permissive inbound NSG rules monitoring."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "vulnerabilityAssesmentMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Vulnerabilities should be remediated by a Vulnerability Assessment solution",
          "description": "Enable or disable the detection of VM vulnerabilities by a vulnerability assessment solution",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "serverVulnerabilityAssessmentEffect": {
        "type": "String",
        "metadata": {
          "displayName": "A vulnerability assessment solution should be enabled on your virtual machines",
          "description": "Enable or disable the detection of virtual machine vulnerabilities by Azure Security Center vulnerability assessment"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "storageEncryptionMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Audit missing blob encryption for storage accounts",
          "description": "Enable or disable the monitoring of blob encryption for storage accounts",
          "deprecated": true
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "jitNetworkAccessMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Management ports of virtual machines should be protected with just-in-time network access control",
          "description": "Enable or disable the monitoring of network just-in-time access"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "adaptiveApplicationControlsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Adaptive application controls for defining safe applications should be enabled on your machines",
          "description": "Enable or disable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "adaptiveApplicationControlsUpdateMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Allowlist rules in your adaptive application control policy should be updated",
          "description": "Enable or disable the monitoring for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "sqlAuditingMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Monitor unaudited SQL servers in Azure Security Center",
          "description": "Enable or disable the monitoring of unaudited SQL databases",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "sqlEncryptionMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Monitor unencrypted SQL databases in Azure Security Center",
          "description": "Enable or disable the monitoring of unencrypted SQL databases",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "sqlDbEncryptionMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Transparent Data Encryption on SQL databases should be enabled",
          "description": "Enable or disable the monitoring of unencrypted SQL databases"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "sqlServerAuditingMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Auditing should be enabled on advanced data security settings on SQL Server",
          "description": "Enable or disable the monitoring of unaudited SQL Servers"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "sqlServerAuditingActionsAndGroupsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: SQL Auditing settings should have Action-Groups configured to capture critical activities",
          "description": "Enable or disable the monitoring of auditing policy Action-Groups and Actions setting",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "SqlServerAuditingRetentionDaysMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: SQL servers should be configured with auditing retention days greater than 90 days",
          "description": "Enable or disable the monitoring of SQL servers with auditing retention period less than 90",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "diagnosticsLogsInAppServiceMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Monitor resource logs in Azure App Services",
          "description": "Enable or disable the monitoring of resource logs in Azure App Services",
          "deprecated": true
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "diagnosticsLogsInSelectiveAppServicesMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Resource logs in App Services should be enabled",
          "description": "Enable or disable the monitoring of resource logs in Azure App Services",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "encryptionOfAutomationAccountMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Automation account variables should be encrypted",
          "description": "Enable or disable the monitoring of automation account encryption"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "diagnosticsLogsInBatchAccountMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Resource logs in Batch accounts should be enabled",
          "description": "Enable or disable the monitoring of resource logs in Batch accounts"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "diagnosticsLogsInBatchAccountRetentionDays": {
        "type": "String",
        "metadata": {
          "displayName": "Required retention (in days) for logs in Batch accounts",
          "description": "The required resource logs retention period in days"
        },
        "defaultValue": "1"
      },
      "metricAlertsInBatchAccountMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Metric alert rules should be configured on Batch accounts",
          "description": "Enable or disable the monitoring of metric alerts in Batch accounts",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "classicComputeVMsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Virtual machines should be migrated to new Azure Resource Manager resources",
          "description": "Enable or disable the monitoring of classic compute VMs"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "classicStorageAccountsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Storage accounts should be migrated to new Azure Resource Manager resources",
          "description": "Enable or disable the monitoring of classic storage accounts"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "diagnosticsLogsInDataLakeAnalyticsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Resource logs in Data Lake Analytics should be enabled",
          "description": "Enable or disable the monitoring of resource logs in Data Lake Analytics accounts"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "diagnosticsLogsInDataLakeAnalyticsRetentionDays": {
        "type": "String",
        "metadata": {
          "displayName": "Required retention (in days) of logs in Data Lake Analytics accounts",
          "description": "The required resource logs retention period in days"
        },
        "defaultValue": "1"
      },
      "diagnosticsLogsInDataLakeStoreMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Resource logs in Azure Data Lake Store should be enabled",
          "description": "Enable or disable the monitoring of resource logs in Data Lake Store accounts"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "diagnosticsLogsInDataLakeStoreRetentionDays": {
        "type": "String",
        "metadata": {
          "displayName": "Required retention (in days) of logs in Data Lake Store accounts",
          "description": "The required resource logs retention period in days"
        },
        "defaultValue": "1"
      },
      "diagnosticsLogsInEventHubMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Resource logs in Event Hub should be enabled",
          "description": "Enable or disable the monitoring of resource logs in Event Hub accounts"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "diagnosticsLogsInEventHubRetentionDays": {
        "type": "String",
        "metadata": {
          "displayName": "Required retention (in days) of logs in Event Hub accounts",
          "description": "The required resource logs retention period in days"
        },
        "defaultValue": "1"
      },
      "diagnosticsLogsInKeyVaultMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Resource logs in Key Vault should be enabled",
          "description": "Enable or disable the monitoring of resource logs in Key Vault vaults"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "diagnosticsLogsInKeyVaultRetentionDays": {
        "type": "String",
        "metadata": {
          "displayName": "Required retention (in days) of logs in Key Vault vaults",
          "description": "The required resource logs retention period in days"
        },
        "defaultValue": "1"
      },
      "diagnosticsLogsInLogicAppsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Resource logs in Logic Apps should be enabled",
          "description": "Enable or disable the monitoring of resource logs in Logic Apps workflows"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "diagnosticsLogsInLogicAppsRetentionDays": {
        "type": "String",
        "metadata": {
          "displayName": "Required retention (in days) of logs in Logic Apps workflows",
          "description": "The required resource logs retention period in days"
        },
        "defaultValue": "1"
      },
      "diagnosticsLogsInRedisCacheMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Only secure connections to your Redis Cache should be enabled",
          "description": "Enable or disable the monitoring of resource logs in Azure Redis Cache"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "diagnosticsLogsInSearchServiceMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Resource logs in Search services should be enabled",
          "description": "Enable or disable the monitoring of resource logs in Azure Search service"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "diagnosticsLogsInSearchServiceRetentionDays": {
        "type": "String",
        "metadata": {
          "displayName": "Required retention (in days) of logs in Azure Search service",
          "description": "The required resource logs retention period in days"
        },
        "defaultValue": "1"
      },
      "aadAuthenticationInServiceFabricMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Service Fabric clusters should only use Azure Active Directory for client authentication",
          "description": "Enable or disable the monitoring of Azure Active Directory for client authentication in Service Fabric"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "clusterProtectionLevelInServiceFabricMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign",
          "description": "Enable or disable the monitoring of cluster protection level in Service Fabric"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "diagnosticsLogsInServiceBusMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Resource logs in Service Bus should be enabled",
          "description": "Enable or disable the monitoring of resource logs in Service Bus"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "diagnosticsLogsInServiceBusRetentionDays": {
        "type": "String",
        "metadata": {
          "displayName": "Required retention (in days) of logs in Service Bus",
          "description": "The required resource logs retention period in days"
        },
        "defaultValue": "1"
      },
      "namespaceAuthorizationRulesInServiceBusMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace",
          "description": "Enable or disable the monitoring of Service Bus namespace authorization rules",
          "deprecated": true
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "aadAuthenticationInSqlServerMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "An Azure Active Directory administrator should be provisioned for SQL servers",
          "description": "Enable or disable the monitoring of an Azure AD admininistrator for SQL server"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "secureTransferToStorageAccountMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Secure transfer to storage accounts should be enabled",
          "description": "Enable or disable the monitoring of secure transfer to storage account"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "diagnosticsLogsInStreamAnalyticsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Resource logs in Azure Stream Analytics should be enabled",
          "description": "Enable or disable the monitoring of resource logs in Stream Analytics"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "diagnosticsLogsInStreamAnalyticsRetentionDays": {
        "type": "String",
        "metadata": {
          "displayName": "Required retention (in days) of logs in Stream Analytics",
          "description": "The required resource logs retention period in days"
        },
        "defaultValue": "1"
      },
      "useRbacRulesMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Audit usage of custom RBAC rules",
          "description": "Enable or disable the monitoring of using built-in RBAC rules"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "disableUnrestrictedNetworkToStorageAccountMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Audit unrestricted network access to storage accounts",
          "description": "Enable or disable the monitoring of network access to storage account"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "diagnosticsLogsInServiceFabricMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Resource logs in Virtual Machine Scale Sets should be enabled",
          "description": "Enable or disable the monitoring of resource logs in Service Fabric"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "accessRulesInEventHubNamespaceMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace",
          "description": "Enable or disable the monitoring of access rules in Event Hub namespaces",
          "deprecated": true
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "accessRulesInEventHubMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Authorization rules on the Event Hub instance should be defined",
          "description": "Enable or disable the monitoring of access rules in Event Hubs",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "sqlDbVulnerabilityAssesmentMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "SQL databases should have vulnerability findings resolved",
          "description": "Enable or disable the monitoring of vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "serverSqlDbVulnerabilityAssesmentMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "SQL servers on machines should have vulnerability findings resolved",
          "description": "SQL Vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "sqlDbDataClassificationMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Sensitive data in your SQL databases should be classified",
          "description": "Enable or disable the monitoring of sensitive data classification in databases."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityDesignateLessThanOwnersMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "A maximum of 3 owners should be designated for your subscription",
          "description": "Enable or disable the monitoring of maximum owners in subscription"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityDesignateMoreThanOneOwnerMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "There should be more than one owner assigned to your subscription",
          "description": "Enable or disable the monitoring of minimum owners in subscription"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityEnableMFAForOwnerPermissionsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "MFA should be enabled on accounts with owner permissions on your subscription",
          "description": "Enable or disable the monitoring of MFA for accounts with owner permissions in subscription"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityEnableMFAForWritePermissionsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "MFA should be enabled accounts with write permissions on your subscription",
          "description": "Enable or disable the monitoring of MFA for accounts with write permissions in subscription"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityEnableMFAForReadPermissionsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "MFA should be enabled on accounts with read permissions on your subscription",
          "description": "Enable or disable the monitoring of MFA for accounts with read permissions in subscription"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deprecated accounts with owner permissions should be removed from your subscription",
          "description": "Enable or disable the monitoring of deprecated acounts with owner permissions in subscription"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityRemoveDeprecatedAccountMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deprecated accounts should be removed from your subscription",
          "description": "Enable or disable the monitoring of deprecated acounts in subscription"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "External accounts with owner permissions should be removed from your subscription",
          "description": "Enable or disable the monitoring of external acounts with owner permissions in subscription"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityRemoveExternalAccountWithWritePermissionsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "External accounts with write permissions should be removed from your subscription",
          "description": "Enable or disable the monitoring of external acounts with write permissions in subscription"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityRemoveExternalAccountWithReadPermissionsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "External accounts with read permissions should be removed from your subscription",
          "description": "Enable or disable the monitoring of external acounts with read permissions in subscription"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "apiAppConfigureIPRestrictionsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Monitor Configure IP restrictions for API App",
          "description": "Enable or disable the monitoring of IP restrictions for API App",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "functionAppConfigureIPRestrictionsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Monitor Configure IP restrictions for Function App",
          "description": "Enable or disable the monitoring of IP restrictions for Function App",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "webAppConfigureIPRestrictionsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Monitor Configure IP restrictions for Web App",
          "description": "Enable or disable the monitoring of IP restrictions for Web App",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "apiAppDisableRemoteDebuggingMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Remote debugging should be turned off for API App",
          "description": "Enable or disable the monitoring of remote debugging for API App"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "functionAppDisableRemoteDebuggingMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Remote debugging should be turned off for Function App",
          "description": "Enable or disable the monitoring of remote debugging for Function App"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "webAppDisableRemoteDebuggingMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Remote debugging should be turned off for Web Application",
          "description": "Enable or disable the monitoring of remote debugging for Web App"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "apiAppAuditFtpsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: FTPS should be required in your API App",
          "description": "Enable FTPS enforcement for enhanced security",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "functionAppAuditFtpsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: FTPS should be required in your Function App",
          "description": "Enable FTPS enforcement for enhanced security",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "webAppAuditFtpsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: FTPS should be required in your Web App",
          "description": "Enable FTPS enforcement for enhanced security",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "apiAppUseManagedIdentityMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: A managed identity should be used in your API App",
          "description": "Use a managed identity for enhanced authentication security",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "functionAppUseManagedIdentityMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: A managed identity should be used in your Function App",
          "description": "Use a managed identity for enhanced authentication security",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "webAppUseManagedIdentityMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: A managed identity should be used in your Web App",
          "description": "Use a managed identity for enhanced authentication security",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "apiAppRequireLatestTlsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Latest TLS version should be used in your API App",
          "description": "Upgrade to the latest TLS version",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "functionAppRequireLatestTlsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Latest TLS version should be used in your Function App",
          "description": "Upgrade to the latest TLS version",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "webAppRequireLatestTlsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Latest TLS version should be used in your Web App",
          "description": "Upgrade to the latest TLS version",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "apiAppDisableWebSocketsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Monitor disable web sockets for API App",
          "description": "Enable or disable the monitoring of web sockets for API App",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "functionAppDisableWebSocketsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Monitor disable web sockets for Function App",
          "description": "Enable or disable the monitoring of web sockets for Function App",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "webAppDisableWebSocketsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Monitor disable web sockets for Web App",
          "description": "Enable or disable the monitoring of web sockets for Web App",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "apiAppEnforceHttpsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: API App should only be accessible over HTTPS",
          "description": "Enable or disable the monitoring of the use of HTTPS in API App",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "functionAppEnforceHttpsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Function App should only be accessible over HTTPS",
          "description": "Enable or disable the monitoring of the use of HTTPS in function App",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "webAppEnforceHttpsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Web Application should only be accessible over HTTPS",
          "description": "Enable or disable the monitoring of the use of HTTPS in Web App",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "apiAppEnforceHttpsMonitoringEffectV2": {
        "type": "String",
        "metadata": {
          "displayName": "API App should only be accessible over HTTPS V2",
          "description": "Enable or disable the monitoring of the use of HTTPS in API App V2"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "functionAppEnforceHttpsMonitoringEffectV2": {
        "type": "String",
        "metadata": {
          "displayName": "Function App should only be accessible over HTTPS V2",
          "description": "Enable or disable the monitoring of the use of HTTPS in function App V2"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "webAppEnforceHttpsMonitoringEffectV2": {
        "type": "String",
        "metadata": {
          "displayName": "Web Application should only be accessible over HTTPS V2",
          "description": "Enable or disable the monitoring of the use of HTTPS in Web App V2"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "apiAppRestrictCORSAccessMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "CORS should not allow every resource to access your API App",
          "description": "Enable or disable the monitoring of CORS restrictions for API App"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "functionAppRestrictCORSAccessMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "CORS should not allow every resource to access your Function App",
          "description": "Enable or disable the monitoring of CORS restrictions for API Function"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "webAppRestrictCORSAccessMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "CORS should not allow every resource to access your Web Application",
          "description": "Enable or disable the monitoring of CORS restrictions for API Web"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "apiAppUsedCustomDomainsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Monitor the custom domain use in API App",
          "description": "Enable or disable the monitoring of custom domain use in API App",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "functionAppUsedCustomDomainsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Monitor the custom domain use in Function App",
          "description": "Enable or disable the monitoring of custom domain use in Function App",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "webAppUsedCustomDomainsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Monitor the custom domain use in Web App",
          "description": "Enable or disable the monitoring of custom domain use in Web App",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "apiAppUsedLatestDotNetMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Monitor use latest .NET in API App",
          "description": "Enable or disable the monitoring of .NET version in API App",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "webAppUsedLatestDotNetMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Monitor use latest .NET in Web App",
          "description": "Enable or disable the monitoring of .NET version in Web App",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "apiAppUsedLatestJavaMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Monitor use latest Java in API App",
          "description": "Enable or disable the monitoring of Java version in API App",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "webAppUsedLatestJavaMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Monitor use latest Java in Web App",
          "description": "Enable or disable the monitoring of Java version in Web App",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "webAppUsedLatestNodeJsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Monitor use latest Node.js in Web App",
          "description": "Enable or disable the monitoring of Node.js version in Web App",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "apiAppUsedLatestPHPMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Monitor use latest PHP in API App",
          "description": "Enable or disable the monitoring of PHP version in API App",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "webAppUsedLatestPHPMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Monitor use latest PHP in Web App",
          "description": "Enable or disable the monitoring of PHP version in Web App",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "apiAppUsedLatestPythonMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Monitor use latest Python in API App",
          "description": "Enable or disable the monitoring of Python version in API App",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "webAppUsedLatestPythonMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Monitor use latest Python in Web App",
          "description": "Enable or disable the monitoring of Python version in Web App",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "vnetEnableDDoSProtectionMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Azure DDoS Protection Standard should be enabled",
          "description": "Enable or disable the monitoring of DDoS protection for virtual network"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "diagnosticsLogsInIoTHubMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Resource logs in IoT Hub should be enabled",
          "description": "Enable or disable the monitoring of resource logs in IoT Hubs"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "diagnosticsLogsInIoTHubRetentionDays": {
        "type": "String",
        "metadata": {
          "displayName": "Required retention (in days) of logs in IoT Hub accounts",
          "description": "The required resource logs retention period in days"
        },
        "defaultValue": "1"
      },
      "sqlServerAdvancedDataSecurityMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Azure Defender for SQL should be enabled for unprotected Azure SQL servers",
          "description": "Enable or disable the monitoring of SQL servers without Advanced Data Security"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "sqlManagedInstanceAdvancedDataSecurityMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Azure Defender for SQL should be enabled for unprotected SQL Managed Instances",
          "description": "Enable or disable the monitoring of each SQL Managed Instance without advanced data security."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "sqlServerAdvancedDataSecurityEmailsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Advanced data security settings for SQL server should contain an email address to receive security alerts",
          "description": "Enable or disable the monitoring that advanced data security settings for SQL server contain at least one email address to receive security alerts",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Advanced data security settings for SQL Managed Instance should contain an email address to receive security alerts",
          "description": "Enable or disable the monitoring that advanced data security settings for SQL Managed Instance contain at least one email address to receive security alerts.",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Email notifications to admins and subscription owners should be enabled in SQL server advanced data security settings",
          "description": "Enable or disable auditing that 'email notification to admins and subscription owners' is enabled in the SQL Server advanced threat protection settings. This ensures that any detections of anomalous activities on SQL server are reported as soon as possible to the admins.",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Email notifications to admins and subscription owners should be enabled in SQL Managed Instance advanced data security settings",
          "description": "Enable or disable auditing that 'email notification to admins and subscription owners' is enabled in SQL Managed Instance advanced threat protection settings. This setting ensures that any detections of anomalous activities on SQL Managed Instance are reported as soon as possible to the admins.",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "kubernetesServiceRbacEnabledMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Role-Based Access Control (RBAC) should be used on Kubernetes Services",
          "description": "Enable or disable the monitoring of Kubernetes Services without RBAC enabled"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "kubernetesServicePspEnabledMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Pod Security Policies should be defined on Kubernetes Services",
          "description": "Enable or disable the monitoring of Kubernetes Services without Pod Security Policy enabled",
          "deprecated": true
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "kubernetesServiceAuthorizedIPRangesEnabledMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Authorized IP ranges should be defined on Kubernetes Services",
          "description": "Enable or disable the monitoring of Kubernetes Services without Authorized IP Ranges enabled"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "kubernetesServiceVersionUpToDateMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Kubernetes Services should be upgraded to a non vulnerable Kubernetes version",
          "description": "Enable or disable the monitoring of the Kubernetes Services with versions that contain known vulnerabilities",
          "deprecated": true
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "vulnerabilityAssessmentOnManagedInstanceMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Vulnerability assessment should be enabled on SQL Managed Instance",
          "description": "Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "vulnerabilityAssessmentOnServerMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Vulnerability assessment should be enabled on your SQL servers",
          "description": "Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "threatDetectionTypesOnManagedInstanceMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Advanced Threat Protection types should be set to 'All' in SQL Managed Instance advanced data security settings",
          "description": "It's recommended to enable all Advanced Threat Protection types on your SQL Managed Instance. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "threatDetectionTypesOnServerMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Advanced Threat Protection types should be set to 'All' in SQL server Advanced Data Security settings",
          "description": "It is recommended to enable all Advanced Threat Protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "adaptiveNetworkHardeningsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Adaptive network hardening recommendations should be applied on internet facing virtual machines",
          "description": "Enable or disable the monitoring of Internet-facing virtual machines for Network Security Group traffic hardening recommendations"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "restrictAccessToManagementPortsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Management ports should be closed on your virtual machines",
          "description": "Enable or disable the monitoring of open management ports on Virtual Machines"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "restrictAccessToAppServicesMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Access to App Services should be restricted",
          "description": "Enable or disable the monitoring of permissive network access to app-services",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "disableIPForwardingMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "IP Forwarding on your virtual machine should be disabled",
          "description": "Enable or disable the monitoring of IP forwarding on virtual machines"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "ensureServerTDEIsEncryptedWithYourOwnKeyMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "SQL server TDE protector should be encrypted with your own key",
          "description": "Enable or disable the monitoring of Transparent Data Encryption (TDE) with your own key support. TDE with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "ensureManagedInstanceTDEIsEncryptedWithYourOwnKeyMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "SQL Managed Instance TDE protector should be encrypted with your own key",
          "description": "Enable or disable the monitoring of Transparent Data Encryption (TDE) with your own key support. TDE with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "containerBenchmarkMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Vulnerabilities in container security configurations should be remediated",
          "description": "Enable or disable container benchmark monitoring"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "ASCDependencyAgentAuditWindowsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Audit Dependency Agent for Windows VMs monitoring",
          "description": "Enable or disable Dependency Agent for Windows VMs"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "ASCDependencyAgentAuditLinuxEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Audit Dependency Agent for Linux VMs monitoring",
          "description": "Enable or disable Dependency Agent for Linux VMs"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "AzureFirewallEffect": {
        "type": "String",
        "metadata": {
          "displayName": "All Internet traffic should be routed via your deployed Azure Firewall",
          "description": "Enable or disable All Internet traffic should be routed via your deployed Azure Firewall"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "ArcWindowsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics agent should be installed on your  Windows Azure Arc machines",
          "description": "Enable or disable Log Analytics agent should be installed on your  Windows Azure Arc machines"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "ArcLinuxMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics agent should be installed on your Linux Azure Arc machines",
          "description": "Enable or disable Log Analytics agent should be installed on your Linux Azure Arc machines"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "keyVaultsAdvancedDataSecurityMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Azure Defender for Key Vault should be enabled",
          "description": "Enable or disable Azure Defender for Key Vault"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "sqlServersAdvancedDataSecurityMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Azure Defender for Azure SQL Database servers should be enabled",
          "description": "Enable or disable Azure Defender for Azure SQL Database servers"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "sqlServersVirtualMachinesAdvancedDataSecurityMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Azure Defender for SQL servers on machines should be enabled",
          "description": "Enable or disable Azure Defender for SQL servers on Machines"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "storageAccountsAdvancedDataSecurityMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Azure Defender for Storage should be enabled",
          "description": "Enable or disable Azure Defender for storage"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "appServicesAdvancedThreatProtectionMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Azure Defender for App Services should be enabled",
          "description": "Enable or disable Azure Defender for App Service"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "containerRegistryAdvancedThreatProtectionMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Azure Defender for container registries should be enabled",
          "description": "Enable or disable Azure Defender for container registries"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "kubernetesServiceAdvancedThreatProtectionMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Azure Defender for Kubernetes should be enabled",
          "description": "Enable or disable Azure Defender for Kubernetes"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "virtualMachinesAdvancedThreatProtectionMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Azure Defender for servers should be enabled",
          "description": "Enable or disable Azure Defender for servers"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "azurePolicyAddonStatusEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Azure Policy Add-on for Kubernetes should be installed and enabled on Azure Kubernetes Service (AKS) clusters",
          "description": "Enable or disable reporting of the Azure Policy Add-on is enabled on Azure Kubernetes managed cluster"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "allowedContainerImagesInKubernetesClusterEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Container images should be deployed from trusted registries only",
          "description": "Enable or disable monitoring of allowed container images in Kubernetes clusters"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "allowedContainerImagesInKubernetesClusterRegex": {
        "type": "String",
        "metadata": {
          "displayName": "Allowed container images regex",
          "description": "The RegEx rule used to match allowed container images in a Kubernetes cluster. For example, to allow any Azure Container Registry image by matching partial path: ^.+azurecr.io/.+$"
        },
        "defaultValue": "^(.+){0}$"
      },
      "allowedContainerImagesNamespaceExclusion": {
        "type": "Array",
        "metadata": {
          "displayName": "Kubernetes namespaces to exclude from monitoring of allowed container images",
          "description": "List of Kubernetes namespaces to exclude from evaluation of allowed container images in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "privilegedContainersShouldBeAvoidedEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Privileged containers should be avoided",
          "description": "Enable or disable monitoring of privileged containers in Kubernetes clusters"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "privilegedContainerNamespaceExclusion": {
        "type": "Array",
        "metadata": {
          "displayName": "Kubernetes namespaces to exclude from monitoring of privileged containers",
          "description": "List of Kubernetes namespaces to exclude from evaluation of privileged containers in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "allowedContainerPortsInKubernetesClusterEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Containers should listen on allowed ports only",
          "description": "Enable or disable monitoring of allowed container ports in Kubernetes clusters"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "allowedContainerPortsInKubernetesClusterPorts": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed container ports list",
          "description": "List of container ports allowed in Kubernetes cluster. Use ; to separate values"
        },
        "defaultValue": [
          "-1"
        ]
      },
      "allowedContainerPortsInKubernetesClusterNamespaceExclusion": {
        "type": "Array",
        "metadata": {
          "displayName": "Kubernetes namespaces to exclude from monitoring of allowed container port",
          "description": "List of Kubernetes namespaces to exclude from evaluation of allowed container ports in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "allowedServicePortsInKubernetesClusterEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Services should listen on allowed ports only",
          "description": "Enable or disable monitoring of allowed service ports in Kubernetes clusters"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "allowedservicePortsInKubernetesClusterPorts": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed service ports list",
          "description": "List of service ports allowed in Kubernetes cluster. Use ; to separate values"
        },
        "defaultValue": [
          "-1"
        ]
      },
      "allowedServicePortsInKubernetesClusterNamespaceExclusion": {
        "type": "Array",
        "metadata": {
          "displayName": "Kubernetes namespaces to exclude from monitoring of allowed service ports",
          "description": "List of Kubernetes namespaces to exclude from evaluation of allowed service ports in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "NoPrivilegeEscalationInKubernetesClusterEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Container with privileged escalation should be avoided",
          "description": "Enable or disable monitoring of privileged escalation containers in Kubernetes clusters"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "NoPrivilegeEscalationInKubernetesClusterNamespaceExclusion": {
        "type": "Array",
        "metadata": {
          "displayName": "Kubernetes namespaces to exclude from monitoring of privileged escalation containers",
          "description": "List of Kubernetes namespaces to exclude from evaluation of privileged escalation containers in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "NoSharingSensitiveHostNamespacesInKubernetesEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Containers sharing sensitive host namespaces should be avoided",
          "description": "Enable or disable monitoring of shared sensitive host namespaces in Kubernetes clusters"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "NoSharingSensitiveHostNamespacesInKubernetesNamespaceExclusion": {
        "type": "Array",
        "metadata": {
          "displayName": "Kubernetes namespaces to exclude from monitoring of sharing sensitive host namespaces in Kubernetes clusters",
          "description": "List of Kubernetes namespaces to exclude from evaluation of sharing sensitive host namespaces in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "ReadOnlyRootFileSystemInKubernetesClusterEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Immutable (read-only) root filesystem should be enforced for containers",
          "description": "Enable or disable monitoring of containers running with a read only root file system in Kubernetes clusters"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "ReadOnlyRootFileSystemInKubernetesClusterNamespaceExclusion": {
        "type": "Array",
        "metadata": {
          "displayName": "Kubernetes namespaces to exclude from monitoring of containers running with a read only root file system",
          "description": "List of Kubernetes namespaces to exclude from evaluation to monitoring of containers running with a read only root file system in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "AllowedCapabilitiesInKubernetesClusterEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Least privileged Linux capabilities should be enforced for containers",
          "description": "Enable or disable monitoring of Kubernetes containers using allowed capabilities only"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "AllowedCapabilitiesInKubernetesClusterNamespaceExclusion": {
        "type": "Array",
        "metadata": {
          "displayName": "Kubernetes namespaces to exclude from monitoring of containers use only allowed capabilities",
          "description": "List of Kubernetes namespaces to exclude from evaluation to monitoring of containers using only allowed capabilities in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "AllowedCapabilitiesInKubernetesClusterList": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed capabilities",
          "description": "The list of capabilities that are allowed to be added to a container. Provide empty list as input to block everything."
        },
        "defaultValue": []
      },
      "DropCapabilitiesInKubernetesClusterList": {
        "type": "Array",
        "metadata": {
          "displayName": "Required drop capabilities",
          "description": "The list of capabilities that must be dropped by a container."
        },
        "defaultValue": []
      },
      "AllowedAppArmorProfilesInKubernetesClusterEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Overriding or disabling of containers AppArmor profile should be restricted",
          "description": "Enable or disable monitoring of modification of Kubernetes containers' AppArmor profile"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "AllowedAppArmorProfilesInKubernetesClusterNamespaceExclusion": {
        "type": "Array",
        "metadata": {
          "displayName": "Kubernetes namespaces to exclude from monitoring of containers modification of AppArmor profile",
          "description": "List of Kubernetes namespaces to exclude from evaluation to monitoring of containers modifying of AppArmor profile in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "AllowedAppArmorProfilesInKubernetesClusterList": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed AppArmor profiles",
          "description": "The list of AppArmor profiles that containers are allowed to use. E.g. 'runtime/default;docker/default'. Provide empty list as input to block everything."
        },
        "defaultValue": []
      },
      "AllowedHostNetworkingAndPortsInKubernetesClusterEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Usage of host networking and ports should be restricted",
          "description": "Enable or disable monitoring of Kubernetes containers' host networking and port ranges"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "AllowedHostNetworkingAndPortsInKubernetesClusterNamespaceExclusion": {
        "type": "Array",
        "metadata": {
          "displayName": "Kubernetes namespaces to exclude from monitoring of containers host networking and ports",
          "description": "List of Kubernetes namespaces to exclude from evaluation to monitoring of containers host networking and ports in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "AllowHostNetworkingInKubernetesCluster": {
        "type": "Boolean",
        "metadata": {
          "displayName": "Allow host network usage",
          "description": "Set this value to true if pod is allowed to use host network otherwise false."
        },
        "defaultValue": false
      },
      "AllowedHostMinPortInKubernetesCluster": {
        "type": "Integer",
        "metadata": {
          "displayName": "Min host port",
          "description": "The minimum value in the allowable host port range that pods can use in the host network namespace."
        },
        "defaultValue": 0
      },
      "AllowedHostMaxPortInKubernetesCluster": {
        "type": "Integer",
        "metadata": {
          "displayName": "Max host port",
          "description": "The maximum value in the allowable host port range that pods can use in the host network namespace."
        },
        "defaultValue": 0
      },
      "AllowedHostPathVolumesInKubernetesClusterEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Usage of pod HostPath volume mounts should be restricted to a known list to restrict node access from compromised containers",
          "description": "Enable or disable monitoring of pod HostPath volume mounts in Kubernetes clusters"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "AllowedHostPathVolumesInKubernetesClusterNamespaceExclusion": {
        "type": "Array",
        "metadata": {
          "displayName": "Kubernetes namespaces to exclude from monitoring of pod HostPath volume mounts",
          "description": "List of Kubernetes namespaces to exclude from evaluation to monitoring of pod HostPath volume mounts in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "AllowedHostPathVolumesInKubernetesClusterList": {
        "type": "Object",
        "metadata": {
          "displayName": "Allowed host paths",
          "description": "The host paths allowed for pod hostPath volumes to use. Provide an empty paths list to block all host paths.",
          "schema": {
            "type": "object",
            "properties": {
              "paths": {
                "type": "array",
                "items": {
                  "type": "object",
                  "properties": {
                    "pathPrefix": {
                      "type": "string"
                    },
                    "readOnly": {
                      "type": "boolean"
                    }
                  },
                  "required": [
                    "pathPrefix",
                    "readOnly"
                  ],
                  "additionalProperties": false
                }
              }
            },
            "required": [
              "paths"
            ],
            "additionalProperties": false
          }
        },
        "defaultValue": {
          "paths": []
        }
      },
      "memoryAndCPULimitsInKubernetesClusterEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Containers' CPU and memory limits should be enforced",
          "description": "Enable or disable monitoring of containers' CPU and memory limits in Kubernetes clusters"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "memoryInKubernetesClusterLimit": {
        "type": "String",
        "metadata": {
          "displayName": "Max allowed memory bytes in Kubernetes cluster",
          "description": "The maximum memory bytes allowed for a container. E.g. 1Gi. For more information, please refer https://aka.ms/k8s-policy-pod-limits"
        },
        "defaultValue": "0"
      },
      "CPUInKubernetesClusterLimit": {
        "type": "String",
        "metadata": {
          "displayName": "Max allowed CPU units in Kubernetes cluster",
          "description": "The maximum CPU units allowed for a container. E.g. 200m. For more information, please refer https://aka.ms/k8s-policy-pod-limits"
        },
        "defaultValue": "0"
      },
      "memoryAndCPULimitsInKubernetesClusterNamespaceExclusion": {
        "type": "Array",
        "metadata": {
          "displayName": "Kubernetes namespaces to exclude from monitoring of memory and CPU limits",
          "description": "List of Kubernetes namespaces to exclude from evaluation of memory and CPU limits in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "MustRunAsNonRootNamespaceExclusion": {
        "type": "Array",
        "metadata": {
          "displayName": "Kubernetes namespaces to exclude from monitoring of containers running as root user",
          "description": "List of Kubernetes namespaces to exclude from evaluation to monitoring of containers running as root users. To list multiple namespaces, use semicolons (;) to separate them."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "MustRunAsNonRootNamespaceEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Kubernetes containers should not be run as root user",
          "description": "Enable or disable monitoring of containers running as root user in Kubernetes nodes"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "arcEnabledKubernetesClustersShouldHaveAzureDefendersExtensionInstalled": {
        "type": "String",
        "metadata": {
          "displayName": "Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed",
          "description": "Enable or disable the monitoring of Arc enabled Kubernetes clusters without Azure Defender's extension installed"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "containerRegistryVulnerabilityAssessmentEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Vulnerabilities in Azure Container Registry images should be remediated",
          "description": "Enable or disable monitoring of Azure container registries by Azure Security Center vulnerability assessment (powered by Qualys)"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "disallowPublicBlobAccessEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Storage account public access should be disallowed",
          "description": "Enable or disable reporting of Storage Accounts that allow public access"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "azureBackupShouldBeEnabledForVirtualMachinesMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Azure Backup should be enabled for Virtual Machines",
          "description": "Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "managedIdentityShouldBeUsedInYourFunctionAppMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Managed identity should be used in your Function App",
          "description": "Use a managed identity for enhanced authentication security"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "georedundantBackupShouldBeEnabledForAzureDatabaseForMariadbMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Georedundant backup should be enabled for Azure Database for MariaDB",
          "description": "Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create."
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "managedIdentityShouldBeUsedInYourWebAppMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Managed identity should be used in your Web App",
          "description": "Use a managed identity for enhanced authentication security"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "georedundantBackupShouldBeEnabledForAzureDatabaseForPostgresqlMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Georedundant backup should be enabled for Azure Database for PostgreSQL",
          "description": "Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create."
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "ensureWEBAppHasClientCertificatesIncomingClientCertificatesSetToOnMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Ensure WEB app has Client Certificates Incoming client certificates set to On",
          "description": "Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app."
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "georedundantBackupShouldBeEnabledForAzureDatabaseForMysqlMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Georedundant backup should be enabled for Azure Database for MySQL",
          "description": "Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create."
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "latestTLSVersionShouldBeUsedInYourAPIAppMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Latest TLS version should be used in your API App",
          "description": "Upgrade to the latest TLS version"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "diagnosticLogsInAppServicesShouldBeEnabledMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Resource logs in App Services should be enabled",
          "description": "Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "managedIdentityShouldBeUsedInYourAPIAppMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Managed identity should be used in your API App",
          "description": "Use a managed identity for enhanced authentication security"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "enforceSSLConnectionShouldBeEnabledForPostgresqlDatabaseServersMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Enforce SSL connection should be enabled for PostgreSQL database servers",
          "description": "Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server."
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "enforceSSLConnectionShouldBeEnabledForMysqlDatabaseServersMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Enforce SSL connection should be enabled for MySQL database servers",
          "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server."
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "latestTLSVersionShouldBeUsedInYourWebAppMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Latest TLS version should be used in your Web App",
          "description": "Upgrade to the latest TLS version"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "latestTLSVersionShouldBeUsedInYourFunctionAppMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Latest TLS version should be used in your Function App",
          "description": "Upgrade to the latest TLS version"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "ensureThatPHPVersionIsTheLatestIfUsedAsAPartOfTheApiAppMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Ensure that PHP version is the latest if used as a part of the API app",
          "description": "Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "ensureThatPHPVersionIsTheLatestIfUsedAsAPartOfTheWEBAppMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Ensure that PHP version is the latest if used as a part of the WEB app",
          "description": "Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "ensureThatJavaVersionIsTheLatestIfUsedAsAPartOfTheWebAppMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Ensure that Java version is the latest if used as a part of the Web app",
          "description": "Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "ensureThatJavaVersionIsTheLatestIfUsedAsAPartOfTheFunctionAppMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Ensure that Java version is the latest if used as a part of the Function app",
          "description": "Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "ensureThatJavaVersionIsTheLatestIfUsedAsAPartOfTheApiAppMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Ensure that Java version is the latest if used as a part of the API app",
          "description": "Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "ensureThatPythonVersionIsTheLatestIfUsedAsAPartOfTheWebAppMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Ensure that Python version is the latest if used as a part of the Web app",
          "description": "Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "ensureThatPythonVersionIsTheLatestIfUsedAsAPartOfTheFunctionAppMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Ensure that Python version is the latest if used as a part of the Function app",
          "description": "Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "ensureThatPythonVersionIsTheLatestIfUsedAsAPartOfTheApiAppMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Ensure that Python version is the latest if used as a part of the API app",
          "description": "Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "privateEndpointShouldBeEnabledForPostgresqlServersMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Private endpoint should be enabled for PostgreSQL servers",
          "description": "Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "privateEndpointShouldBeEnabledForMariadbServersMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Private endpoint should be enabled for MariaDB servers",
          "description": "Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "privateEndpointShouldBeEnabledForMysqlServersMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Private endpoint should be enabled for MySQL servers",
          "description": "Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "sQLServersShouldBeConfiguredWithAuditingRetentionDaysGreaterThan90DaysMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "SQL servers should be configured with auditing retention days greater than 90 days",
          "description": "Audit SQL servers configured with an auditing retention period of less than 90 days."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "fTPSOnlyShouldBeRequiredInYourFunctionAppMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "FTPS only should be required in your Function App",
          "description": "Enable FTPS enforcement for enhanced security"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "fTPSShouldBeRequiredInYourWebAppMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "FTPS should be required in your Web App",
          "description": "Enable FTPS enforcement for enhanced security"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "fTPSOnlyShouldBeRequiredInYourAPIAppMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "FTPS only should be required in your API App",
          "description": "Enable FTPS enforcement for enhanced security"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "functionAppsShouldHaveClientCertificatesEnabledMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Function apps should have 'Client Certificates (Incoming client certificates)' enabled",
          "description": "Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app."
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "cognitiveServicesAccountsShouldEnableDataEncryptionWithACustomerManagedKeyMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Cognitive Services accounts should enable data encryption with a customer-managed key",
          "description": "Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed key encryption at https://aka.ms/cosmosdb-cmk."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "azureCosmosDbAccountsShouldUseCustomerManagedKeysToEncryptDataAtRestMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest",
          "description": "Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed key encryption at https://aka.ms/cosmosdb-cmk."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "disabled"
      },
      "keyVaultsShouldHavePurgeProtectionEnabledMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Key vaults should have purge protection enabled",
          "description": "Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "keyVaultsShouldHaveSoftDeleteEnabledMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Key vaults should have soft delete enabled",
          "description": "Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "azureCacheForRedisShouldResideWithinAVirtualNetworkMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Azure Cache for Redis should reside within a virtual network",
          "description": "Azure Virtual Network deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access. When an Azure Cache for Redis instance is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "storageAccountsShouldUseCustomerManagedKeyForEncryptionMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Storage accounts should use customer-managed key for encryption",
          "description": "Secure your storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data."
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "storageAccountsShouldRestrictNetworkAccessUsingVirtualNetworkRulesMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Storage accounts should restrict network access using virtual network rules",
          "description": "Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "containerRegistriesShouldBeEncryptedWithACustomerManagedKeyMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Container registries should be encrypted with a customer-managed key",
          "description": "Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed key encryption at https://aka.ms/acr/CMK."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "containerRegistriesShouldNotAllowUnrestrictedNetworkAccessMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Container registries should not allow unrestricted network access",
          "description": "Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. If your registry doesn't have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/portal/public-network and here https://aka.ms/acr/vnet."
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "containerRegistriesShouldUsePrivateLinkMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Container registries should use private link",
          "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link."
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "appConfigurationShouldUsePrivateLinkMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "App Configuration should use private link",
          "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "azureEventGridDomainsShouldUsePrivateLinkMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Azure Event Grid domains should use private link",
          "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domains instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints."
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "azureEventGridTopicsShouldUsePrivateLinkMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Azure Event Grid topics should use private link",
          "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your topics instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints."
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "azureSignalRServiceShouldUsePrivateLinkMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Azure SignalR Service should use private link",
          "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your SignalR resources instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/asrs/privatelink."
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "azureMachineLearningWorkspacesShouldBeEncryptedWithACustomerManagedKeyMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Azure Machine Learning workspaces should be encrypted with a customer-managed key",
          "description": "Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed key encryption at https://aka.ms/azureml-workspaces-cmk."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "azureMachineLearningWorkspacesShouldUsePrivateLinkMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Azure Machine Learning workspaces should use private link",
          "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Machine Learning workspaces instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/azureml-workspaces-privatelink."
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "webApplicationFirewallShouldBeEnabledForAzureFrontDoorServiceServiceMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Web Application Firewall (WAF) should be enabled for Azure Front Door Service service",
          "description": "Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "webApplicationFirewallShouldBeEnabledForApplicationGatewayMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Web Application Firewall (WAF) should be enabled for Application Gateway",
          "description": "Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "publicNetworkAccessShouldBeDisabledForMariaDbServersMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Public network access should be disabled for MariaDB servers",
          "description": "Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules."
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "publicNetworkAccessShouldBeDisabledForMySqlServersMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Public network access should be disabled for MySQL servers",
          "description": "Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules."
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "bringYourOwnKeyDataProtectionShouldBeEnabledForMySqlServersMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "MySQL servers should use customer-managed keys to encrypt data at rest",
          "description": "Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "publicNetworkAccessShouldBeDisabledForPostgreSqlServersMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Public network access should be disabled for PostgreSQL servers",
          "description": "Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules."
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "bringYourOwnKeyDataProtectionShouldBeEnabledForPostgreSqlServersMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "PostgreSQL servers should use customer-managed keys to encrypt data at rest",
          "description": "Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "vmImageBuilderTemplatesShouldUsePrivateLinkMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "VM Image Builder templates should use private link",
          "description": "Audit VM Image Builder templates that do not have a virtual network configured. When a virtual network is not configured, a public IP is created and used instead which may directly expose resources to the internet and increase the potential attack surface."
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "firewallShouldBeEnabledOnKeyVaultMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Firewall should be enabled on Key Vault",
          "description": "Key vault's firewall prevents unauthorized traffic from reaching your key vault and provides an additional layer of protection for your secrets. Enable the firewall to make sure that only traffic from allowed networks can access your key vault."
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "privateEndpointShouldBeConfiguredForKeyVaultMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Private endpoint should be configured for Key Vault",
          "description": "Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration."
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "azureSpringCloudShouldUseNetworkInjectionMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Azure Spring Cloud should use network injection",
          "description": "Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "subscriptionsShouldHaveAContactEmailAddressForSecurityIssuesMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Subscriptions should have a contact email address for security issues",
          "description": "To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "autoProvisioningOfTheLogAnalyticsAgentShouldBeEnabledOnYourSubscriptionMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Auto provisioning of the Log Analytics agent should be enabled on your subscription",
          "description": "To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "emailNotificationForHighSeverityAlertsShouldBeEnabledMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Email notification for high severity alerts should be enabled",
          "description": "To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "emailNotificationToSubscriptionOwnerForHighSeverityAlertsShouldBeEnabledMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Email notification to subscription owner for high severity alerts should be enabled",
          "description": "To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "storageAccountShouldUseAPrivateLinkConnectionMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Storage account should use a private link connection",
          "description": "Private links enforce secure communication, by providing private connectivity to the storage account"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "authenticationToLinuxMachinesShouldRequireSSHKeysMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Authentication to Linux machines should require SSH keys",
          "description": "Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "privateEndpointConnectionsOnAzureSQLDatabaseShouldBeEnabledMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Private endpoint connections on Azure SQL Database should be enabled",
          "description": "Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database."
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "publicNetworkAccessOnAzureSQLDatabaseShouldBeDisabledMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Public network access on Azure SQL Database should be disabled",
          "description": "Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "ensureAPIAppHasClientCertificatesIncomingClientCertificatesSetToOnMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Ensure API app has Client Certificates Incoming client certificates set to On",
          "description": "Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app."
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "kubernetesClustersShouldBeAccessibleOnlyOverHTTPSMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Kubernetes clusters should be accessible only over HTTPS",
          "description": "Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "kubernetesClustersShouldBeAccessibleOnlyOverHTTPSExcludedNamespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace exclusions",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "kubernetesClustersShouldBeAccessibleOnlyOverHTTPSNamespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace inclusions",
          "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
        },
        "defaultValue": []
      },
      "windowsWebServersShouldBeConfiguredToUseSecureCommunicationProtocolsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Windows web servers should be configured to use secure communication protocols",
          "description": "To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "windowsWebServersShouldBeConfiguredToUseSecureCommunicationProtocolsIncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "windowsWebServersShouldBeConfiguredToUseSecureCommunicationProtocolsMinimumTLSVersion": {
        "type": "String",
        "metadata": {
          "displayName": "Minimum TLS version",
          "description": "The minimum TLS protocol version that should be enabled. Windows web servers with lower TLS versions will be marked as non-compliant."
        },
        "allowedValues": [
          "1.1",
          "1.2"
        ],
        "defaultValue": "1.1"
      },
      "cognitiveServicesAccountsShouldRestrictNetworkAccessMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Cognitive Services accounts should restrict network access",
          "description": "Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "cognitiveServicesAccountsShouldUseCustomerOwnedStorageOrEnableDataEncryptionMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Cognitive Services accounts should use customer owned storage or enable data encryption",
          "description": "This policy audits any Cognitive Services account not using customer owned storage nor data encryption. For each Cognitive Services account with storage, use either customer owned storage or enable data encryption.",
          "deprecated": true
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "publicNetworkAccessShouldBeDisabledForCognitiveServicesAccountsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Public network access should be disabled for Cognitive Services accounts",
          "description": "This policy audits any Cognitive Services account in your environment with public network access enabled. Public network access should be disabled so that only connections from private endpoints are allowed."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "cognitiveServicesAccountsShouldEnableDataEncryptionMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Cognitive Services accounts should enable data encryption",
          "description": "This policy audits any Cognitive Services account not using data encryption. For each Cognitive Services account with storage, should enable data encryption with either customer managed or Microsoft managed key.",
          "deprecated": true
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "aPIManagementServicesShouldUseAVirtualNetworkMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "API Management services should use a virtual network",
          "description": "Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network."
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "aPIManagementServicesShouldUseAVirtualNetworkEvaluatedSkuNames": {
        "type": "Array",
        "metadata": {
          "displayName": "API Management SKU Names",
          "description": "List of API Management SKUs against which this policy will be evaluated."
        },
        "allowedValues": [
          "Developer",
          "Basic",
          "Standard",
          "Premium",
          "Consumption"
        ],
        "defaultValue": [
          "Developer",
          "Premium"
        ]
      },
      "azureCosmosDBAccountsShouldHaveFirewallRulesMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Azure Cosmos DB accounts should have firewall rules",
          "description": "Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "networkWatcherShouldBeEnabledMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Network Watcher should be enabled",
          "description": "Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. Network diagnostic and visualization tools available with Network Watcher help you understand, diagnose, and gain insights to your network in Azure."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "networkWatcherShouldBeEnabledListOfLocations": {
        "type": "Array",
        "metadata": {
          "displayName": "[Deprecated]: List of regions where Network Watcher should be enabled",
          "description": "To see a complete list of regions, run the PowerShell command Get-AzLocation",
          "strongType": "location",
          "deprecated": true
        },
        "defaultValue": []
      },
      "networkWatcherShouldBeEnabledResourceGroupName": {
        "type": "String",
        "metadata": {
          "displayName": "Name of the resource group for Network Watcher",
          "description": "Name of the resource group where Network Watchers are located"
        },
        "defaultValue": "NetworkWatcherRG"
      },
      "AzureDefenderForResourceManagerShouldBeEnabledMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Azure Defender for Resource Manager should be enabled",
          "description": "Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center ."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "AzureDefenderForDNSShouldBeEnabledMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Azure Defender for DNS should be enabled",
          "description": "Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center ."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "KubernetesClustersShouldNotUseTheDefaultNamespaceMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Kubernetes clusters should not use the default namespace",
          "description": "Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "KubernetesClustersShouldDisableAutomountingAPICredentialsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Kubernetes clusters should disable automounting API credentials",
          "description": "Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "KubernetesClustersShouldNotGrantCAPSYSADMINSecurityCapabilitiesMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Kubernetes clusters should not grant CAPSYSADMIN security capabilities",
          "description": "To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "VtpmShouldBeEnabledOnSupportedVirtualMachinesMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "vTPM should be enabled on supported virtual machines",
          "description": "Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines."
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "SecureBootShouldBeEnabledOnSupportedWindowsVirtualMachinesMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Secure Boot should be enabled on supported Windows virtual machines",
          "description": "Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment only applies to trusted launch enabled Windows virtual machines."
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "GuestAttestationExtensionShouldBeInstalledOnSupportedLinuxVirtualMachinesMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Guest Attestation extension should be installed on supported Linux virtual machines",
          "description": "Install Guest Attestation extension on supported Linux virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled Linux virtual machines."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "GuestAttestationExtensionShouldBeInstalledOnSupportedLinuxVirtualMachinesScaleSetsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Guest Attestation extension should be installed on supported Linux virtual machines scale sets",
          "description": "Install Guest Attestation extension on supported Linux virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled Linux virtual machine scale sets."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "GuestAttestationExtensionShouldBeInstalledOnSupportedWindowsVirtualMachinesMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Guest Attestation extension should be installed on supported Windows virtual machines",
          "description": "Install Guest Attestation extension on supported virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled virtual machines."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "GuestAttestationExtensionShouldBeInstalledOnSupportedWindowsVirtualMachinesScaleSetsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Guest Attestation extension should be installed on supported Windows virtual machines scale sets",
          "description": "Install Guest Attestation extension on supported virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled virtual machine scale sets."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "useServicePrincipalToProtectSubscriptionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6646a0bd-e110-40ca-bb97-84fcee63c414",
        "parameters": {
          "effect": {
            "value": "[parameters('useServicePrincipalToProtectSubscriptionsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_IM-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "resolveLogAnalyticsHealthIssuesMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d62cfe2b-3ab0-4d41-980d-76803b58ca65",
        "parameters": {
          "effect": {
            "value": "[parameters('resolveLogAnalyticsHealthIssuesMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "installLogAnalyticsAgentOnVmMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499",
        "parameters": {
          "effect": {
            "value": "[parameters('installLogAnalyticsAgentOnVmMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "installLogAnalyticsAgentOnVmssMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b",
        "parameters": {
          "effect": {
            "value": "[parameters('installLogAnalyticsAgentOnVmssMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "certificatesValidityPeriodMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560",
        "parameters": {
          "effect": {
            "value": "[parameters('certificatesValidityPeriodMonitoringEffect')]"
          },
          "maximumValidityInMonths": {
            "value": "[parameters('certificatesValidityPeriodInMonths')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PA-5",
          "Azure_Security_Benchmark_v2.0_IM-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "secretsExpirationSet",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37",
        "parameters": {
          "effect": {
            "value": "[parameters('secretsExpirationSetEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PA-5",
          "Azure_Security_Benchmark_v2.0_IM-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "keysExpirationSet",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0",
        "parameters": {
          "effect": {
            "value": "[parameters('keysExpirationSetEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PA-5",
          "Azure_Security_Benchmark_v2.0_IM-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "vmssOsVulnerabilitiesMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4",
        "parameters": {
          "effect": {
            "value": "[parameters('vmssOsVulnerabilitiesMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "vmssEndpointProtectionMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de",
        "parameters": {
          "effect": {
            "value": "[parameters('vmssEndpointProtectionMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_ES-2",
          "Azure_Security_Benchmark_v2.0_ES-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "vmssSystemUpdatesMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
        "parameters": {
          "effect": {
            "value": "[parameters('vmssSystemUpdatesMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "gcExtOnVMMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c",
        "parameters": {
          "effect": {
            "value": "[parameters('azurePolicyforWindowsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "gcExtOnVMWithNoSAMIMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a",
        "parameters": {
          "effect": {
            "value": "[parameters('gcExtOnVMWithNoSAMIMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "windowsDefenderExploitGuardMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40",
        "parameters": {
          "effect": {
            "value": "[parameters('windowsDefenderExploitGuardMonitoringEffect')]"
          },
          "NotAvailableMachineState": {
            "value": "Compliant"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_ES-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "windowsGuestConfigBaselinesMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc",
        "parameters": {
          "effect": {
            "value": "[parameters('windowsGuestConfigBaselinesMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "linuxGuestConfigBaselinesMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd",
        "parameters": {
          "effect": {
            "value": "[parameters('linuxGuestConfigBaselinesMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "diagnosticsLogsInIoTHubMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4",
        "parameters": {
          "effect": {
            "value": "[parameters('diagnosticsLogsInIoTHubMonitoringEffect')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('diagnosticsLogsInIoTHubRetentionDays')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "diagnosticsLogsInServiceFabricMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1",
        "parameters": {
          "effect": {
            "value": "[parameters('diagnosticsLogsInServiceFabricMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "disableUnrestrictedNetworkToStorageAccountMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c",
        "parameters": {
          "effect": {
            "value": "[parameters('disableUnrestrictedNetworkToStorageAccountMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-1",
          "Azure_Security_Benchmark_v2.0_NS-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "useRbacRulesMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5",
        "parameters": {
          "effect": {
            "value": "[parameters('useRbacRulesMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PA-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "diagnosticsLogsInStreamAnalyticsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46",
        "parameters": {
          "effect": {
            "value": "[parameters('diagnosticsLogsInStreamAnalyticsMonitoringEffect')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('diagnosticsLogsInStreamAnalyticsRetentionDays')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "secureTransferToStorageAccountMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
        "parameters": {
          "effect": {
            "value": "[parameters('secureTransferToStorageAccountMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "aadAuthenticationInSqlServerMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9",
        "parameters": {
          "effect": {
            "value": "[parameters('aadAuthenticationInSqlServerMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_IM-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "diagnosticsLogsInServiceBusMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45",
        "parameters": {
          "effect": {
            "value": "[parameters('diagnosticsLogsInServiceBusMonitoringEffect')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('diagnosticsLogsInServiceBusRetentionDays')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "clusterProtectionLevelInServiceFabricMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68",
        "parameters": {
          "effect": {
            "value": "[parameters('clusterProtectionLevelInServiceFabricMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "aadAuthenticationInServiceFabricMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0",
        "parameters": {
          "effect": {
            "value": "[parameters('aadAuthenticationInServiceFabricMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_IM-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "diagnosticsLogsInSearchServiceMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4",
        "parameters": {
          "effect": {
            "value": "[parameters('diagnosticsLogsInSearchServiceMonitoringEffect')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('diagnosticsLogsInSearchServiceRetentionDays')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "diagnosticsLogsInRedisCacheMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb",
        "parameters": {
          "effect": {
            "value": "[parameters('diagnosticsLogsInRedisCacheMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "diagnosticsLogsInLogicAppsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d",
        "parameters": {
          "effect": {
            "value": "[parameters('diagnosticsLogsInLogicAppsMonitoringEffect')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('diagnosticsLogsInLogicAppsRetentionDays')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "diagnosticsLogsInKeyVaultMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21",
        "parameters": {
          "effect": {
            "value": "[parameters('diagnosticsLogsInKeyVaultMonitoringEffect')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('diagnosticsLogsInKeyVaultRetentionDays')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "diagnosticsLogsInEventHubMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a",
        "parameters": {
          "effect": {
            "value": "[parameters('diagnosticsLogsInEventHubMonitoringEffect')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('diagnosticsLogsInEventHubRetentionDays')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "diagnosticsLogsInDataLakeStoreMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb",
        "parameters": {
          "effect": {
            "value": "[parameters('diagnosticsLogsInDataLakeStoreMonitoringEffect')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('diagnosticsLogsInDataLakeStoreRetentionDays')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "diagnosticsLogsInDataLakeAnalyticsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c",
        "parameters": {
          "effect": {
            "value": "[parameters('diagnosticsLogsInDataLakeAnalyticsMonitoringEffect')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('diagnosticsLogsInDataLakeAnalyticsRetentionDays')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "classicStorageAccountsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606",
        "parameters": {
          "effect": {
            "value": "[parameters('classicStorageAccountsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_AM-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "classicComputeVMsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d",
        "parameters": {
          "effect": {
            "value": "[parameters('classicComputeVMsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_AM-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "diagnosticsLogsInBatchAccountMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d",
        "parameters": {
          "effect": {
            "value": "[parameters('diagnosticsLogsInBatchAccountMonitoringEffect')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('diagnosticsLogsInBatchAccountRetentionDays')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "encryptionOfAutomationAccountMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735",
        "parameters": {
          "effect": {
            "value": "[parameters('encryptionOfAutomationAccountMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "sqlDbEncryptionMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12",
        "parameters": {
          "effect": {
            "value": "[parameters('sqlDbEncryptionMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-2",
          "Azure_Security_Benchmark_v2.0_DP-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "sqlServerAuditingMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9",
        "parameters": {
          "effect": {
            "value": "[parameters('sqlServerAuditingMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "systemUpdatesMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
        "parameters": {
          "effect": {
            "value": "[parameters('systemUpdatesMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "jitNetworkAccessMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c",
        "parameters": {
          "effect": {
            "value": "[parameters('jitNetworkAccessMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-1",
          "Azure_Security_Benchmark_v2.0_NS-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "adaptiveApplicationControlsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc",
        "parameters": {
          "effect": {
            "value": "[parameters('adaptiveApplicationControlsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_AM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "adaptiveApplicationControlsUpdateMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/123a3936-f020-408a-ba0c-47873faf1534",
        "parameters": {
          "effect": {
            "value": "[parameters('adaptiveApplicationControlsUpdateMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_AM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "networkSecurityGroupsOnSubnetsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517",
        "parameters": {
          "effect": {
            "value": "[parameters('networkSecurityGroupsOnSubnetsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-1",
          "Azure_Security_Benchmark_v2.0_NS-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "networkSecurityGroupsOnVirtualMachinesMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c",
        "parameters": {
          "effect": {
            "value": "[parameters('networkSecurityGroupsOnVirtualMachinesMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-1",
          "Azure_Security_Benchmark_v2.0_NS-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "networkSecurityGroupsOnInternalVirtualMachinesMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6",
        "parameters": {
          "effect": {
            "value": "[parameters('networkSecurityGroupsOnInternalVirtualMachinesMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "systemConfigurationsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15",
        "parameters": {
          "effect": {
            "value": "[parameters('systemConfigurationsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "endpointProtectionMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9",
        "parameters": {
          "effect": {
            "value": "[parameters('endpointProtectionMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_ES-2",
          "Azure_Security_Benchmark_v2.0_ES-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "diskEncryptionMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d",
        "parameters": {
          "effect": {
            "value": "[parameters('diskEncryptionMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-2",
          "Azure_Security_Benchmark_v2.0_DP-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "serverVulnerabilityAssessment",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9",
        "parameters": {
          "effect": {
            "value": "[parameters('serverVulnerabilityAssessmentEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "nextGenerationFirewallMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6",
        "parameters": {
          "effect": {
            "value": "[parameters('nextGenerationFirewallMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-1",
          "Azure_Security_Benchmark_v2.0_NS-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "sqlDbVulnerabilityAssesmentMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc",
        "parameters": {
          "effect": {
            "value": "[parameters('sqlDbVulnerabilityAssesmentMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "serverSqlDbVulnerabilityAssesmentMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d",
        "parameters": {
          "effect": {
            "value": "[parameters('serverSqlDbVulnerabilityAssesmentMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "sqlDbDataClassificationMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349",
        "parameters": {
          "effect": {
            "value": "[parameters('sqlDbDataClassificationMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "identityDesignateLessThanOwnersMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c",
        "parameters": {
          "effect": {
            "value": "[parameters('identityDesignateLessThanOwnersMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PA-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "identityDesignateMoreThanOneOwnerMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b",
        "parameters": {
          "effect": {
            "value": "[parameters('identityDesignateMoreThanOneOwnerMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PA-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "identityEnableMFAForOwnerPermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed",
        "parameters": {
          "effect": {
            "value": "[parameters('identityEnableMFAForOwnerPermissionsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_IM-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "identityEnableMFAForWritePermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3",
        "parameters": {
          "effect": {
            "value": "[parameters('identityEnableMFAForWritePermissionsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_IM-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "identityEnableMFAForReadPermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64",
        "parameters": {
          "effect": {
            "value": "[parameters('identityEnableMFAForReadPermissionsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_IM-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad",
        "parameters": {
          "effect": {
            "value": "[parameters('identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PA-1",
          "Azure_Security_Benchmark_v2.0_PA-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "identityRemoveDeprecatedAccountMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474",
        "parameters": {
          "effect": {
            "value": "[parameters('identityRemoveDeprecatedAccountMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PA-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "identityRemoveExternalAccountWithOwnerPermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9",
        "parameters": {
          "effect": {
            "value": "[parameters('identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PA-1",
          "Azure_Security_Benchmark_v2.0_PA-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "identityRemoveExternalAccountWithWritePermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4",
        "parameters": {
          "effect": {
            "value": "[parameters('identityRemoveExternalAccountWithWritePermissionsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PA-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "identityRemoveExternalAccountWithReadPermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60",
        "parameters": {
          "effect": {
            "value": "[parameters('identityRemoveExternalAccountWithReadPermissionsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PA-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "apiAppDisableRemoteDebuggingMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e",
        "parameters": {
          "effect": {
            "value": "[parameters('apiAppDisableRemoteDebuggingMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "functionAppDisableRemoteDebuggingMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9",
        "parameters": {
          "effect": {
            "value": "[parameters('functionAppDisableRemoteDebuggingMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "webAppDisableRemoteDebuggingMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71",
        "parameters": {
          "effect": {
            "value": "[parameters('webAppDisableRemoteDebuggingMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "apiAppEnforceHttpsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6",
        "parameters": {
          "effect": {
            "value": "[parameters('apiAppEnforceHttpsMonitoringEffectV2')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "functionAppEnforceHttpsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab",
        "parameters": {
          "effect": {
            "value": "[parameters('functionAppEnforceHttpsMonitoringEffectV2')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "webAppEnforceHttpsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d",
        "parameters": {
          "effect": {
            "value": "[parameters('webAppEnforceHttpsMonitoringEffectV2')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "apiAppRestrictCORSAccessMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac",
        "parameters": {
          "effect": {
            "value": "[parameters('apiAppRestrictCORSAccessMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "functionAppRestrictCORSAccessMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5",
        "parameters": {
          "effect": {
            "value": "[parameters('functionAppRestrictCORSAccessMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "webAppRestrictCORSAccessMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9",
        "parameters": {
          "effect": {
            "value": "[parameters('webAppRestrictCORSAccessMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "vnetEnableDDoSProtectionMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd",
        "parameters": {
          "effect": {
            "value": "[parameters('vnetEnableDDoSProtectionMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "sqlServerAdvancedDataSecurityMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9",
        "parameters": {
          "effect": {
            "value": "[parameters('sqlServerAdvancedDataSecurityMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "sqlManagedInstanceAdvancedDataSecurityMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9",
        "parameters": {
          "effect": {
            "value": "[parameters('sqlManagedInstanceAdvancedDataSecurityMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-2",
          "Azure_Security_Benchmark_v2.0_DP-3",
          "Azure_Security_Benchmark_v2.0_LT-1",
          "Azure_Security_Benchmark_v2.0_LT-2",
          "Azure_Security_Benchmark_v2.0_IR-3",
          "Azure_Security_Benchmark_v2.0_IR-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "kubernetesServiceRbacEnabledMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457",
        "parameters": {
          "effect": {
            "value": "[parameters('kubernetesServiceRbacEnabledMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PA-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "kubernetesServiceAuthorizedIPRangesEnabledMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea",
        "parameters": {
          "effect": {
            "value": "[parameters('kubernetesServiceAuthorizedIPRangesEnabledMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-1",
          "Azure_Security_Benchmark_v2.0_NS-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "vulnerabilityAssessmentOnServerMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9",
        "parameters": {
          "effect": {
            "value": "[parameters('vulnerabilityAssessmentOnServerMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "vulnerabilityAssessmentOnManagedInstanceMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a",
        "parameters": {
          "effect": {
            "value": "[parameters('vulnerabilityAssessmentOnManagedInstanceMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "adaptiveNetworkHardeningsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6",
        "parameters": {
          "effect": {
            "value": "[parameters('adaptiveNetworkHardeningsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-1",
          "Azure_Security_Benchmark_v2.0_NS-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "restrictAccessToManagementPortsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917",
        "parameters": {
          "effect": {
            "value": "[parameters('restrictAccessToManagementPortsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "disableIPForwardingMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744",
        "parameters": {
          "effect": {
            "value": "[parameters('disableIPForwardingMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-1",
          "Azure_Security_Benchmark_v2.0_NS-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ensureServerTDEIsEncryptedWithYourOwnKeyMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd",
        "parameters": {
          "effect": {
            "value": "[parameters('ensureServerTDEIsEncryptedWithYourOwnKeyMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ensureManagedInstanceTDEIsEncryptedWithYourOwnKeyMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260",
        "parameters": {
          "effect": {
            "value": "[parameters('ensureManagedInstanceTDEIsEncryptedWithYourOwnKeyMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "containerBenchmarkMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933",
        "parameters": {
          "effect": {
            "value": "[parameters('containerBenchmarkMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ASCDependencyAgentAuditWindowsEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d",
        "parameters": {
          "effect": {
            "value": "[parameters('ASCDependencyAgentAuditWindowsEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ASCDependencyAgentAuditLinuxEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602",
        "parameters": {
          "effect": {
            "value": "[parameters('ASCDependencyAgentAuditLinuxEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "AzureFirewallEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c",
        "parameters": {
          "effect": {
            "value": "[parameters('AzureFirewallEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-1",
          "Azure_Security_Benchmark_v2.0_NS-4",
          "Azure_Security_Benchmark_v2.0_NS-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ArcWindowsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e",
        "parameters": {
          "effect": {
            "value": "[parameters('ArcWindowsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ArcLinuxMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/842c54e8-c2f9-4d79-ae8d-38d8b8019373",
        "parameters": {
          "effect": {
            "value": "[parameters('ArcLinuxMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "keyVaultsAdvancedDataSecurityMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047",
        "parameters": {
          "effect": {
            "value": "[parameters('keyVaultsAdvancedDataSecurityMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-1",
          "Azure_Security_Benchmark_v2.0_LT-2",
          "Azure_Security_Benchmark_v2.0_IR-3",
          "Azure_Security_Benchmark_v2.0_IR-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "sqlServersAdvancedDataSecurityMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2",
        "parameters": {
          "effect": {
            "value": "[parameters('sqlServersAdvancedDataSecurityMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-2",
          "Azure_Security_Benchmark_v2.0_DP-3",
          "Azure_Security_Benchmark_v2.0_LT-1",
          "Azure_Security_Benchmark_v2.0_LT-2",
          "Azure_Security_Benchmark_v2.0_IR-3",
          "Azure_Security_Benchmark_v2.0_IR-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "sqlServersVirtualMachinesAdvancedDataSecurityMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6581d072-105e-4418-827f-bd446d56421b",
        "parameters": {
          "effect": {
            "value": "[parameters('sqlServersVirtualMachinesAdvancedDataSecurityMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-2",
          "Azure_Security_Benchmark_v2.0_DP-3",
          "Azure_Security_Benchmark_v2.0_LT-1",
          "Azure_Security_Benchmark_v2.0_LT-2",
          "Azure_Security_Benchmark_v2.0_IR-3",
          "Azure_Security_Benchmark_v2.0_IR-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "storageAccountsAdvancedDataSecurityMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa",
        "parameters": {
          "effect": {
            "value": "[parameters('storageAccountsAdvancedDataSecurityMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-2",
          "Azure_Security_Benchmark_v2.0_DP-3",
          "Azure_Security_Benchmark_v2.0_LT-1",
          "Azure_Security_Benchmark_v2.0_LT-2",
          "Azure_Security_Benchmark_v2.0_IR-3",
          "Azure_Security_Benchmark_v2.0_IR-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "appServicesAdvancedThreatProtectionMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcb",
        "parameters": {
          "effect": {
            "value": "[parameters('appServicesAdvancedThreatProtectionMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-1",
          "Azure_Security_Benchmark_v2.0_LT-2",
          "Azure_Security_Benchmark_v2.0_IR-3",
          "Azure_Security_Benchmark_v2.0_IR-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "containerRegistryAdvancedThreatProtectionMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c25d9a16-bc35-4e15-a7e5-9db606bf9ed4",
        "parameters": {
          "effect": {
            "value": "[parameters('containerRegistryAdvancedThreatProtectionMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-1",
          "Azure_Security_Benchmark_v2.0_LT-2",
          "Azure_Security_Benchmark_v2.0_IR-3",
          "Azure_Security_Benchmark_v2.0_IR-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "kubernetesServiceAdvancedThreatProtectionMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/523b5cd1-3e23-492f-a539-13118b6d1e3a",
        "parameters": {
          "effect": {
            "value": "[parameters('kubernetesServiceAdvancedThreatProtectionMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-1",
          "Azure_Security_Benchmark_v2.0_LT-2",
          "Azure_Security_Benchmark_v2.0_IR-3",
          "Azure_Security_Benchmark_v2.0_IR-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "virtualMachinesAdvancedThreatProtectionMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051d",
        "parameters": {
          "effect": {
            "value": "[parameters('virtualMachinesAdvancedThreatProtectionMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-1",
          "Azure_Security_Benchmark_v2.0_LT-2",
          "Azure_Security_Benchmark_v2.0_IR-3",
          "Azure_Security_Benchmark_v2.0_IR-5",
          "Azure_Security_Benchmark_v2.0_ES-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "azurePolicyAddonStatus",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a15ec92-a229-4763-bb14-0ea34a568f8d",
        "parameters": {
          "effect": {
            "value": "[parameters('azurePolicyAddonStatusEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ensureAllowedContainerImagesInKubernetesCluster",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/febd0533-8e55-448f-b837-bd0e06f16469",
        "parameters": {
          "effect": {
            "value": "[parameters('allowedContainerImagesInKubernetesClusterEffect')]"
          },
          "allowedContainerImagesRegex": {
            "value": "[parameters('allowedContainerImagesInKubernetesClusterRegex')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('allowedContainerImagesNamespaceExclusion')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "privilegedContainersShouldBeAvoided",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4",
        "parameters": {
          "effect": {
            "value": "[parameters('privilegedContainersShouldBeAvoidedEffect')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('privilegedContainerNamespaceExclusion')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "allowedContainerPortsInKubernetesCluster",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/440b515e-a580-421e-abeb-b159a61ddcbc",
        "parameters": {
          "effect": {
            "value": "[parameters('allowedContainerPortsInKubernetesClusterEffect')]"
          },
          "allowedContainerPortsList": {
            "value": "[parameters('allowedContainerPortsInKubernetesClusterPorts')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('allowedContainerPortsInKubernetesClusterNamespaceExclusion')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "allowedServicePortsInKubernetesCluster",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/233a2a17-77ca-4fb1-9b6b-69223d272a44",
        "parameters": {
          "effect": {
            "value": "[parameters('allowedServicePortsInKubernetesClusterEffect')]"
          },
          "allowedServicePortsList": {
            "value": "[parameters('allowedservicePortsInKubernetesClusterPorts')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('allowedServicePortsInKubernetesClusterNamespaceExclusion')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "memoryAndCPULimitsInKubernetesCluster",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e345eecc-fa47-480f-9e88-67dcc122b164",
        "parameters": {
          "effect": {
            "value": "[parameters('memoryAndCPULimitsInKubernetesClusterEffect')]"
          },
          "cpuLimit": {
            "value": "[parameters('CPUInKubernetesClusterLimit')]"
          },
          "memoryLimit": {
            "value": "[parameters('memoryInKubernetesClusterLimit')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('memoryAndCPULimitsInKubernetesClusterNamespaceExclusion')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "MustRunAsNonRoot",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f06ddb64-5fa3-4b77-b166-acb36f7f6042",
        "parameters": {
          "effect": {
            "value": "[parameters('MustRunAsNonRootNamespaceEffect')]"
          },
          "runAsUserRule": {
            "value": "MustRunAsNonRoot"
          },
          "runAsUserRanges": {
            "value": {
              "ranges": []
            }
          },
          "runAsGroupRule": {
            "value": "MayRunAs"
          },
          "runAsGroupRanges": {
            "value": {
              "ranges": [
                {
                  "min": 1,
                  "max": 65535
                }
              ]
            }
          },
          "supplementalGroupsRule": {
            "value": "MayRunAs"
          },
          "supplementalGroupsRanges": {
            "value": {
              "ranges": [
                {
                  "min": 1,
                  "max": 65535
                }
              ]
            }
          },
          "fsGroupRule": {
            "value": "MayRunAs"
          },
          "fsGroupRanges": {
            "value": {
              "ranges": [
                {
                  "min": 1,
                  "max": 65535
                }
              ]
            }
          },
          "excludedNamespaces": {
            "value": "[parameters('MustRunAsNonRootNamespaceExclusion')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "arcEnabledKubernetesClustersShouldHaveAzureDefendersExtensionInstalled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8dfab9c4-fe7b-49ad-85e4-1e9be085358f",
        "parameters": {
          "effect": {
            "value": "[parameters('arcEnabledKubernetesClustersShouldHaveAzureDefendersExtensionInstalled')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-1",
          "Azure_Security_Benchmark_v2.0_LT-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "containerRegistryVulnerabilityAssessment",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562",
        "parameters": {
          "effect": {
            "value": "[parameters('containerRegistryVulnerabilityAssessmentEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "NoPrivilegeEscalationInKubernetesCluster",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99",
        "parameters": {
          "effect": {
            "value": "[parameters('NoPrivilegeEscalationInKubernetesClusterEffect')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('NoPrivilegeEscalationInKubernetesClusterNamespaceExclusion')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "NoSharingSensitiveHostNamespacesInKubernetes",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8",
        "parameters": {
          "effect": {
            "value": "[parameters('NoSharingSensitiveHostNamespacesInKubernetesEffect')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('NoSharingSensitiveHostNamespacesInKubernetesNamespaceExclusion')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ReadOnlyRootFileSystemInKubernetesCluster",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/df49d893-a74c-421d-bc95-c663042e5b80",
        "parameters": {
          "effect": {
            "value": "[parameters('ReadOnlyRootFileSystemInKubernetesClusterEffect')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('ReadOnlyRootFileSystemInKubernetesClusterNamespaceExclusion')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "AllowedCapabilitiesInKubernetesCluster",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c",
        "parameters": {
          "effect": {
            "value": "[parameters('AllowedCapabilitiesInKubernetesClusterEffect')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('AllowedCapabilitiesInKubernetesClusterNamespaceExclusion')]"
          },
          "allowedCapabilities": {
            "value": "[parameters('AllowedCapabilitiesInKubernetesClusterList')]"
          },
          "requiredDropCapabilities": {
            "value": "[parameters('DropCapabilitiesInKubernetesClusterList')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "AllowedAppArmorProfilesInKubernetesCluster",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/511f5417-5d12-434d-ab2e-816901e72a5e",
        "parameters": {
          "effect": {
            "value": "[parameters('AllowedAppArmorProfilesInKubernetesClusterEffect')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('AllowedAppArmorProfilesInKubernetesClusterNamespaceExclusion')]"
          },
          "allowedProfiles": {
            "value": "[parameters('AllowedAppArmorProfilesInKubernetesClusterList')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "AllowedHostNetworkingAndPortsInKubernetesCluster",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82985f06-dc18-4a48-bc1c-b9f4f0098cfe",
        "parameters": {
          "effect": {
            "value": "[parameters('AllowedHostNetworkingAndPortsInKubernetesClusterEffect')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('AllowedHostNetworkingAndPortsInKubernetesClusterNamespaceExclusion')]"
          },
          "allowHostNetwork": {
            "value": "[parameters('AllowHostNetworkingInKubernetesCluster')]"
          },
          "minPort": {
            "value": "[parameters('AllowedHostMinPortInKubernetesCluster')]"
          },
          "maxPort": {
            "value": "[parameters('AllowedHostMaxPortInKubernetesCluster')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "AllowedHostPathVolumesInKubernetesCluster",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/098fc59e-46c7-4d99-9b16-64990e543d75",
        "parameters": {
          "effect": {
            "value": "[parameters('AllowedHostPathVolumesInKubernetesClusterEffect')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('AllowedHostPathVolumesInKubernetesClusterNamespaceExclusion')]"
          },
          "allowedHostPaths": {
            "value": "[parameters('AllowedHostPathVolumesInKubernetesClusterList')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "StorageDisallowPublicAccess",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751",
        "parameters": {
          "effect": {
            "value": "[parameters('disallowPublicBlobAccessEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "azureBackupShouldBeEnabledForVirtualMachinesMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d",
        "parameters": {
          "effect": {
            "value": "[parameters('azureBackupShouldBeEnabledForVirtualMachinesMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_BR-1",
          "Azure_Security_Benchmark_v2.0_BR-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "managedIdentityShouldBeUsedInYourFunctionAppMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f",
        "parameters": {
          "effect": {
            "value": "[parameters('managedIdentityShouldBeUsedInYourFunctionAppMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_IM-1",
          "Azure_Security_Benchmark_v2.0_IM-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "georedundantBackupShouldBeEnabledForAzureDatabaseForMariadbMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0",
        "parameters": {
          "effect": {
            "value": "[parameters('georedundantBackupShouldBeEnabledForAzureDatabaseForMariadbMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_BR-1",
          "Azure_Security_Benchmark_v2.0_BR-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "managedIdentityShouldBeUsedInYourWebAppMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332",
        "parameters": {
          "effect": {
            "value": "[parameters('managedIdentityShouldBeUsedInYourWebAppMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_IM-1",
          "Azure_Security_Benchmark_v2.0_IM-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "georedundantBackupShouldBeEnabledForAzureDatabaseForPostgresqlMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430",
        "parameters": {
          "effect": {
            "value": "[parameters('georedundantBackupShouldBeEnabledForAzureDatabaseForPostgresqlMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_BR-1",
          "Azure_Security_Benchmark_v2.0_BR-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ensureWEBAppHasClientCertificatesIncomingClientCertificatesSetToOnMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609",
        "parameters": {
          "effect": {
            "value": "[parameters('ensureWEBAppHasClientCertificatesIncomingClientCertificatesSetToOnMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "georedundantBackupShouldBeEnabledForAzureDatabaseForMysqlMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970",
        "parameters": {
          "effect": {
            "value": "[parameters('georedundantBackupShouldBeEnabledForAzureDatabaseForMysqlMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_BR-1",
          "Azure_Security_Benchmark_v2.0_BR-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "latestTLSVersionShouldBeUsedInYourAPIAppMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e",
        "parameters": {
          "effect": {
            "value": "[parameters('latestTLSVersionShouldBeUsedInYourAPIAppMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "diagnosticLogsInAppServicesShouldBeEnabledMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0",
        "parameters": {
          "effect": {
            "value": "[parameters('diagnosticLogsInAppServicesShouldBeEnabledMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "managedIdentityShouldBeUsedInYourAPIAppMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef",
        "parameters": {
          "effect": {
            "value": "[parameters('managedIdentityShouldBeUsedInYourAPIAppMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_IM-1",
          "Azure_Security_Benchmark_v2.0_IM-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "enforceSSLConnectionShouldBeEnabledForPostgresqlDatabaseServersMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af",
        "parameters": {
          "effect": {
            "value": "[parameters('enforceSSLConnectionShouldBeEnabledForPostgresqlDatabaseServersMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "enforceSSLConnectionShouldBeEnabledForMysqlDatabaseServersMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d",
        "parameters": {
          "effect": {
            "value": "[parameters('enforceSSLConnectionShouldBeEnabledForMysqlDatabaseServersMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "latestTLSVersionShouldBeUsedInYourWebAppMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b",
        "parameters": {
          "effect": {
            "value": "[parameters('latestTLSVersionShouldBeUsedInYourWebAppMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "latestTLSVersionShouldBeUsedInYourFunctionAppMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193",
        "parameters": {
          "effect": {
            "value": "[parameters('latestTLSVersionShouldBeUsedInYourFunctionAppMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ensureThatPHPVersionIsTheLatestIfUsedAsAPartOfTheApiAppMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba",
        "parameters": {
          "effect": {
            "value": "[parameters('ensureThatPHPVersionIsTheLatestIfUsedAsAPartOfTheApiAppMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "ensureThatPHPVersionIsTheLatestIfUsedAsAPartOfTheWEBAppMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3",
        "parameters": {
          "effect": {
            "value": "[parameters('ensureThatPHPVersionIsTheLatestIfUsedAsAPartOfTheWEBAppMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "ensureThatJavaVersionIsTheLatestIfUsedAsAPartOfTheWebAppMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed",
        "parameters": {
          "effect": {
            "value": "[parameters('ensureThatJavaVersionIsTheLatestIfUsedAsAPartOfTheWebAppMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "ensureThatJavaVersionIsTheLatestIfUsedAsAPartOfTheFunctionAppMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc",
        "parameters": {
          "effect": {
            "value": "[parameters('ensureThatJavaVersionIsTheLatestIfUsedAsAPartOfTheFunctionAppMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "ensureThatJavaVersionIsTheLatestIfUsedAsAPartOfTheApiAppMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/88999f4c-376a-45c8-bcb3-4058f713cf39",
        "parameters": {
          "effect": {
            "value": "[parameters('ensureThatJavaVersionIsTheLatestIfUsedAsAPartOfTheApiAppMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "ensureThatPythonVersionIsTheLatestIfUsedAsAPartOfTheWebAppMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73",
        "parameters": {
          "effect": {
            "value": "[parameters('ensureThatPythonVersionIsTheLatestIfUsedAsAPartOfTheWebAppMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "ensureThatPythonVersionIsTheLatestIfUsedAsAPartOfTheFunctionAppMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73",
        "parameters": {
          "effect": {
            "value": "[parameters('ensureThatPythonVersionIsTheLatestIfUsedAsAPartOfTheFunctionAppMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "ensureThatPythonVersionIsTheLatestIfUsedAsAPartOfTheApiAppMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20a-6f8adba71a16",
        "parameters": {
          "effect": {
            "value": "[parameters('ensureThatPythonVersionIsTheLatestIfUsedAsAPartOfTheApiAppMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "privateEndpointShouldBeEnabledForPostgresqlServersMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0564d078-92f5-4f97-8398-b9f58a51f70b",
        "parameters": {
          "effect": {
            "value": "[parameters('privateEndpointShouldBeEnabledForPostgresqlServersMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-2",
          "Azure_Security_Benchmark_v2.0_NS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "privateEndpointShouldBeEnabledForMariadbServersMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a1302fb-a631-4106-9753-f3d494733990",
        "parameters": {
          "effect": {
            "value": "[parameters('privateEndpointShouldBeEnabledForMariadbServersMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-2",
          "Azure_Security_Benchmark_v2.0_NS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "privateEndpointShouldBeEnabledForMysqlServersMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7595c971-233d-4bcf-bd18-596129188c49",
        "parameters": {
          "effect": {
            "value": "[parameters('privateEndpointShouldBeEnabledForMysqlServersMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-2",
          "Azure_Security_Benchmark_v2.0_NS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "sQLServersShouldBeConfiguredWithAuditingRetentionDaysGreaterThan90DaysMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743",
        "parameters": {
          "effect": {
            "value": "[parameters('sQLServersShouldBeConfiguredWithAuditingRetentionDaysGreaterThan90DaysMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "fTPSOnlyShouldBeRequiredInYourFunctionAppMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15",
        "parameters": {
          "effect": {
            "value": "[parameters('fTPSOnlyShouldBeRequiredInYourFunctionAppMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "fTPSShouldBeRequiredInYourWebAppMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b",
        "parameters": {
          "effect": {
            "value": "[parameters('fTPSShouldBeRequiredInYourWebAppMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "fTPSOnlyShouldBeRequiredInYourAPIAppMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5",
        "parameters": {
          "effect": {
            "value": "[parameters('fTPSOnlyShouldBeRequiredInYourAPIAppMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "functionAppsShouldHaveClientCertificatesEnabledMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eaebaea7-8013-4ceb-9d14-7eb32271373c",
        "parameters": {
          "effect": {
            "value": "[parameters('functionAppsShouldHaveClientCertificatesEnabledMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "cognitiveServicesAccountsShouldEnableDataEncryptionWithACustomerManagedKeyMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d",
        "parameters": {
          "effect": {
            "value": "[parameters('cognitiveServicesAccountsShouldEnableDataEncryptionWithACustomerManagedKeyMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "azureCosmosDbAccountsShouldUseCustomerManagedKeysToEncryptDataAtRestMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f",
        "parameters": {
          "effect": {
            "value": "[parameters('azureCosmosDbAccountsShouldUseCustomerManagedKeysToEncryptDataAtRestMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "keyVaultsShouldHavePurgeProtectionEnabledMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53",
        "parameters": {
          "effect": {
            "value": "[parameters('keyVaultsShouldHavePurgeProtectionEnabledMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_BR-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "keyVaultsShouldHaveSoftDeleteEnabledMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d",
        "parameters": {
          "effect": {
            "value": "[parameters('keyVaultsShouldHaveSoftDeleteEnabledMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_BR-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "azureCacheForRedisShouldResideWithinAVirtualNetworkMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7d092e0a-7acd-40d2-a975-dca21cae48c4",
        "parameters": {
          "effect": {
            "value": "[parameters('azureCacheForRedisShouldResideWithinAVirtualNetworkMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "storageAccountsShouldUseCustomerManagedKeyForEncryptionMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25",
        "parameters": {
          "effect": {
            "value": "[parameters('storageAccountsShouldUseCustomerManagedKeyForEncryptionMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "storageAccountsShouldRestrictNetworkAccessUsingVirtualNetworkRulesMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f",
        "parameters": {
          "effect": {
            "value": "[parameters('storageAccountsShouldRestrictNetworkAccessUsingVirtualNetworkRulesMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "containerRegistriesShouldBeEncryptedWithACustomerManagedKeyMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580",
        "parameters": {
          "effect": {
            "value": "[parameters('containerRegistriesShouldBeEncryptedWithACustomerManagedKeyMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "containerRegistriesShouldNotAllowUnrestrictedNetworkAccessMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71",
        "parameters": {
          "effect": {
            "value": "[parameters('containerRegistriesShouldNotAllowUnrestrictedNetworkAccessMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "containerRegistriesShouldUsePrivateLinkMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4",
        "parameters": {
          "effect": {
            "value": "[parameters('containerRegistriesShouldUsePrivateLinkMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-2",
          "Azure_Security_Benchmark_v2.0_NS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "appConfigurationShouldUsePrivateLinkMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ca610c1d-041c-4332-9d88-7ed3094967c7",
        "parameters": {
          "effect": {
            "value": "[parameters('appConfigurationShouldUsePrivateLinkMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-2",
          "Azure_Security_Benchmark_v2.0_NS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "azureEventGridDomainsShouldUsePrivateLinkMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9830b652-8523-49cc-b1b3-e17dce1127ca",
        "parameters": {
          "effect": {
            "value": "[parameters('azureEventGridDomainsShouldUsePrivateLinkMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-2",
          "Azure_Security_Benchmark_v2.0_NS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "azureEventGridTopicsShouldUsePrivateLinkMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4b90e17e-8448-49db-875e-bd83fb6f804f",
        "parameters": {
          "effect": {
            "value": "[parameters('azureEventGridTopicsShouldUsePrivateLinkMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-2",
          "Azure_Security_Benchmark_v2.0_NS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "azureSignalRServiceShouldUsePrivateLinkMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/53503636-bcc9-4748-9663-5348217f160f",
        "parameters": {
          "effect": {
            "value": "[parameters('azureSignalRServiceShouldUsePrivateLinkMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-2",
          "Azure_Security_Benchmark_v2.0_NS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "azureMachineLearningWorkspacesShouldBeEncryptedWithACustomerManagedKeyMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8",
        "parameters": {
          "effect": {
            "value": "[parameters('azureMachineLearningWorkspacesShouldBeEncryptedWithACustomerManagedKeyMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "azureMachineLearningWorkspacesShouldUsePrivateLinkMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/40cec1dd-a100-4920-b15b-3024fe8901ab",
        "parameters": {
          "effect": {
            "value": "[parameters('azureMachineLearningWorkspacesShouldUsePrivateLinkMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-2",
          "Azure_Security_Benchmark_v2.0_NS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "webApplicationFirewallShouldBeEnabledForAzureFrontDoorServiceServiceMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c",
        "parameters": {
          "effect": {
            "value": "[parameters('webApplicationFirewallShouldBeEnabledForAzureFrontDoorServiceServiceMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "webApplicationFirewallShouldBeEnabledForApplicationGatewayMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66",
        "parameters": {
          "effect": {
            "value": "[parameters('webApplicationFirewallShouldBeEnabledForApplicationGatewayMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "publicNetworkAccessShouldBeDisabledForMariaDbServersMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077",
        "parameters": {
          "effect": {
            "value": "[parameters('publicNetworkAccessShouldBeDisabledForMariaDbServersMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "publicNetworkAccessShouldBeDisabledForMySqlServersMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095",
        "parameters": {
          "effect": {
            "value": "[parameters('publicNetworkAccessShouldBeDisabledForMySqlServersMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "bringYourOwnKeyDataProtectionShouldBeEnabledForMySqlServersMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833",
        "parameters": {
          "effect": {
            "value": "[parameters('bringYourOwnKeyDataProtectionShouldBeEnabledForMySqlServersMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "publicNetworkAccessShouldBeDisabledForPostgreSqlServersMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c",
        "parameters": {
          "effect": {
            "value": "[parameters('publicNetworkAccessShouldBeDisabledForPostgreSqlServersMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "bringYourOwnKeyDataProtectionShouldBeEnabledForPostgreSqlServersMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274",
        "parameters": {
          "effect": {
            "value": "[parameters('bringYourOwnKeyDataProtectionShouldBeEnabledForPostgreSqlServersMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "vmImageBuilderTemplatesShouldUsePrivateLinkMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2154edb9-244f-4741-9970-660785bccdaa",
        "parameters": {
          "effect": {
            "value": "[parameters('vmImageBuilderTemplatesShouldUsePrivateLinkMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-2",
          "Azure_Security_Benchmark_v2.0_NS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "firewallShouldBeEnabledOnKeyVaultMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490",
        "parameters": {
          "effect": {
            "value": "[parameters('firewallShouldBeEnabledOnKeyVaultMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-1",
          "Azure_Security_Benchmark_v2.0_NS-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "privateEndpointShouldBeConfiguredForKeyVaultMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f0bc445-3935-4915-9981-011aa2b46147",
        "parameters": {
          "effect": {
            "value": "[parameters('privateEndpointShouldBeConfiguredForKeyVaultMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-2",
          "Azure_Security_Benchmark_v2.0_NS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "azureSpringCloudShouldUseNetworkInjectionMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af35e2a4-ef96-44e7-a9ae-853dd97032c4",
        "parameters": {
          "effect": {
            "value": "[parameters('azureSpringCloudShouldUseNetworkInjectionMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "subscriptionsShouldHaveAContactEmailAddressForSecurityIssuesMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7",
        "parameters": {
          "effect": {
            "value": "[parameters('subscriptionsShouldHaveAContactEmailAddressForSecurityIssuesMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_IR-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "autoProvisioningOfTheLogAnalyticsAgentShouldBeEnabledOnYourSubscriptionMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17",
        "parameters": {
          "effect": {
            "value": "[parameters('autoProvisioningOfTheLogAnalyticsAgentShouldBeEnabledOnYourSubscriptionMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "emailNotificationForHighSeverityAlertsShouldBeEnabledMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899",
        "parameters": {
          "effect": {
            "value": "[parameters('emailNotificationForHighSeverityAlertsShouldBeEnabledMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_IR-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "emailNotificationToSubscriptionOwnerForHighSeverityAlertsShouldBeEnabledMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d",
        "parameters": {
          "effect": {
            "value": "[parameters('emailNotificationToSubscriptionOwnerForHighSeverityAlertsShouldBeEnabledMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_IR-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "storageAccountShouldUseAPrivateLinkConnectionMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9",
        "parameters": {
          "effect": {
            "value": "[parameters('storageAccountShouldUseAPrivateLinkConnectionMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-2",
          "Azure_Security_Benchmark_v2.0_NS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "authenticationToLinuxMachinesShouldRequireSSHKeysMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6",
        "parameters": {
          "effect": {
            "value": "[parameters('authenticationToLinuxMachinesShouldRequireSSHKeysMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_IM-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "privateEndpointConnectionsOnAzureSQLDatabaseShouldBeEnabledMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7698e800-9299-47a6-b3b6-5a0fee576eed",
        "parameters": {
          "effect": {
            "value": "[parameters('privateEndpointConnectionsOnAzureSQLDatabaseShouldBeEnabledMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-2",
          "Azure_Security_Benchmark_v2.0_NS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "publicNetworkAccessOnAzureSQLDatabaseShouldBeDisabledMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780",
        "parameters": {
          "effect": {
            "value": "[parameters('publicNetworkAccessOnAzureSQLDatabaseShouldBeDisabledMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "ensureAPIAppHasClientCertificatesIncomingClientCertificatesSetToOnMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0c192fe8-9cbb-4516-85b3-0ade8bd03886",
        "parameters": {
          "effect": {
            "value": "[parameters('ensureAPIAppHasClientCertificatesIncomingClientCertificatesSetToOnMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "kubernetesClustersShouldBeAccessibleOnlyOverHTTPSMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d",
        "parameters": {
          "effect": {
            "value": "[parameters('kubernetesClustersShouldBeAccessibleOnlyOverHTTPSMonitoringEffect')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('kubernetesClustersShouldBeAccessibleOnlyOverHTTPSExcludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('kubernetesClustersShouldBeAccessibleOnlyOverHTTPSNamespaces')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "windowsWebServersShouldBeConfiguredToUseSecureCommunicationProtocolsMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112",
        "parameters": {
          "effect": {
            "value": "[parameters('windowsWebServersShouldBeConfiguredToUseSecureCommunicationProtocolsMonitoringEffect')]"
          },
          "IncludeArcMachines": {
            "value": "[parameters('windowsWebServersShouldBeConfiguredToUseSecureCommunicationProtocolsIncludeArcMachines')]"
          },
          "MinimumTLSVersion": {
            "value": "[parameters('windowsWebServersShouldBeConfiguredToUseSecureCommunicationProtocolsMinimumTLSVersion')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_DP-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "cognitiveServicesAccountsShouldRestrictNetworkAccessMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3",
        "parameters": {
          "effect": {
            "value": "[parameters('cognitiveServicesAccountsShouldRestrictNetworkAccessMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "publicNetworkAccessShouldBeDisabledForCognitiveServicesAccountsMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca",
        "parameters": {
          "effect": {
            "value": "[parameters('publicNetworkAccessShouldBeDisabledForCognitiveServicesAccountsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "aPIManagementServicesShouldUseAVirtualNetworkMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b",
        "parameters": {
          "effect": {
            "value": "[parameters('aPIManagementServicesShouldUseAVirtualNetworkMonitoringEffect')]"
          },
          "evaluatedSkuNames": {
            "value": "[parameters('aPIManagementServicesShouldUseAVirtualNetworkEvaluatedSkuNames')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "azureCosmosDBAccountsShouldHaveFirewallRulesMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb",
        "parameters": {
          "effect": {
            "value": "[parameters('azureCosmosDBAccountsShouldHaveFirewallRulesMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_NS-1",
          "Azure_Security_Benchmark_v2.0_NS-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "networkWatcherShouldBeEnabledMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6",
        "parameters": {
          "effect": {
            "value": "[parameters('networkWatcherShouldBeEnabledMonitoringEffect')]"
          },
          "resourceGroupName": {
            "value": "[parameters('networkWatcherShouldBeEnabledResourceGroupName')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "AzureDefenderForResourceManagerShouldBeEnabledMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3d20c29-b36d-48fe-808b-99a87530ad99",
        "parameters": {
          "effect": {
            "value": "[parameters('AzureDefenderForResourceManagerShouldBeEnabledMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-1",
          "Azure_Security_Benchmark_v2.0_LT-2",
          "Azure_Security_Benchmark_v2.0_IR-3",
          "Azure_Security_Benchmark_v2.0_IR-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "AzureDefenderForDNSShouldBeEnabledMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bdc59948-5574-49b3-bb91-76b7c986428d",
        "parameters": {
          "effect": {
            "value": "[parameters('AzureDefenderForDNSShouldBeEnabledMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_LT-1",
          "Azure_Security_Benchmark_v2.0_LT-2",
          "Azure_Security_Benchmark_v2.0_IR-3",
          "Azure_Security_Benchmark_v2.0_IR-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "KubernetesClustersShouldNotUseTheDefaultNamespaceMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373",
        "parameters": {
          "effect": {
            "value": "[parameters('KubernetesClustersShouldNotUseTheDefaultNamespaceMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "KubernetesClustersShouldDisableAutomountingAPICredentialsMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/423dd1ba-798e-40e4-9c4d-b6902674b423",
        "parameters": {
          "effect": {
            "value": "[parameters('KubernetesClustersShouldDisableAutomountingAPICredentialsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "KubernetesClustersShouldNotGrantCAPSYSADMINSecurityCapabilitiesMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d2e7ea85-6b44-4317-a0be-1b951587f626",
        "parameters": {
          "effect": {
            "value": "[parameters('KubernetesClustersShouldNotGrantCAPSYSADMINSecurityCapabilitiesMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "VtpmShouldBeEnabledOnSupportedVirtualMachinesMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3",
        "parameters": {
          "effect": {
            "value": "[parameters('VtpmShouldBeEnabledOnSupportedVirtualMachinesMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "previewSecureBootShouldBeEnabledOnSupportedWindowsVirtualMachinesMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121",
        "parameters": {
          "effect": {
            "value": "[parameters('SecureBootShouldBeEnabledOnSupportedWindowsVirtualMachinesMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "GuestAttestationExtensionShouldBeInstalledOnSupportedLinuxVirtualMachinesMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/672fe5a1-2fcd-42d7-b85d-902b6e28c6ff",
        "parameters": {
          "effect": {
            "value": "[parameters('GuestAttestationExtensionShouldBeInstalledOnSupportedLinuxVirtualMachinesMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "GuestAttestationExtensionShouldBeInstalledOnSupportedLinuxVirtualMachinesScaleSetsMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a21f8c92-9e22-4f09-b759-50500d1d2dda",
        "parameters": {
          "effect": {
            "value": "[parameters('GuestAttestationExtensionShouldBeInstalledOnSupportedLinuxVirtualMachinesScaleSetsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "GuestAttestationExtensionShouldBeInstalledOnSupportedWindowsVirtualMachinesMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1cb4d9c2-f88f-4069-bee0-dba239a57b09",
        "parameters": {
          "effect": {
            "value": "[parameters('GuestAttestationExtensionShouldBeInstalledOnSupportedWindowsVirtualMachinesMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "GuestAttestationExtensionShouldBeInstalledOnSupportedWindowsVirtualMachinesScaleSetsMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f655e522-adff-494d-95c2-52d4f6d56a42",
        "parameters": {
          "effect": {
            "value": "[parameters('GuestAttestationExtensionShouldBeInstalledOnSupportedWindowsVirtualMachinesScaleSetsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "Azure_Security_Benchmark_v2.0_PV-3"
        ]
      }
    ],
    "policyDefinitionGroups": [
      {
        "name": "Azure_Security_Benchmark_v2.0_NS-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_NS-1"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_NS-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_NS-2"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_NS-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_NS-3"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_NS-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_NS-4"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_NS-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_NS-5"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_NS-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_NS-6"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_NS-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_NS-7"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_IM-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IM-1"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_IM-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IM-2"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_IM-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IM-3"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_IM-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IM-4"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_IM-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IM-5"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_IM-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IM-6"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_IM-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IM-7"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_IM-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IM-8"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_PA-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PA-1"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_PA-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PA-2"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_PA-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PA-3"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_PA-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PA-4"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_PA-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PA-5"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_PA-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PA-6"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_PA-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PA-7"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_PA-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PA-8"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_DP-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_DP-1"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_DP-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_DP-2"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_DP-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_DP-3"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_DP-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_DP-4"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_DP-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_DP-5"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_AM-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_AM-1"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_AM-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_AM-2"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_AM-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_AM-3"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_AM-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_AM-4"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_AM-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_AM-5"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_AM-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_AM-6"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_LT-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_LT-1"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_LT-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_LT-2"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_LT-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_LT-3"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_LT-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_LT-4"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_LT-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_LT-5"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_LT-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_LT-6"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_LT-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_LT-7"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_IR-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IR-1"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_IR-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IR-2"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_IR-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IR-3"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_IR-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IR-4"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_IR-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IR-5"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_IR-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IR-6"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_PV-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PV-1"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_PV-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PV-2"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_PV-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PV-3"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_PV-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PV-4"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_PV-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PV-5"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_PV-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PV-6"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_PV-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PV-7"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_PV-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PV-8"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_ES-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_ES-1"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_ES-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_ES-2"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_ES-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_ES-3"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_BR-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_BR-1"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_BR-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_BR-2"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_BR-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_BR-3"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_BR-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_BR-4"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_GS-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_GS-1"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_GS-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_GS-2"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_GS-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_GS-3"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_GS-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_GS-4"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_GS-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_GS-5"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_GS-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_GS-6"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_GS-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_GS-7"
      },
      {
        "name": "Azure_Security_Benchmark_v2.0_GS-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_GS-8"
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "1f3afdf9-d0c9-4c3d-847f-89da613e70a8"
}
BuiltIn Security Center False False n/a n/a true 1 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-monitoring (ASC-Monitoring)
{
  "properties": {
    "displayName": "Canada Federal PBMM",
    "policyType": "BuiltIn",
    "description": "This initiative includes audit and virtual machine extension deployment policies that address a subset of Canada Federal PBMM controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/canadafederalpbmm-blueprint.",
    "metadata": {
      "version": "5.0.1",
      "category": "Regulatory Compliance"
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers for Guest Configuration policies",
          "description": "Optionally choose to audit settings inside Arc connected servers using Guest Configuration policies. By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "logAnalyticsWorkspaceIdforVMReporting": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics Workspace Id that VMs should be configured for",
          "description": "This is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured for."
        }
      },
      "listOfResourceTypesWithDiagnosticLogsEnabled": {
        "type": "Array",
        "metadata": {
          "displayName": "List of resource types that should have resource logs enabled"
        },
        "allowedValues": [
          "Microsoft.AnalysisServices/servers",
          "Microsoft.ApiManagement/service",
          "Microsoft.Network/applicationGateways",
          "Microsoft.Automation/automationAccounts",
          "Microsoft.ContainerInstance/containerGroups",
          "Microsoft.ContainerRegistry/registries",
          "Microsoft.ContainerService/managedClusters",
          "Microsoft.Batch/batchAccounts",
          "Microsoft.Cdn/profiles/endpoints",
          "Microsoft.CognitiveServices/accounts",
          "Microsoft.DocumentDB/databaseAccounts",
          "Microsoft.DataFactory/factories",
          "Microsoft.DataLakeAnalytics/accounts",
          "Microsoft.DataLakeStore/accounts",
          "Microsoft.EventGrid/eventSubscriptions",
          "Microsoft.EventGrid/topics",
          "Microsoft.EventHub/namespaces",
          "Microsoft.Network/expressRouteCircuits",
          "Microsoft.Network/azureFirewalls",
          "Microsoft.HDInsight/clusters",
          "Microsoft.Devices/IotHubs",
          "Microsoft.KeyVault/vaults",
          "Microsoft.Network/loadBalancers",
          "Microsoft.Logic/integrationAccounts",
          "Microsoft.Logic/workflows",
          "Microsoft.DBforMySQL/servers",
          "Microsoft.Network/networkInterfaces",
          "Microsoft.Network/networkSecurityGroups",
          "Microsoft.DBforPostgreSQL/servers",
          "Microsoft.PowerBIDedicated/capacities",
          "Microsoft.Network/publicIPAddresses",
          "Microsoft.RecoveryServices/vaults",
          "Microsoft.Cache/redis",
          "Microsoft.Relay/namespaces",
          "Microsoft.Search/searchServices",
          "Microsoft.ServiceBus/namespaces",
          "Microsoft.SignalRService/SignalR",
          "Microsoft.Sql/servers/databases",
          "Microsoft.Sql/servers/elasticPools",
          "Microsoft.StreamAnalytics/streamingjobs",
          "Microsoft.TimeSeriesInsights/environments",
          "Microsoft.Network/trafficManagerProfiles",
          "Microsoft.Compute/virtualMachines",
          "Microsoft.Compute/virtualMachineScaleSets",
          "Microsoft.Network/virtualNetworks",
          "Microsoft.Network/virtualNetworkGateways"
        ],
        "defaultValue": [
          "Microsoft.AnalysisServices/servers",
          "Microsoft.ApiManagement/service",
          "Microsoft.Network/applicationGateways",
          "Microsoft.Automation/automationAccounts",
          "Microsoft.ContainerInstance/containerGroups",
          "Microsoft.ContainerRegistry/registries",
          "Microsoft.ContainerService/managedClusters",
          "Microsoft.Batch/batchAccounts",
          "Microsoft.Cdn/profiles/endpoints",
          "Microsoft.CognitiveServices/accounts",
          "Microsoft.DocumentDB/databaseAccounts",
          "Microsoft.DataFactory/factories",
          "Microsoft.DataLakeAnalytics/accounts",
          "Microsoft.DataLakeStore/accounts",
          "Microsoft.EventGrid/eventSubscriptions",
          "Microsoft.EventGrid/topics",
          "Microsoft.EventHub/namespaces",
          "Microsoft.Network/expressRouteCircuits",
          "Microsoft.Network/azureFirewalls",
          "Microsoft.HDInsight/clusters",
          "Microsoft.Devices/IotHubs",
          "Microsoft.KeyVault/vaults",
          "Microsoft.Network/loadBalancers",
          "Microsoft.Logic/integrationAccounts",
          "Microsoft.Logic/workflows",
          "Microsoft.DBforMySQL/servers",
          "Microsoft.Network/networkInterfaces",
          "Microsoft.Network/networkSecurityGroups",
          "Microsoft.DBforPostgreSQL/servers",
          "Microsoft.PowerBIDedicated/capacities",
          "Microsoft.Network/publicIPAddresses",
          "Microsoft.RecoveryServices/vaults",
          "Microsoft.Cache/redis",
          "Microsoft.Relay/namespaces",
          "Microsoft.Search/searchServices",
          "Microsoft.ServiceBus/namespaces",
          "Microsoft.SignalRService/SignalR",
          "Microsoft.Sql/servers/databases",
          "Microsoft.Sql/servers/elasticPools",
          "Microsoft.StreamAnalytics/streamingjobs",
          "Microsoft.TimeSeriesInsights/environments",
          "Microsoft.Network/trafficManagerProfiles",
          "Microsoft.Compute/virtualMachines",
          "Microsoft.Compute/virtualMachineScaleSets",
          "Microsoft.Network/virtualNetworks",
          "Microsoft.Network/virtualNetworkGateways"
        ]
      },
      "listOfMembersToExcludeFromWindowsVMAdministratorsGroup": {
        "type": "String",
        "metadata": {
          "displayName": "Members to exclude",
          "description": "A semicolon-separated list of members that should be excluded in the Administrators local group. Ex: Administrator; myUser1; myUser2"
        }
      },
      "listOfMembersToIncludeInWindowsVMAdministratorsGroup": {
        "type": "String",
        "metadata": {
          "displayName": "Members to include",
          "description": "A semicolon-separated list of members that should be included in the Administrators local group. Ex: Administrator; myUser1; myUser2"
        }
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "MfaShouldBeEnabledOnAccountsWithOwnerPermissionsOnYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed",
        "parameters": {},
        "groupNames": [
          "CCCS_IA-2(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "MfaShouldBeEnabledAccountsWithWritePermissionsOnYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3",
        "parameters": {},
        "groupNames": [
          "CCCS_IA-2(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "SystemUpdatesOnVirtualMachineScaleSetsShouldBeInstalled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
        "parameters": {},
        "groupNames": [
          "CCCS_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "CorsShouldNotAllowEveryResourceToAccessYourWebApplication",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9",
        "parameters": {},
        "groupNames": [
          "CCCS_AC-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "DeprecatedAccountsShouldBeRemovedFromYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474",
        "parameters": {},
        "groupNames": [
          "CCCS_AC-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "DeprecatedAccountsWithOwnerPermissionsShouldBeRemovedFromYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad",
        "parameters": {},
        "groupNames": [
          "CCCS_AC-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ExternalAccountsWithOwnerPermissionsShouldBeRemovedFromYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9",
        "parameters": {},
        "groupNames": [
          "CCCS_AC-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ExternalAccountsWithReadPermissionsShouldBeRemovedFromYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60",
        "parameters": {},
        "groupNames": [
          "CCCS_AC-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewMonitorUnprotectedNetworkEndpointsInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6",
        "parameters": {},
        "groupNames": [
          "CCCS_SC-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "ExternalAccountsWithWritePermissionsShouldBeRemovedFromYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4",
        "parameters": {},
        "groupNames": [
          "CCCS_AC-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "FunctionAppShouldOnlyBeAccessibleOverHttps",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab",
        "parameters": {},
        "groupNames": [
          "CCCS_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "WebApplicationShouldOnlyBeAccessibleOverHttps",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d",
        "parameters": {},
        "groupNames": [
          "CCCS_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ApiAppShouldOnlyBeAccessibleOverHttps",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6",
        "parameters": {},
        "groupNames": [
          "CCCS_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditLogAnalyticsAgentDeploymentVmImageOsUnlisted",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50",
        "parameters": {},
        "groupNames": [
          "CCCS_AU-3",
          "CCCS_AU-12",
          "CCCS_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditLogAnalyticsAgentDeploymentInVmssVmImageOsUnlisted",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138",
        "parameters": {},
        "groupNames": [
          "CCCS_AU-3",
          "CCCS_AU-12",
          "CCCS_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditLogAnalyticsWorkspaceForVmReportMismatch",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f47b5582-33ec-4c5c-87c0-b010a6b2e917",
        "parameters": {
          "logAnalyticsWorkspaceId": {
            "value": "[parameters('logAnalyticsWorkspaceIdforVMreporting')]"
          }
        },
        "groupNames": [
          "CCCS_AU-3",
          "CCCS_AU-12",
          "CCCS_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "AMaximumOf3OwnersShouldBeDesignatedForYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c",
        "parameters": {},
        "groupNames": [
          "CCCS_AC-5",
          "CCCS_AC-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "ThereShouldBeMoreThanOneOwnerAssignedToYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b",
        "parameters": {},
        "groupNames": [
          "CCCS_AC-5",
          "CCCS_AC-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "VulnerabilitiesInSecurityConfigurationOnYourVirtualMachineScaleSetsShouldBeRemediated",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4",
        "parameters": {},
        "groupNames": [
          "CCCS_RA-5",
          "CCCS_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "RemoteDebuggingShouldBeTurnedOffForFunctionApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9",
        "parameters": {},
        "groupNames": [
          "CCCS_AC-17(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "RemoteDebuggingShouldBeTurnedOffForWebApplication",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71",
        "parameters": {},
        "groupNames": [
          "CCCS_AC-17(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "RemoteDebuggingShouldBeTurnedOffForApiApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e",
        "parameters": {},
        "groupNames": [
          "CCCS_AC-17(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "DDoSProtectionStandardShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd",
        "parameters": {},
        "groupNames": [
          "CCCS_SC-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_AddSystemIdentityWhenNone",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e",
        "parameters": {},
        "groupNames": [
          "CCCS_AC-5",
          "CCCS_AC-6",
          "CCCS_AC-17(1)",
          "CCCS_IA-5",
          "CCCS_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_AddSystemIdentityWhenUser",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6",
        "parameters": {},
        "groupNames": [
          "CCCS_AC-5",
          "CCCS_AC-6",
          "CCCS_AC-17(1)",
          "CCCS_IA-5",
          "CCCS_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_DeployExtensionWindows",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6",
        "parameters": {},
        "groupNames": [
          "CCCS_AC-5",
          "CCCS_AC-6",
          "CCCS_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_DeployExtensionLinux",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da",
        "parameters": {},
        "groupNames": [
          "CCCS_AC-17(1)",
          "CCCS_IA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "EndpointProtectionSolutionShouldBeInstalledOnVirtualMachineScaleSets",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de",
        "parameters": {},
        "groupNames": [
          "CCCS_SI-3",
          "CCCS_SI-3(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditLinuxVMsThatAllowRemoteConnectionsFromAccountsWithoutPasswords",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ea53dbee-c6c9-4f0e-9f9e-de0039b78023",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "CCCS_AC-17(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditLinuxVMsThatHaveAccountsWithoutPasswords",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f6ec09a3-78bf-4f8f-99dc-6c77182d0f99",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "CCCS_IA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditLinuxVMsThatDoNotHaveThePasswdFilePermissionsSetTo0644",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e6955644-301c-44b5-a4c4-528577de6861",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "CCCS_IA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditWindowsVMsThatAllowReUseOfThePrevious24Passwords",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b054a0d-39e2-4d53-bea3-9734cad2c69b",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "CCCS_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditWindowsVMsThatDoNotHaveAMaximumPasswordAgeOf70Days",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ceb8dc2-559c-478b-a15b-733fbf1e3738",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "CCCS_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditWindowsVMsThatDoNotHaveAMinimumPasswordAgeOf1Day",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/237b38db-ca4d-4259-9e47-7882441ca2c0",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "CCCS_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewuditWindowsVMsThatDoNotHaveThePasswordComplexitySettingEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bf16e0bb-31e1-4646-8202-60a235cc7e74",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "CCCS_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditWindowsVMsThatDoNotRestrictTheMinimumPasswordLengthTo14Characters",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a2d0e922-65d0-40c4-8f87-ea6da2d307a2",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "CCCS_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "NetworkSecurityGroupRulesForInternetFacingVirtualMachinesShouldBeHardened",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6",
        "parameters": {},
        "groupNames": [
          "CCCS_SC-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "MonitorMissingEndpointProtectionInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9",
        "parameters": {},
        "groupNames": [
          "CCCS_SI-3",
          "CCCS_SI-3(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "SystemUpdatesShouldBeInstalledOnYourMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
        "parameters": {},
        "groupNames": [
          "CCCS_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "VulnerabilitiesInSecurityConfigurationOnYourMachinesShouldBeRemediated",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15",
        "parameters": {},
        "groupNames": [
          "CCCS_RA-5",
          "CCCS_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "AdaptiveApplicationControlsShouldBeEnabledOnVirtualMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc",
        "parameters": {},
        "groupNames": [
          "CCCS_CM-7(5)",
          "CCCS_CM-11"
        ]
      },
      {
        "policyDefinitionReferenceId": "JustInTimeNetworkAccessControlShouldBeAppliedOnVirtualMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c",
        "parameters": {},
        "groupNames": [
          "CCCS_SC-7(3)",
          "CCCS_SC-7(4)"
        ]
      },
      {
        "policyDefinitionReferenceId": "VulnerabilitiesOnYourSqlDatabasesShouldBeRemediated",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc",
        "parameters": {},
        "groupNames": [
          "CCCS_RA-5",
          "CCCS_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "DiskEncryptionShouldBeAppliedOnVirtualMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d",
        "parameters": {},
        "groupNames": [
          "CCCS_SC-28"
        ]
      },
      {
        "policyDefinitionReferenceId": "aVulnerabilityAssessmentSolutionShouldBeEnabledOnYourVirtualMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9",
        "parameters": {},
        "groupNames": [
          "CCCS_RA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditDiagnosticSetting",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9",
        "parameters": {
          "listOfResourceTypes": {
            "value": "[parameters('listOfResourceTypesWithDiagnosticLogsEnabled')]"
          }
        },
        "groupNames": [
          "CCCS_AU-5",
          "CCCS_AU-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "OnlySecureConnectionsToYourRedisCacheShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb",
        "parameters": {},
        "groupNames": [
          "CCCS_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "AnAzureActiveDirectoryAdministratorShouldBeProvisionedForSqlServers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9",
        "parameters": {},
        "groupNames": [
          "CCCS_AC-2(7)"
        ]
      },
      {
        "policyDefinitionReferenceId": "SecureTransferToStorageAccountsShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
        "parameters": {},
        "groupNames": [
          "CCCS_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "AdvancedDataSecurityShouldBeEnabledOnYourManagedInstances",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9",
        "parameters": {},
        "groupNames": [
          "CCCS_AU-5",
          "CCCS_AU-12",
          "CCCS_RA-5",
          "CCCS_SC-28",
          "CCCS_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditSqlServerLevelAuditingSettings",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9",
        "parameters": {},
        "groupNames": [
          "CCCS_AU-5",
          "CCCS_AU-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "AdvancedDataSecurityShouldBeEnabledOnYourSqlServers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9",
        "parameters": {},
        "groupNames": [
          "CCCS_AU-5",
          "CCCS_AU-12",
          "CCCS_RA-5",
          "CCCS_SC-28",
          "CCCS_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "TransparentDataEncryptionOnSqlDatabasesShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12",
        "parameters": {},
        "groupNames": [
          "CCCS_SC-28"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditUnrestrictedNetworkAccessToStorageAccounts",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c",
        "parameters": {},
        "groupNames": [
          "CCCS_AC-17(1)",
          "CCCS_SC-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "ServiceFabricClustersShouldOnlyUseAzureActiveDirectoryForClientAuthentication",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0",
        "parameters": {},
        "groupNames": [
          "CCCS_AC-2(7)"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditVirtualMachinesWithoutDisasterRecoveryConfigured",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56",
        "parameters": {},
        "groupNames": [
          "CCCS_CP-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditWindowsVMsInWhichTheAdministratorsGroupContainsAnyOfTheSpecifiedMembers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "MembersToExclude": {
            "value": "[parameters('listOfMembersToExcludeFromWindowsVMAdministratorsGroup')]"
          }
        },
        "groupNames": [
          "CCCS_AC-5",
          "CCCS_AC-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "AdministratorsGroupDoesNotContainAllOfTheSpecifiedMembers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "MembersToInclude": {
            "value": "[parameters('listOfMembersToIncludeInWindowsVMAdministratorsGroup')]"
          }
        },
        "groupNames": [
          "CCCS_AC-5",
          "CCCS_AC-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditWindowsWebServersThatAreNotUsingSecureCommunicationProtocols",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "CCCS_SC-8(1)"
        ]
      }
    ],
    "policyDefinitionGroups": [
      {
        "name": "CCCS_AC-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AC-1"
      },
      {
        "name": "CCCS_AC-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AC-2"
      },
      {
        "name": "CCCS_AC-2(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AC-2(1)"
      },
      {
        "name": "CCCS_AC-2(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AC-2(2)"
      },
      {
        "name": "CCCS_AC-2(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AC-2(3)"
      },
      {
        "name": "CCCS_AC-2(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AC-2(4)"
      },
      {
        "name": "CCCS_AC-2(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AC-2(5)"
      },
      {
        "name": "CCCS_AC-2(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AC-2(7)"
      },
      {
        "name": "CCCS_AC-2(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AC-2(9)"
      },
      {
        "name": "CCCS_AC-2(10)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AC-2(10)"
      },
      {
        "name": "CCCS_AC-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AC-3"
      },
      {
        "name": "CCCS_AC-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AC-4"
      },
      {
        "name": "CCCS_AC-4(21)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AC-4(21)"
      },
      {
        "name": "CCCS_AC-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AC-5"
      },
      {
        "name": "CCCS_AC-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AC-6"
      },
      {
        "name": "CCCS_AC-6(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AC-6(1)"
      },
      {
        "name": "CCCS_AC-6(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AC-6(2)"
      },
      {
        "name": "CCCS_AC-6(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AC-6(5)"
      },
      {
        "name": "CCCS_AC-6(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AC-6(9)"
      },
      {
        "name": "CCCS_AC-6(10)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AC-6(10)"
      },
      {
        "name": "CCCS_AC-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AC-7"
      },
      {
        "name": "CCCS_AC-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AC-8"
      },
      {
        "name": "CCCS_AC-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AC-10"
      },
      {
        "name": "CCCS_AC-11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AC-11"
      },
      {
        "name": "CCCS_AC-11(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AC-11(1)"
      },
      {
        "name": "CCCS_AC-12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AC-12"
      },
      {
        "name": "CCCS_AC-14",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AC-14"
      },
      {
        "name": "CCCS_AC-17",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AC-17"
      },
      {
        "name": "CCCS_AC-17(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AC-17(1)"
      },
      {
        "name": "CCCS_AC-17(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AC-17(2)"
      },
      {
        "name": "CCCS_AC-17(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AC-17(3)"
      },
      {
        "name": "CCCS_AC-17(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AC-17(4)"
      },
      {
        "name": "CCCS_AC-17(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AC-17(9)"
      },
      {
        "name": "CCCS_AC-17(100)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AC-17(100)"
      },
      {
        "name": "CCCS_AC-18",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AC-18"
      },
      {
        "name": "CCCS_AC-18(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AC-18(1)"
      },
      {
        "name": "CCCS_AC-18(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AC-18(4)"
      },
      {
        "name": "CCCS_AC-19",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AC-19"
      },
      {
        "name": "CCCS_AC-20",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AC-20"
      },
      {
        "name": "CCCS_AC-20(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AC-20(1)"
      },
      {
        "name": "CCCS_AC-20(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AC-20(2)"
      },
      {
        "name": "CCCS_AC-21",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AC-21"
      },
      {
        "name": "CCCS_AC-22",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AC-22"
      },
      {
        "name": "CCCS_AT-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AT-1"
      },
      {
        "name": "CCCS_AT-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AT-2"
      },
      {
        "name": "CCCS_AT-2(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AT-2(2)"
      },
      {
        "name": "CCCS_AT-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AT-3"
      },
      {
        "name": "CCCS_AT-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AT-4"
      },
      {
        "name": "CCCS_AU-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AU-1"
      },
      {
        "name": "CCCS_AU-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AU-2"
      },
      {
        "name": "CCCS_AU-2(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AU-2(3)"
      },
      {
        "name": "CCCS_AU-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AU-3"
      },
      {
        "name": "CCCS_AU-3(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AU-3(1)"
      },
      {
        "name": "CCCS_AU-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AU-5"
      },
      {
        "name": "CCCS_AU-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AU-6"
      },
      {
        "name": "CCCS_AU-6(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AU-6(1)"
      },
      {
        "name": "CCCS_AU-6(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AU-6(3)"
      },
      {
        "name": "CCCS_AU-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AU-7"
      },
      {
        "name": "CCCS_AU-7(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AU-7(1)"
      },
      {
        "name": "CCCS_AU-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AU-8"
      },
      {
        "name": "CCCS_AU-8(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AU-8(1)"
      },
      {
        "name": "CCCS_AU-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AU-9"
      },
      {
        "name": "CCCS_AU-9(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AU-9(2)"
      },
      {
        "name": "CCCS_AU-9(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AU-9(4)"
      },
      {
        "name": "CCCS_AU-11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AU-11"
      },
      {
        "name": "CCCS_AU-12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_AU-12"
      },
      {
        "name": "CCCS_CA-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CA-1"
      },
      {
        "name": "CCCS_CA-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CA-2"
      },
      {
        "name": "CCCS_CA-2(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CA-2(1)"
      },
      {
        "name": "CCCS_CA-2(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CA-2(2)"
      },
      {
        "name": "CCCS_CA-2(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CA-2(3)"
      },
      {
        "name": "CCCS_CA-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CA-3"
      },
      {
        "name": "CCCS_CA-3(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CA-3(3)"
      },
      {
        "name": "CCCS_CA-3(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CA-3(5)"
      },
      {
        "name": "CCCS_CA-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CA-5"
      },
      {
        "name": "CCCS_CA-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CA-6"
      },
      {
        "name": "CCCS_CA-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CA-7"
      },
      {
        "name": "CCCS_CA-7(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CA-7(1)"
      },
      {
        "name": "CCCS_CA-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CA-8"
      },
      {
        "name": "CCCS_CA-8(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CA-8(1)"
      },
      {
        "name": "CCCS_CA-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CA-9"
      },
      {
        "name": "CCCS_CM-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CM-1"
      },
      {
        "name": "CCCS_CM-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CM-2"
      },
      {
        "name": "CCCS_CM-2(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CM-2(1)"
      },
      {
        "name": "CCCS_CM-2(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CM-2(2)"
      },
      {
        "name": "CCCS_CM-2(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CM-2(3)"
      },
      {
        "name": "CCCS_CM-2(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CM-2(7)"
      },
      {
        "name": "CCCS_CM-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CM-3"
      },
      {
        "name": "CCCS_CM-3(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CM-3(4)"
      },
      {
        "name": "CCCS_CM-3(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CM-3(6)"
      },
      {
        "name": "CCCS_CM-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CM-4"
      },
      {
        "name": "CCCS_CM-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CM-5"
      },
      {
        "name": "CCCS_CM-5(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CM-5(1)"
      },
      {
        "name": "CCCS_CM-5(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CM-5(5)"
      },
      {
        "name": "CCCS_CM-5(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CM-5(6)"
      },
      {
        "name": "CCCS_CM-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CM-6"
      },
      {
        "name": "CCCS_CM-6(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CM-6(1)"
      },
      {
        "name": "CCCS_CM-6(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CM-6(2)"
      },
      {
        "name": "CCCS_CM-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CM-7"
      },
      {
        "name": "CCCS_CM-7(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CM-7(1)"
      },
      {
        "name": "CCCS_CM-7(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CM-7(5)"
      },
      {
        "name": "CCCS_CM-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CM-8"
      },
      {
        "name": "CCCS_CM-8(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CM-8(1)"
      },
      {
        "name": "CCCS_CM-8(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CM-8(2)"
      },
      {
        "name": "CCCS_CM-8(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CM-8(3)"
      },
      {
        "name": "CCCS_CM-8(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CM-8(5)"
      },
      {
        "name": "CCCS_CM-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CM-9"
      },
      {
        "name": "CCCS_CM-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CM-10"
      },
      {
        "name": "CCCS_CM-10(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CM-10(1)"
      },
      {
        "name": "CCCS_CM-11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CM-11"
      },
      {
        "name": "CCCS_CP-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CP-1"
      },
      {
        "name": "CCCS_CP-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CP-2"
      },
      {
        "name": "CCCS_CP-2(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CP-2(1)"
      },
      {
        "name": "CCCS_CP-2(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CP-2(2)"
      },
      {
        "name": "CCCS_CP-2(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CP-2(3)"
      },
      {
        "name": "CCCS_CP-2(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CP-2(4)"
      },
      {
        "name": "CCCS_CP-2(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CP-2(5)"
      },
      {
        "name": "CCCS_CP-2(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CP-2(6)"
      },
      {
        "name": "CCCS_CP-2(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CP-2(8)"
      },
      {
        "name": "CCCS_CP-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CP-3"
      },
      {
        "name": "CCCS_CP-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CP-4"
      },
      {
        "name": "CCCS_CP-4(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CP-4(1)"
      },
      {
        "name": "CCCS_CP-4(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CP-4(2)"
      },
      {
        "name": "CCCS_CP-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CP-6"
      },
      {
        "name": "CCCS_CP-6(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CP-6(1)"
      },
      {
        "name": "CCCS_CP-6(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CP-6(2)"
      },
      {
        "name": "CCCS_CP-6(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CP-6(3)"
      },
      {
        "name": "CCCS_CP-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CP-7"
      },
      {
        "name": "CCCS_CP-7(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CP-7(1)"
      },
      {
        "name": "CCCS_CP-7(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CP-7(2)"
      },
      {
        "name": "CCCS_CP-7(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CP-7(3)"
      },
      {
        "name": "CCCS_CP-7(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CP-7(4)"
      },
      {
        "name": "CCCS_CP-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CP-8"
      },
      {
        "name": "CCCS_CP-8(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CP-8(1)"
      },
      {
        "name": "CCCS_CP-8(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CP-8(2)"
      },
      {
        "name": "CCCS_CP-8(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CP-8(3)"
      },
      {
        "name": "CCCS_CP-8(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CP-8(5)"
      },
      {
        "name": "CCCS_CP-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CP-9"
      },
      {
        "name": "CCCS_CP-9(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CP-9(1)"
      },
      {
        "name": "CCCS_CP-9(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CP-9(2)"
      },
      {
        "name": "CCCS_CP-9(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CP-9(3)"
      },
      {
        "name": "CCCS_CP-9(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CP-9(5)"
      },
      {
        "name": "CCCS_CP-9(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CP-9(7)"
      },
      {
        "name": "CCCS_CP-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CP-10"
      },
      {
        "name": "CCCS_CP-10(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CP-10(2)"
      },
      {
        "name": "CCCS_CP-10(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_CP-10(4)"
      },
      {
        "name": "CCCS_IA-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_IA-1"
      },
      {
        "name": "CCCS_IA-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_IA-2"
      },
      {
        "name": "CCCS_IA-2(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_IA-2(1)"
      },
      {
        "name": "CCCS_IA-2(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_IA-2(3)"
      },
      {
        "name": "CCCS_IA-2(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_IA-2(6)"
      },
      {
        "name": "CCCS_IA-2(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_IA-2(8)"
      },
      {
        "name": "CCCS_IA-2(11)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_IA-2(11)"
      },
      {
        "name": "CCCS_IA-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_IA-3"
      },
      {
        "name": "CCCS_IA-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_IA-4"
      },
      {
        "name": "CCCS_IA-4(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_IA-4(2)"
      },
      {
        "name": "CCCS_IA-4(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_IA-4(3)"
      },
      {
        "name": "CCCS_IA-4(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_IA-4(4)"
      },
      {
        "name": "CCCS_IA-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_IA-5"
      },
      {
        "name": "CCCS_IA-5(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_IA-5(1)"
      },
      {
        "name": "CCCS_IA-5(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_IA-5(2)"
      },
      {
        "name": "CCCS_IA-5(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_IA-5(3)"
      },
      {
        "name": "CCCS_IA-5(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_IA-5(4)"
      },
      {
        "name": "CCCS_IA-5(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_IA-5(6)"
      },
      {
        "name": "CCCS_IA-5(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_IA-5(7)"
      },
      {
        "name": "CCCS_IA-5(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_IA-5(8)"
      },
      {
        "name": "CCCS_IA-5(11)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_IA-5(11)"
      },
      {
        "name": "CCCS_IA-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_IA-6"
      },
      {
        "name": "CCCS_IA-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_IA-7"
      },
      {
        "name": "CCCS_IA-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_IA-8"
      },
      {
        "name": "CCCS_IR-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_IR-1"
      },
      {
        "name": "CCCS_IR-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_IR-2"
      },
      {
        "name": "CCCS_IR-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_IR-3"
      },
      {
        "name": "CCCS_IR-3(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_IR-3(2)"
      },
      {
        "name": "CCCS_IR-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_IR-4"
      },
      {
        "name": "CCCS_IR-4(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_IR-4(1)"
      },
      {
        "name": "CCCS_IR-4(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_IR-4(3)"
      },
      {
        "name": "CCCS_IR-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_IR-5"
      },
      {
        "name": "CCCS_IR-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_IR-6"
      },
      {
        "name": "CCCS_IR-6(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_IR-6(1)"
      },
      {
        "name": "CCCS_IR-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_IR-7"
      },
      {
        "name": "CCCS_IR-7(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_IR-7(1)"
      },
      {
        "name": "CCCS_IR-7(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_IR-7(2)"
      },
      {
        "name": "CCCS_IR-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_IR-8"
      },
      {
        "name": "CCCS_IR-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_IR-9"
      },
      {
        "name": "CCCS_IR-9(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_IR-9(1)"
      },
      {
        "name": "CCCS_IR-9(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_IR-9(2)"
      },
      {
        "name": "CCCS_IR-9(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_IR-9(3)"
      },
      {
        "name": "CCCS_IR-9(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_IR-9(4)"
      },
      {
        "name": "CCCS_MA-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_MA-1"
      },
      {
        "name": "CCCS_MA-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_MA-2"
      },
      {
        "name": "CCCS_MA-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_MA-3"
      },
      {
        "name": "CCCS_MA-3(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_MA-3(1)"
      },
      {
        "name": "CCCS_MA-3(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_MA-3(2)"
      },
      {
        "name": "CCCS_MA-3(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_MA-3(3)"
      },
      {
        "name": "CCCS_MA-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_MA-4"
      },
      {
        "name": "CCCS_MA-4(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_MA-4(1)"
      },
      {
        "name": "CCCS_MA-4(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_MA-4(2)"
      },
      {
        "name": "CCCS_MA-4(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_MA-4(3)"
      },
      {
        "name": "CCCS_MA-4(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_MA-4(6)"
      },
      {
        "name": "CCCS_MA-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_MA-5"
      },
      {
        "name": "CCCS_MA-5(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_MA-5(1)"
      },
      {
        "name": "CCCS_MA-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_MA-6"
      },
      {
        "name": "CCCS_MP-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_MP-1"
      },
      {
        "name": "CCCS_MP-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_MP-2"
      },
      {
        "name": "CCCS_MP-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_MP-3"
      },
      {
        "name": "CCCS_MP-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_MP-4"
      },
      {
        "name": "CCCS_MP-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_MP-5"
      },
      {
        "name": "CCCS_MP-5(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_MP-5(4)"
      },
      {
        "name": "CCCS_MP-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_MP-6"
      },
      {
        "name": "CCCS_MP-6(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_MP-6(1)"
      },
      {
        "name": "CCCS_MP-6(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_MP-6(2)"
      },
      {
        "name": "CCCS_MP-6(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_MP-6(3)"
      },
      {
        "name": "CCCS_MP-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_MP-7"
      },
      {
        "name": "CCCS_MP-7(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_MP-7(1)"
      },
      {
        "name": "CCCS_MP-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_MP-8"
      },
      {
        "name": "CCCS_MP-8(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_MP-8(1)"
      },
      {
        "name": "CCCS_PE-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_PE-1"
      },
      {
        "name": "CCCS_PE-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_PE-2"
      },
      {
        "name": "CCCS_PE-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_PE-3"
      },
      {
        "name": "CCCS_PE-3(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_PE-3(1)"
      },
      {
        "name": "CCCS_PE-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_PE-4"
      },
      {
        "name": "CCCS_PE-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_PE-5"
      },
      {
        "name": "CCCS_PE-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_PE-6"
      },
      {
        "name": "CCCS_PE-6(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_PE-6(1)"
      },
      {
        "name": "CCCS_PE-6(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_PE-6(4)"
      },
      {
        "name": "CCCS_PE-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_PE-8"
      },
      {
        "name": "CCCS_PE-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_PE-9"
      },
      {
        "name": "CCCS_PE-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_PE-10"
      },
      {
        "name": "CCCS_PE-11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_PE-11"
      },
      {
        "name": "CCCS_PE-12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_PE-12"
      },
      {
        "name": "CCCS_PE-13",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_PE-13"
      },
      {
        "name": "CCCS_PE-13(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_PE-13(2)"
      },
      {
        "name": "CCCS_PE-13(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_PE-13(3)"
      },
      {
        "name": "CCCS_PE-14",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_PE-14"
      },
      {
        "name": "CCCS_PE-14(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_PE-14(2)"
      },
      {
        "name": "CCCS_PE-15",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_PE-15"
      },
      {
        "name": "CCCS_PE-16",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_PE-16"
      },
      {
        "name": "CCCS_PE-17",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_PE-17"
      },
      {
        "name": "CCCS_PL-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_PL-1"
      },
      {
        "name": "CCCS_PL-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_PL-2"
      },
      {
        "name": "CCCS_PL-2(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_PL-2(3)"
      },
      {
        "name": "CCCS_PL-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_PL-4"
      },
      {
        "name": "CCCS_PL-4(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_PL-4(1)"
      },
      {
        "name": "CCCS_PL-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_PL-8"
      },
      {
        "name": "CCCS_PS-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_PS-1"
      },
      {
        "name": "CCCS_PS-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_PS-2"
      },
      {
        "name": "CCCS_PS-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_PS-3"
      },
      {
        "name": "CCCS_PS-3(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_PS-3(3)"
      },
      {
        "name": "CCCS_PS-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_PS-4"
      },
      {
        "name": "CCCS_PS-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_PS-5"
      },
      {
        "name": "CCCS_PS-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_PS-6"
      },
      {
        "name": "CCCS_PS-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_PS-7"
      },
      {
        "name": "CCCS_PS-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_PS-8"
      },
      {
        "name": "CCCS_RA-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_RA-1"
      },
      {
        "name": "CCCS_RA-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_RA-2"
      },
      {
        "name": "CCCS_RA-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_RA-3"
      },
      {
        "name": "CCCS_RA-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_RA-5"
      },
      {
        "name": "CCCS_RA-5(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_RA-5(1)"
      },
      {
        "name": "CCCS_RA-5(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_RA-5(2)"
      },
      {
        "name": "CCCS_RA-5(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_RA-5(3)"
      },
      {
        "name": "CCCS_RA-5(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_RA-5(5)"
      },
      {
        "name": "CCCS_RA-5(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_RA-5(6)"
      },
      {
        "name": "CCCS_RA-5(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_RA-5(8)"
      },
      {
        "name": "CCCS_SA-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SA-1"
      },
      {
        "name": "CCCS_SA-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SA-2"
      },
      {
        "name": "CCCS_SA-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SA-3"
      },
      {
        "name": "CCCS_SA-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SA-4"
      },
      {
        "name": "CCCS_SA-4(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SA-4(1)"
      },
      {
        "name": "CCCS_SA-4(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SA-4(2)"
      },
      {
        "name": "CCCS_SA-4(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SA-4(8)"
      },
      {
        "name": "CCCS_SA-4(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SA-4(9)"
      },
      {
        "name": "CCCS_SA-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SA-5"
      },
      {
        "name": "CCCS_SA-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SA-8"
      },
      {
        "name": "CCCS_SA-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SA-9"
      },
      {
        "name": "CCCS_SA-9(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SA-9(1)"
      },
      {
        "name": "CCCS_SA-9(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SA-9(2)"
      },
      {
        "name": "CCCS_SA-9(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SA-9(4)"
      },
      {
        "name": "CCCS_SA-9(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SA-9(5)"
      },
      {
        "name": "CCCS_SA-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SA-10"
      },
      {
        "name": "CCCS_SA-10(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SA-10(1)"
      },
      {
        "name": "CCCS_SA-11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SA-11"
      },
      {
        "name": "CCCS_SA-11(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SA-11(1)"
      },
      {
        "name": "CCCS_SA-11(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SA-11(2)"
      },
      {
        "name": "CCCS_SA-11(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SA-11(8)"
      },
      {
        "name": "CCCS_SA-15",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SA-15"
      },
      {
        "name": "CCCS_SC-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SC-1"
      },
      {
        "name": "CCCS_SC-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SC-2"
      },
      {
        "name": "CCCS_SC-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SC-4"
      },
      {
        "name": "CCCS_SC-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SC-5"
      },
      {
        "name": "CCCS_SC-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SC-6"
      },
      {
        "name": "CCCS_SC-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SC-7"
      },
      {
        "name": "CCCS_SC-7(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SC-7(3)"
      },
      {
        "name": "CCCS_SC-7(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SC-7(4)"
      },
      {
        "name": "CCCS_SC-7(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SC-7(5)"
      },
      {
        "name": "CCCS_SC-7(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SC-7(7)"
      },
      {
        "name": "CCCS_SC-7(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SC-7(8)"
      },
      {
        "name": "CCCS_SC-7(12)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SC-7(12)"
      },
      {
        "name": "CCCS_SC-7(13)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SC-7(13)"
      },
      {
        "name": "CCCS_SC-7(18)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SC-7(18)"
      },
      {
        "name": "CCCS_SC-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SC-8"
      },
      {
        "name": "CCCS_SC-8(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SC-8(1)"
      },
      {
        "name": "CCCS_SC-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SC-10"
      },
      {
        "name": "CCCS_SC-12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SC-12"
      },
      {
        "name": "CCCS_SC-12(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SC-12(1)"
      },
      {
        "name": "CCCS_SC-12(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SC-12(2)"
      },
      {
        "name": "CCCS_SC-12(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SC-12(3)"
      },
      {
        "name": "CCCS_SC-13",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SC-13"
      },
      {
        "name": "CCCS_SC-15",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SC-15"
      },
      {
        "name": "CCCS_SC-17",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SC-17"
      },
      {
        "name": "CCCS_SC-18",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SC-18"
      },
      {
        "name": "CCCS_SC-18(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SC-18(3)"
      },
      {
        "name": "CCCS_SC-18(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SC-18(4)"
      },
      {
        "name": "CCCS_SC-19",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SC-19"
      },
      {
        "name": "CCCS_SC-20",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SC-20"
      },
      {
        "name": "CCCS_SC-21",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SC-21"
      },
      {
        "name": "CCCS_SC-22",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SC-22"
      },
      {
        "name": "CCCS_SC-23",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SC-23"
      },
      {
        "name": "CCCS_SC-23(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SC-23(1)"
      },
      {
        "name": "CCCS_SC-28",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SC-28"
      },
      {
        "name": "CCCS_SC-28(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SC-28(1)"
      },
      {
        "name": "CCCS_SC-39",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SC-39"
      },
      {
        "name": "CCCS_SI-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SI-1"
      },
      {
        "name": "CCCS_SI-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SI-2"
      },
      {
        "name": "CCCS_SI-2(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SI-2(2)"
      },
      {
        "name": "CCCS_SI-2(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SI-2(3)"
      },
      {
        "name": "CCCS_SI-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SI-3"
      },
      {
        "name": "CCCS_SI-3(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SI-3(1)"
      },
      {
        "name": "CCCS_SI-3(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SI-3(2)"
      },
      {
        "name": "CCCS_SI-3(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SI-3(7)"
      },
      {
        "name": "CCCS_SI-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SI-4"
      },
      {
        "name": "CCCS_SI-4(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SI-4(1)"
      },
      {
        "name": "CCCS_SI-4(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SI-4(2)"
      },
      {
        "name": "CCCS_SI-4(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SI-4(4)"
      },
      {
        "name": "CCCS_SI-4(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SI-4(5)"
      },
      {
        "name": "CCCS_SI-4(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SI-4(7)"
      },
      {
        "name": "CCCS_SI-4(11)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SI-4(11)"
      },
      {
        "name": "CCCS_SI-4(14)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SI-4(14)"
      },
      {
        "name": "CCCS_SI-4(16)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SI-4(16)"
      },
      {
        "name": "CCCS_SI-4(20)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SI-4(20)"
      },
      {
        "name": "CCCS_SI-4(23)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SI-4(23)"
      },
      {
        "name": "CCCS_SI-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SI-5"
      },
      {
        "name": "CCCS_SI-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SI-6"
      },
      {
        "name": "CCCS_SI-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SI-7"
      },
      {
        "name": "CCCS_SI-7(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SI-7(1)"
      },
      {
        "name": "CCCS_SI-7(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SI-7(7)"
      },
      {
        "name": "CCCS_SI-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SI-8"
      },
      {
        "name": "CCCS_SI-8(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SI-8(1)"
      },
      {
        "name": "CCCS_SI-8(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SI-8(2)"
      },
      {
        "name": "CCCS_SI-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SI-10"
      },
      {
        "name": "CCCS_SI-11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SI-11"
      },
      {
        "name": "CCCS_SI-12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SI-12"
      },
      {
        "name": "CCCS_SI-16",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CCCS_SI-16"
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "4c4a5f27-de81-430b-b4e5-9cbd50595a87"
}
BuiltIn Regulatory Compliance False False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "CIS Microsoft Azure Foundations Benchmark v1.1.0",
    "policyType": "BuiltIn",
    "description": "This initiative includes policies that address a subset of CIS Microsoft Azure Foundations Benchmark recommendations. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/cisazure110-initiative.",
    "metadata": {
      "version": "10.1.0",
      "category": "Regulatory Compliance"
    },
    "parameters": {
      "listOfRegionsWhereNetworkWatcherShouldBeEnabled": {
        "type": "Array",
        "metadata": {
          "displayName": "[Deprecated]: List of regions where Network Watcher should be enabled",
          "description": "To see a complete list of regions use Get-AzLocation",
          "strongType": "location",
          "deprecated": true
        },
        "defaultValue": [
          "eastus"
        ]
      },
      "NetworkWatcherResourceGroupName": {
        "type": "String",
        "metadata": {
          "displayName": "NetworkWatcher resource group name",
          "description": "Name of the resource group of NetworkWatcher, such as NetworkWatcherRG"
        },
        "defaultValue": "NetworkWatcherRG"
      },
      "listOfApprovedVMExtensions": {
        "type": "Array",
        "metadata": {
          "displayName": "List of virtual machine extensions that are approved for use",
          "description": "A semicolon-separated list of virtual machine extensions; to see a complete list of extensions, use Get-AzVMExtensionImage"
        },
        "defaultValue": [
          "AzureDiskEncryption",
          "AzureDiskEncryptionForLinux",
          "DependencyAgentWindows",
          "DependencyAgentLinux",
          "IaaSAntimalware",
          "IaaSDiagnostics",
          "LinuxDiagnostic",
          "MicrosoftMonitoringAgent",
          "NetworkWatcherAgentLinux",
          "NetworkWatcherAgentWindows",
          "OmsAgentForLinux",
          "VMSnapshot",
          "VMSnapshotLinux"
        ]
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "CISv110x1x1",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_1.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x1x1m",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_1.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x1x2",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_1.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x1x3",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_1.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x1x3m",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_1.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x1x3mm",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_1.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x1x23",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_1.23"
        ]
      },
      {
        "policyDefinitionReferenceId": "4da35fc9-c9e7-4960-aec9-797fe7d9051d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051d",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_2.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "7fe3b40f-802b-4cdd-8bd4-fd799c948cc2",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_2.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "308fbb08-4ab8-4e67-9b29-592e93fb94fa",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_2.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "523b5cd1-3e23-492f-a539-13118b6d1e3a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/523b5cd1-3e23-492f-a539-13118b6d1e3a",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_2.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "c25d9a16-bc35-4e15-a7e5-9db606bf9ed4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c25d9a16-bc35-4e15-a7e5-9db606bf9ed4",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_2.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "6581d072-105e-4418-827f-bd446d56421b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6581d072-105e-4418-827f-bd446d56421b",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_2.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "2913021d-f2fd-4f3d-b958-22354e2bdbcb",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcb",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_2.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "0e6763cc-5078-4e64-889d-ff4d9a839047",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_2.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x2x2",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_2.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x2x3CISv110x7x5",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_2.3",
          "CIS_Azure_1.1.0_7.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x2x4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_2.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x2x5CISv110x7x6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_2.5",
          "CIS_Azure_1.1.0_7.6"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x2x6CISv110x7x1CISv110x7x2",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_2.6",
          "CIS_Azure_1.1.0_7.1",
          "CIS_Azure_1.1.0_7.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x2x7",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_2.7"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x2x9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_2.9"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x2x9m",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_2.9"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x2x10",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_2.10"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x2x12",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_2.12"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x2x13",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_2.13"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x2x14CISv110x4x1",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_2.14",
          "CIS_Azure_1.1.0_4.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x2x15CISv110x4x9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_2.15",
          "CIS_Azure_1.1.0_4.9"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x2x16",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_2.16"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x2x18",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_2.18"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x2x19",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_2.19"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x3x1",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_3.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x3x6CISv110x5x1x5",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_3.6",
          "CIS_Azure_1.1.0_5.1.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x3x7",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_3.7"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x3x8",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9d007d0-c057-4772-b18c-01e546713bcd",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_3.8"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x4x2",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7ff426e2-515f-405a-91c8-4f2333442eb5",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_4.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x4x3",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_4.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x4x4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_4.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x4x4m",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_4.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x4x8",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_4.8"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x4x10",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_4.10"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x4x10m",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_4.10"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x4x11",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_4.11"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x4x12",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_4.12"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x4x13",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_4.13"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x4x14",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e442",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_4.14"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x4x15",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e446",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_4.15"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x4x17",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5345bb39-67dc-4960-a1bf-427e16b9a0bd",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_4.17"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x5x1x1",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7796937f-307b-4598-941c-67d3a05ebfe7",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_5.1.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x5x1x2",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b02aacc0-b073-424e-8298-42b22829ee0a",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_5.1.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x5x1x3",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a4e592a-6a6e-44a5-9814-e36264ca96e7",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_5.1.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x5x1x4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/41388f1c-2db0-4c25-95b2-35d7f5ccbfa9",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_5.1.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x5x1x6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fbb99e8e-e444-4da0-9ff1-75c92f5a85b2",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_5.1.6"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x5x1x7",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_5.1.7"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x5x2x1",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c5447c04-a4d7-4ba8-a263-c9ee321a6858",
        "parameters": {
          "operationName": {
            "value": "Microsoft.Authorization/policyAssignments/write"
          }
        },
        "groupNames": [
          "CIS_Azure_1.1.0_5.2.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x5x2x2",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b954148f-4c11-4c38-8221-be76711e194a",
        "parameters": {
          "operationName": {
            "value": "Microsoft.Network/networkSecurityGroups/write"
          }
        },
        "groupNames": [
          "CIS_Azure_1.1.0_5.2.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x5x2x3",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b954148f-4c11-4c38-8221-be76711e194a",
        "parameters": {
          "operationName": {
            "value": "Microsoft.Network/networkSecurityGroups/delete"
          }
        },
        "groupNames": [
          "CIS_Azure_1.1.0_5.2.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x5x2x4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b954148f-4c11-4c38-8221-be76711e194a",
        "parameters": {
          "operationName": {
            "value": "Microsoft.Network/networkSecurityGroups/securityRules/write"
          }
        },
        "groupNames": [
          "CIS_Azure_1.1.0_5.2.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x5x2x5",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b954148f-4c11-4c38-8221-be76711e194a",
        "parameters": {
          "operationName": {
            "value": "Microsoft.Network/networkSecurityGroups/securityRules/delete"
          }
        },
        "groupNames": [
          "CIS_Azure_1.1.0_5.2.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x5x2x6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3b980d31-7904-4bb7-8575-5665739a8052",
        "parameters": {
          "operationName": {
            "value": "Microsoft.Security/securitySolutions/write"
          }
        },
        "groupNames": [
          "CIS_Azure_1.1.0_5.2.6"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x5x2x7",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3b980d31-7904-4bb7-8575-5665739a8052",
        "parameters": {
          "operationName": {
            "value": "Microsoft.Security/securitySolutions/delete"
          }
        },
        "groupNames": [
          "CIS_Azure_1.1.0_5.2.7"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x5x2x8",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b954148f-4c11-4c38-8221-be76711e194a",
        "parameters": {
          "operationName": {
            "value": "Microsoft.Sql/servers/firewallRules/write"
          }
        },
        "groupNames": [
          "CIS_Azure_1.1.0_5.2.8"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x5x2x8m",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b954148f-4c11-4c38-8221-be76711e194a",
        "parameters": {
          "operationName": {
            "value": "Microsoft.Sql/servers/firewallRules/delete"
          }
        },
        "groupNames": [
          "CIS_Azure_1.1.0_5.2.8"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x5x2x9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3b980d31-7904-4bb7-8575-5665739a8052",
        "parameters": {
          "operationName": {
            "value": "Microsoft.Security/policies/write"
          }
        },
        "groupNames": [
          "CIS_Azure_1.1.0_5.2.9"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x6x1",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e372f825-a257-4fb8-9175-797a8a8627d6",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_6.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x6x2",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fab",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_6.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x6x5",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6",
        "parameters": {
          "resourceGroupName": {
            "value": "[parameters('NetworkWatcherResourceGroupName')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.1.0_6.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x7x3",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fb2",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_7.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x7x4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c0e996f8-39cf-4af9-9f45-83fbde810432",
        "parameters": {
          "approvedExtensions": {
            "value": "[parameters('listOfApprovedVMExtensions')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.1.0_7.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x8x1",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_8.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x8x2",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_8.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x8x4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_8.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x8x5",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_8.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x9x1",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c4ebc54a-46e1-481a-bee2-d4411e95d828",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_9.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x9x1m",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_9.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x9x1mm",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/95bccee9-a7f8-4bec-9ee9-62c3473701fc",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_9.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x9x2",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_9.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x9x3",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_9.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x9x3m",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_9.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x9x3mm",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_9.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x9x4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0c192fe8-9cbb-4516-85b3-0ade8bd03886",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_9.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x9x4m",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eaebaea7-8013-4ceb-9d14-7eb32271373c",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_9.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x9x4mm",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_9.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x9x5",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_9.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x9x5m",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_9.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x9x5mm",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_9.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x9x7",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_9.7"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x9x7mm",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_9.7"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x9x8",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20a-6f8adba71a16",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_9.8"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x9x8m",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_9.8"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x9x8mm",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_9.8"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x9x9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/88999f4c-376a-45c8-bcb3-4058f713cf39",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_9.9"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x9x9m",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_9.9"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x9x9mm",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_9.9"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x9x10",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/991310cd-e9f3-47bc-b7b6-f57b557d07db",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_9.10"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x9x10m",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e2c1c086-2d84-4019-bff3-c44ccd95113c",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_9.10"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x9x10mm",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8c122334-9d20-4eb8-89ea-ac9a705b74ae",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_9.10"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x5x1x7m",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a2a5b911-5617-447e-a49e-59dbe0e0434b",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_5.1.7"
        ]
      },
      {
        "policyDefinitionReferenceId": "CISv110x8x4m",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.1.0_8.4"
        ]
      }
    ],
    "policyDefinitionGroups": [
      {
        "name": "CIS_Azure_1.1.0_1.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_1.1"
      },
      {
        "name": "CIS_Azure_1.1.0_1.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_1.5"
      },
      {
        "name": "CIS_Azure_1.1.0_1.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_1.6"
      },
      {
        "name": "CIS_Azure_1.1.0_1.7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_1.7"
      },
      {
        "name": "CIS_Azure_1.1.0_1.15",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_1.15"
      },
      {
        "name": "CIS_Azure_1.1.0_1.21",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_1.21"
      },
      {
        "name": "CIS_Azure_1.1.0_1.22",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_1.22"
      },
      {
        "name": "CIS_Azure_1.1.0_1.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_1.2"
      },
      {
        "name": "CIS_Azure_1.1.0_1.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_1.3"
      },
      {
        "name": "CIS_Azure_1.1.0_1.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_1.4"
      },
      {
        "name": "CIS_Azure_1.1.0_1.8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_1.8"
      },
      {
        "name": "CIS_Azure_1.1.0_1.9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_1.9"
      },
      {
        "name": "CIS_Azure_1.1.0_1.10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_1.10"
      },
      {
        "name": "CIS_Azure_1.1.0_1.11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_1.11"
      },
      {
        "name": "CIS_Azure_1.1.0_1.12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_1.12"
      },
      {
        "name": "CIS_Azure_1.1.0_1.13",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_1.13"
      },
      {
        "name": "CIS_Azure_1.1.0_1.14",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_1.14"
      },
      {
        "name": "CIS_Azure_1.1.0_1.16",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_1.16"
      },
      {
        "name": "CIS_Azure_1.1.0_1.17",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_1.17"
      },
      {
        "name": "CIS_Azure_1.1.0_1.18",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_1.18"
      },
      {
        "name": "CIS_Azure_1.1.0_1.19",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_1.19"
      },
      {
        "name": "CIS_Azure_1.1.0_1.20",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_1.20"
      },
      {
        "name": "CIS_Azure_1.1.0_1.23",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_1.23"
      },
      {
        "name": "CIS_Azure_1.1.0_2.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_2.1"
      },
      {
        "name": "CIS_Azure_1.1.0_2.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_2.2"
      },
      {
        "name": "CIS_Azure_1.1.0_2.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_2.3"
      },
      {
        "name": "CIS_Azure_1.1.0_2.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_2.4"
      },
      {
        "name": "CIS_Azure_1.1.0_2.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_2.5"
      },
      {
        "name": "CIS_Azure_1.1.0_2.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_2.6"
      },
      {
        "name": "CIS_Azure_1.1.0_2.7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_2.7"
      },
      {
        "name": "CIS_Azure_1.1.0_2.8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_2.8"
      },
      {
        "name": "CIS_Azure_1.1.0_2.9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_2.9"
      },
      {
        "name": "CIS_Azure_1.1.0_2.10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_2.10"
      },
      {
        "name": "CIS_Azure_1.1.0_2.11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_2.11"
      },
      {
        "name": "CIS_Azure_1.1.0_2.12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_2.12"
      },
      {
        "name": "CIS_Azure_1.1.0_2.13",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_2.13"
      },
      {
        "name": "CIS_Azure_1.1.0_2.14",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_2.14"
      },
      {
        "name": "CIS_Azure_1.1.0_2.15",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_2.15"
      },
      {
        "name": "CIS_Azure_1.1.0_2.16",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_2.16"
      },
      {
        "name": "CIS_Azure_1.1.0_2.17",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_2.17"
      },
      {
        "name": "CIS_Azure_1.1.0_2.18",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_2.18"
      },
      {
        "name": "CIS_Azure_1.1.0_2.19",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_2.19"
      },
      {
        "name": "CIS_Azure_1.1.0_3.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_3.1"
      },
      {
        "name": "CIS_Azure_1.1.0_3.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_3.2"
      },
      {
        "name": "CIS_Azure_1.1.0_3.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_3.4"
      },
      {
        "name": "CIS_Azure_1.1.0_3.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_3.5"
      },
      {
        "name": "CIS_Azure_1.1.0_3.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_3.6"
      },
      {
        "name": "CIS_Azure_1.1.0_3.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_3.3"
      },
      {
        "name": "CIS_Azure_1.1.0_3.7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_3.7"
      },
      {
        "name": "CIS_Azure_1.1.0_3.8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_3.8"
      },
      {
        "name": "CIS_Azure_1.1.0_4.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_4.1"
      },
      {
        "name": "CIS_Azure_1.1.0_4.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_4.2"
      },
      {
        "name": "CIS_Azure_1.1.0_4.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_4.3"
      },
      {
        "name": "CIS_Azure_1.1.0_4.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_4.4"
      },
      {
        "name": "CIS_Azure_1.1.0_4.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_4.5"
      },
      {
        "name": "CIS_Azure_1.1.0_4.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_4.6"
      },
      {
        "name": "CIS_Azure_1.1.0_4.7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_4.7"
      },
      {
        "name": "CIS_Azure_1.1.0_4.8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_4.8"
      },
      {
        "name": "CIS_Azure_1.1.0_4.9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_4.9"
      },
      {
        "name": "CIS_Azure_1.1.0_4.10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_4.10"
      },
      {
        "name": "CIS_Azure_1.1.0_4.11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_4.11"
      },
      {
        "name": "CIS_Azure_1.1.0_4.12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_4.12"
      },
      {
        "name": "CIS_Azure_1.1.0_4.13",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_4.13"
      },
      {
        "name": "CIS_Azure_1.1.0_4.14",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_4.14"
      },
      {
        "name": "CIS_Azure_1.1.0_4.15",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_4.15"
      },
      {
        "name": "CIS_Azure_1.1.0_4.16",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_4.16"
      },
      {
        "name": "CIS_Azure_1.1.0_4.17",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_4.17"
      },
      {
        "name": "CIS_Azure_1.1.0_4.18",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_4.18"
      },
      {
        "name": "CIS_Azure_1.1.0_4.19",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_4.19"
      },
      {
        "name": "CIS_Azure_1.1.0_5.1.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_5.1.1"
      },
      {
        "name": "CIS_Azure_1.1.0_5.1.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_5.1.2"
      },
      {
        "name": "CIS_Azure_1.1.0_5.1.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_5.1.3"
      },
      {
        "name": "CIS_Azure_1.1.0_5.1.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_5.1.4"
      },
      {
        "name": "CIS_Azure_1.1.0_5.1.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_5.1.5"
      },
      {
        "name": "CIS_Azure_1.1.0_5.1.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_5.1.6"
      },
      {
        "name": "CIS_Azure_1.1.0_5.1.7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_5.1.7"
      },
      {
        "name": "CIS_Azure_1.1.0_5.2.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_5.2.1"
      },
      {
        "name": "CIS_Azure_1.1.0_5.2.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_5.2.2"
      },
      {
        "name": "CIS_Azure_1.1.0_5.2.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_5.2.3"
      },
      {
        "name": "CIS_Azure_1.1.0_5.2.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_5.2.4"
      },
      {
        "name": "CIS_Azure_1.1.0_5.2.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_5.2.5"
      },
      {
        "name": "CIS_Azure_1.1.0_5.2.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_5.2.6"
      },
      {
        "name": "CIS_Azure_1.1.0_5.2.7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_5.2.7"
      },
      {
        "name": "CIS_Azure_1.1.0_5.2.8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_5.2.8"
      },
      {
        "name": "CIS_Azure_1.1.0_5.2.9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_5.2.9"
      },
      {
        "name": "CIS_Azure_1.1.0_6.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_6.1"
      },
      {
        "name": "CIS_Azure_1.1.0_6.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_6.2"
      },
      {
        "name": "CIS_Azure_1.1.0_6.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_6.3"
      },
      {
        "name": "CIS_Azure_1.1.0_6.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_6.5"
      },
      {
        "name": "CIS_Azure_1.1.0_6.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_6.4"
      },
      {
        "name": "CIS_Azure_1.1.0_7.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_7.1"
      },
      {
        "name": "CIS_Azure_1.1.0_7.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_7.2"
      },
      {
        "name": "CIS_Azure_1.1.0_7.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_7.3"
      },
      {
        "name": "CIS_Azure_1.1.0_7.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_7.4"
      },
      {
        "name": "CIS_Azure_1.1.0_7.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_7.5"
      },
      {
        "name": "CIS_Azure_1.1.0_7.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_7.6"
      },
      {
        "name": "CIS_Azure_1.1.0_8.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_8.1"
      },
      {
        "name": "CIS_Azure_1.1.0_8.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_8.2"
      },
      {
        "name": "CIS_Azure_1.1.0_8.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_8.4"
      },
      {
        "name": "CIS_Azure_1.1.0_8.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_8.5"
      },
      {
        "name": "CIS_Azure_1.1.0_8.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_8.3"
      },
      {
        "name": "CIS_Azure_1.1.0_9.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_9.1"
      },
      {
        "name": "CIS_Azure_1.1.0_9.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_9.2"
      },
      {
        "name": "CIS_Azure_1.1.0_9.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_9.3"
      },
      {
        "name": "CIS_Azure_1.1.0_9.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_9.4"
      },
      {
        "name": "CIS_Azure_1.1.0_9.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_9.5"
      },
      {
        "name": "CIS_Azure_1.1.0_9.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_9.6"
      },
      {
        "name": "CIS_Azure_1.1.0_9.7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_9.7"
      },
      {
        "name": "CIS_Azure_1.1.0_9.8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_9.8"
      },
      {
        "name": "CIS_Azure_1.1.0_9.9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_9.9"
      },
      {
        "name": "CIS_Azure_1.1.0_9.10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.1.0_9.10"
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "1a5bb27d-173f-493e-9568-eb56638dde4d"
}
BuiltIn Regulatory Compliance False False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "CIS Microsoft Azure Foundations Benchmark v1.3.0",
    "policyType": "BuiltIn",
    "description": "This initiative includes policies that address a subset of CIS Microsoft Azure Foundations Benchmark recommendations. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/cisazure130-initiative.",
    "metadata": {
      "version": "1.1.2",
      "category": "Regulatory Compliance"
    },
    "parameters": {
      "effect-aa633080-8b72-40c4-a2d7-d00c03e80bed": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: MFA should be enabled on accounts with owner permissions on your subscription",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-9297c21d-2ed6-4474-b48f-163f75654ce3": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: MFA should be enabled accounts with write permissions on your subscription",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-e3576e28-8b17-4677-84c3-db2990658d64": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: MFA should be enabled on accounts with read permissions on your subscription",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-5f76cf89-fbf2-47fd-a3f4-b891fa780b60": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: External accounts with read permissions should be removed from your subscription",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-5c607a2e-c700-4744-8254-d77e7c9eb5e4": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: External accounts with write permissions should be removed from your subscription",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-f8456c1c-aa66-4dfb-861a-25d127b775c9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: External accounts with owner permissions should be removed from your subscription",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Custom subscription owner roles should not exist",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-4da35fc9-c9e7-4960-aec9-797fe7d9051d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Defender for servers should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-2913021d-f2fd-4f3d-b958-22354e2bdbcb": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Defender for App Service should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-7fe3b40f-802b-4cdd-8bd4-fd799c948cc2": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Defender for Azure SQL Database servers should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-6581d072-105e-4418-827f-bd446d56421b": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Defender for SQL servers on machines should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-308fbb08-4ab8-4e67-9b29-592e93fb94fa": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Defender for Storage should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-523b5cd1-3e23-492f-a539-13118b6d1e3a": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Defender for Kubernetes should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-c25d9a16-bc35-4e15-a7e5-9db606bf9ed4": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Defender for container registries should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-0e6763cc-5078-4e64-889d-ff4d9a839047": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Defender for Key Vault should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-475aae12-b88a-4572-8b36-9b712b2b3a17": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Auto provisioning of the Log Analytics agent should be enabled on your subscription",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Subscriptions should have a contact email address for security issues",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-6e2593d9-add6-4083-9c9b-4b7d2188c899": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Email notification for high severity alerts should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-404c3081-a854-4457-ae30-26a93ef643f9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Secure transfer to storage accounts should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-4fa4b6c0-31ca-4c0d-b10d-24b96f62a751": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage account public access should be disallowed",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-34c877ad-507e-4c82-993e-3452a6e0ad3c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage accounts should restrict network access",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage accounts should restrict network access using virtual network rules",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-c9d007d0-c057-4772-b18c-01e546713bcd": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage accounts should allow access from trusted Microsoft services",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-6fac406b-40ca-413b-bf8e-0bf964659c25": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage account should use customer-managed key for encryption",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Auditing on SQL server should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9": {
        "type": "String",
        "metadata": {
          "displayName": "Required auditing setting for SQL servers"
        },
        "allowedValues": [
          "enabled",
          "disabled"
        ],
        "defaultValue": "enabled"
      },
      "effect-17k78e20-9358-41c9-923c-fb736d382a12": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Transparent Data Encryption on SQL databases should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-89099bee-89e0-4b26-a5f4-165451757743": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: SQL servers should be configured with 90 days auditing retention or higher.",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Advanced data security should be enabled on your SQL servers",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Advanced data security should be enabled on SQL Managed Instance",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Vulnerability assessment should be enabled on your SQL servers",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-1b7aa243-30e4-4c9e-bca8-d0d3022b634a": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Vulnerability assessment should be enabled on SQL Managed Instance",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-e802a67a-daf5-4436-9ea6-f6d821dd0c5d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Enforce SSL connection should be enabled for MySQL database servers",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-d158790f-bfb0-486c-8631-2dc6b4e8e6af": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Enforce SSL connection should be enabled for PostgreSQL database servers",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Log checkpoints should be enabled for PostgreSQL database servers",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-eb6f77b9-bd53-4e35-a23d-7f65d5f0e442": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Log connections should be enabled for PostgreSQL database servers",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-eb6f77b9-bd53-4e35-a23d-7f65d5f0e446": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Disconnections should be logged for PostgreSQL database servers.",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-5345bb39-67dc-4960-a1bf-427e16b9a0bd": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Connection throttling should be enabled for PostgreSQL database servers",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-1f314764-cb73-4fc9-b863-8eca98ac36e9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: An Azure Active Directory administrator should be provisioned for SQL servers",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-0d134df8-db83-46fb-ad72-fe0c9428c8dd": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: SQL servers should use customer-managed keys to encrypt data at rest",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-048248b0-55cd-46da-b1ff-39efd52db260": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: SQL managed instances should use customer-managed keys to encrypt data at rest",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-fbb99e8e-e444-4da0-9ff1-75c92f5a85b2": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage account containing the container with activity logs must be encrypted with BYOK",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-c5447c04-a4d7-4ba8-a263-c9ee321a6858-MicrosoftAuthorization-policyAssignments-write": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: An activity log alert should exist for specific Policy operations (Microsoft.Authorization/policyAssignments/write)",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-c5447c04-a4d7-4ba8-a263-c9ee321a6858-MicrosoftAuthorization-policyAssignments-delete": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: An activity log alert should exist for specific Policy operations (Microsoft.Authorization/policyAssignments/delete)",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-write": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: An activity log alert should exist for specific Administrative operations (Microsoft.Network/networkSecurityGroups/write)",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-delete": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: An activity log alert should exist for specific Administrative operations (Microsoft.Network/networkSecurityGroups/delete)",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-securityRules-write": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: An activity log alert should exist for specific Administrative operations (Microsoft.Network/networkSecurityGroups/securityRules/write)",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-securityRules-delete": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: An activity log alert should exist for specific Administrative operations (Microsoft.Network/networkSecurityGroups/securityRules/delete)",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-3b980d31-7904-4bb7-8575-5665739a8052-MicrosoftSecurity-securitySolutions-write": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: An activity log alert should exist for specific Security operations (Microsoft.Security/securitySolutions/write)",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-3b980d31-7904-4bb7-8575-5665739a8052-MicrosoftSecurity-securitySolutions-delete": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: An activity log alert should exist for specific Security operations (Microsoft.Security/securitySolutions/delete)",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftSql-servers-firewallRules-write": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: An activity log alert should exist for specific Administrative operations (Microsoft.Sql/servers/firewallRules/write)",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftSql-servers-firewallRules-delete": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: An activity log alert should exist for specific Administrative operations (Microsoft.Sql/servers/firewallRules/delete)",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-cf820ca0-f99e-4f3e-84fb-66e913812d21": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Resource logs in Key Vault should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "requiredRetentionDays": {
        "type": "String",
        "metadata": {
          "displayName": "Required retention period (days) for resource logs",
          "description": "For more information about resource logs, visit https://aka.ms/resourcelogs"
        },
        "defaultValue": "365"
      },
      "effect-b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Resource logs in App Services should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-428256e6-1fac-4f48-a757-df34c2b3336d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Resource logs in Batch accounts should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-7c1b1214-f927-48bf-8882-84f0af6588b1": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Resource logs in Virtual Machine Scale Sets should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "includeAKSClusters-7c1b1214-f927-48bf-8882-84f0af6588b1": {
        "type": "Boolean",
        "metadata": {
          "displayName": "Include AKS clusters when auditing if virtual machine scale set resource logs are enabled"
        },
        "defaultValue": false
      },
      "effect-057ef27e-665e-4328-8ea3-04b3122bd9fb": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Resource logs in Azure Data Lake Store should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-c95c74d9-38fe-4f0d-af86-0c7d626a315c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Resource logs in Data Lake Analytics should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-83a214f7-d01a-484b-91a9-ed54470c9a6a": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Resource logs in Event Hub should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-383856f8-de7f-44a2-81fc-e5135b5c2aa4": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Resource logs in IoT Hub should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-34f95f76-5386-4de7-b824-0d8478470c9d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Resource logs in Logic Apps should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-b4330a05-a843-4bc8-bf9a-cacce50c67f4": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Resource logs in Search services should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-f8d36e2f-389b-4ee4-898d-21aeb69a0f45": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Resource logs in Service Bus should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-f9be5368-9bf5-4b84-9e0a-7850da98bb46": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Resource logs in Azure Stream Analytics should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-e372f825-a257-4fb8-9175-797a8a8627d6": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: RDP access from the Internet should be blocked",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-2c89a2e5-7285-40fe-afe0-ae8654b92fab": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: SSH access from the Internet should be blocked",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "listOfLocations-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6": {
        "type": "Array",
        "metadata": {
          "displayName": "[Deprecated]: List of regions where Network Watcher should be enabled",
          "description": "To see a complete list of regions, run the PowerShell command Get-AzLocation",
          "strongType": "location",
          "deprecated": true
        },
        "defaultValue": []
      },
      "resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6": {
        "type": "String",
        "metadata": {
          "displayName": "Name of the resource group for Network Watcher",
          "description": "Name of the resource group where Network Watchers are located"
        },
        "defaultValue": "NetworkWatcherRG"
      },
      "effect-0961003e-5a0a-4549-abde-af6a37f2724d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-2c89a2e5-7285-40fe-afe0-ae8654b92fb2": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Unattached disks should be encrypted",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-c0e996f8-39cf-4af9-9f45-83fbde810432": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Only approved VM extensions should be installed",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "approvedExtensions-c0e996f8-39cf-4af9-9f45-83fbde810432": {
        "type": "Array",
        "metadata": {
          "displayName": "List of virtual machine extensions that are approved for use",
          "description": "A semicolon-separated list of virtual machine extensions; to see a complete list of extensions, use the Azure PowerShell command Get-AzVMExtensionImage"
        },
        "defaultValue": [
          "AzureDiskEncryption",
          "AzureDiskEncryptionForLinux",
          "DependencyAgentWindows",
          "DependencyAgentLinux",
          "IaaSAntimalware",
          "IaaSDiagnostics",
          "LinuxDiagnostic",
          "MicrosoftMonitoringAgent",
          "NetworkWatcherAgentLinux",
          "NetworkWatcherAgentWindows",
          "OmsAgentForLinux",
          "VMSnapshot",
          "VMSnapshotLinux"
        ]
      },
      "effect-86b3d65f-7626-441e-b690-81a8b71cff60": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: System updates should be installed on your machines",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-af6cd1bd-1635-48cb-bde7-5b15693900b9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Monitor missing Endpoint Protection in Azure Security Center",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Keys should have expiration dates set",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-98728c90-32c7-4049-8429-847dc0f4fe37": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Secrets should have expiration dates set",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Key vault should have purge protection enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-ac4a19c2-fa67-49b4-8ae5-0b2e78c49457": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Role-Based Access Control (RBAC) should be used on Kubernetes Services",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-c4ebc54a-46e1-481a-bee2-d4411e95d828": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Authentication should be enabled on your API app",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Authentication should be enabled on your Function app",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-95bccee9-a7f8-4bec-9ee9-62c3473701fc": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Authentication should be enabled on your web app",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-a4af4a39-4135-47fb-b175-47fbdf85311d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Web Application should only be accessible over HTTPS",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Latest TLS version should be used in your API App",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-f9d614c5-c173-4d56-95a7-b4437057d193": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Latest TLS version should be used in your Function App",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Latest TLS version should be used in your Web App",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-0c192fe8-9cbb-4516-85b3-0ade8bd03886": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On'",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-eaebaea7-8013-4ceb-9d14-7eb32271373c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure Function app has 'Client Certificates (Incoming client certificates)' set to 'On'",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-5bb220d9-2698-4ee4-8404-b9c30c9df609": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On'",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-c4d441f8-f9d9-4a9e-9cef-e82117cb3eef": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Managed identity should be used in your API App",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-0da106f2-4ca3-48e8-bc85-c638fe6aea8f": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Managed identity should be used in your Function App",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-2b9ad585-36bc-4615-b300-fd4435808332": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Managed identity should be used in your Web App",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure that 'PHP version' is the latest, if used as a part of the API app",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "PHPLatestVersion": {
        "type": "String",
        "metadata": {
          "displayName": "Latest PHP version for App Services",
          "description": "Latest supported PHP version for App Services"
        },
        "defaultValue": "7.3"
      },
      "effect-7261b898-8a84-4db8-9e04-18527132abb3": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure that 'PHP version' is the latest, if used as a part of the WEB app",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-74c3584d-afae-46f7-a20a-6f8adba71a16": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure that 'Python version' is the latest, if used as a part of the API app",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "LinuxPythonLatestVersion": {
        "type": "String",
        "metadata": {
          "displayName": "Latest Python version for Linux for App Services",
          "description": "Latest supported Python version for App Services"
        },
        "defaultValue": "3.8"
      },
      "effect-7238174a-fd10-4ef0-817e-fc820a951d73": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure that 'Python version' is the latest, if used as a part of the Function app",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-7008174a-fd10-4ef0-817e-fc820a951d73": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure that 'Python version' is the latest, if used as a part of the Web app",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-88999f4c-376a-45c8-bcb3-4058f713cf39": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure that 'Java version' is the latest, if used as a part of the API app",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "JavaLatestVersion": {
        "type": "String",
        "metadata": {
          "displayName": "Latest Java version for App Services",
          "description": "Latest supported Java version for App Services"
        },
        "defaultValue": "11"
      },
      "effect-9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure that 'Java version' is the latest, if used as a part of the Function app",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-496223c3-ad65-4ecd-878a-bae78737e9ed": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure that 'Java version' is the latest, if used as a part of the Web app",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-991310cd-e9f3-47bc-b7b6-f57b557d07db": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure that 'HTTP Version' is the latest, if used to run the API app",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-e2c1c086-2d84-4019-bff3-c44ccd95113c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure that 'HTTP Version' is the latest, if used to run the Function app",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-8c122334-9d20-4eb8-89ea-ac9a705b74ae": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure that 'HTTP Version' is the latest, if used to run the Web app",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-9a1b8c48-453a-4044-86c3-d8bfd823e4f5": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: FTPS only should be required in your API App",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-399b2637-a50f-4f95-96f8-3a145476eb15": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: FTPS only should be required in your Function App",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: FTPS should be required in your Web App",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "aa633080-8b72-40c4-a2d7-d00c03e80bed",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-aa633080-8b72-40c4-a2d7-d00c03e80bed')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_1.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "9297c21d-2ed6-4474-b48f-163f75654ce3",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-9297c21d-2ed6-4474-b48f-163f75654ce3')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_1.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "e3576e28-8b17-4677-84c3-db2990658d64",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-e3576e28-8b17-4677-84c3-db2990658d64')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_1.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "5f76cf89-fbf2-47fd-a3f4-b891fa780b60",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-5f76cf89-fbf2-47fd-a3f4-b891fa780b60')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_1.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "5c607a2e-c700-4744-8254-d77e7c9eb5e4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-5c607a2e-c700-4744-8254-d77e7c9eb5e4')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_1.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "f8456c1c-aa66-4dfb-861a-25d127b775c9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-f8456c1c-aa66-4dfb-861a-25d127b775c9')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_1.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_1.21"
        ]
      },
      {
        "policyDefinitionReferenceId": "4da35fc9-c9e7-4960-aec9-797fe7d9051d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-4da35fc9-c9e7-4960-aec9-797fe7d9051d')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_2.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "2913021d-f2fd-4f3d-b958-22354e2bdbcb",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcb",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-2913021d-f2fd-4f3d-b958-22354e2bdbcb')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_2.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "7fe3b40f-802b-4cdd-8bd4-fd799c948cc2",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-7fe3b40f-802b-4cdd-8bd4-fd799c948cc2')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_2.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "6581d072-105e-4418-827f-bd446d56421b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6581d072-105e-4418-827f-bd446d56421b",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-6581d072-105e-4418-827f-bd446d56421b')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_2.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "308fbb08-4ab8-4e67-9b29-592e93fb94fa",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-308fbb08-4ab8-4e67-9b29-592e93fb94fa')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_2.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "523b5cd1-3e23-492f-a539-13118b6d1e3a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/523b5cd1-3e23-492f-a539-13118b6d1e3a",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-523b5cd1-3e23-492f-a539-13118b6d1e3a')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_2.6"
        ]
      },
      {
        "policyDefinitionReferenceId": "c25d9a16-bc35-4e15-a7e5-9db606bf9ed4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c25d9a16-bc35-4e15-a7e5-9db606bf9ed4",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-c25d9a16-bc35-4e15-a7e5-9db606bf9ed4')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_2.7"
        ]
      },
      {
        "policyDefinitionReferenceId": "0e6763cc-5078-4e64-889d-ff4d9a839047",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0e6763cc-5078-4e64-889d-ff4d9a839047')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_2.8"
        ]
      },
      {
        "policyDefinitionReferenceId": "475aae12-b88a-4572-8b36-9b712b2b3a17",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-475aae12-b88a-4572-8b36-9b712b2b3a17')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_2.11"
        ]
      },
      {
        "policyDefinitionReferenceId": "4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_2.13"
        ]
      },
      {
        "policyDefinitionReferenceId": "6e2593d9-add6-4083-9c9b-4b7d2188c899",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-6e2593d9-add6-4083-9c9b-4b7d2188c899')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_2.14"
        ]
      },
      {
        "policyDefinitionReferenceId": "404c3081-a854-4457-ae30-26a93ef643f9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-404c3081-a854-4457-ae30-26a93ef643f9')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_3.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "4fa4b6c0-31ca-4c0d-b10d-24b96f62a751",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-4fa4b6c0-31ca-4c0d-b10d-24b96f62a751')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_3.5",
          "CIS_Azure_1.3.0_5.1.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "34c877ad-507e-4c82-993e-3452a6e0ad3c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-34c877ad-507e-4c82-993e-3452a6e0ad3c')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_3.6"
        ]
      },
      {
        "policyDefinitionReferenceId": "2a1a9cdf-e04d-429a-8416-3bfb72a1b26f",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_3.6"
        ]
      },
      {
        "policyDefinitionReferenceId": "c9d007d0-c057-4772-b18c-01e546713bcd",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9d007d0-c057-4772-b18c-01e546713bcd",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-c9d007d0-c057-4772-b18c-01e546713bcd')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_3.7"
        ]
      },
      {
        "policyDefinitionReferenceId": "6fac406b-40ca-413b-bf8e-0bf964659c25",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-6fac406b-40ca-413b-bf8e-0bf964659c25')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_3.9"
        ]
      },
      {
        "policyDefinitionReferenceId": "a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9')]"
          },
          "setting": {
            "value": "[parameters('setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_4.1.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "17k78e20-9358-41c9-923c-fb736d382a12",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-17k78e20-9358-41c9-923c-fb736d382a12')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_4.1.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "89099bee-89e0-4b26-a5f4-165451757743",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-89099bee-89e0-4b26-a5f4-165451757743')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_4.1.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_4.2.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_4.2.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_4.2.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "1b7aa243-30e4-4c9e-bca8-d0d3022b634a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1b7aa243-30e4-4c9e-bca8-d0d3022b634a')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_4.2.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_4.2.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "e802a67a-daf5-4436-9ea6-f6d821dd0c5d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-e802a67a-daf5-4436-9ea6-f6d821dd0c5d')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_4.3.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "d158790f-bfb0-486c-8631-2dc6b4e8e6af",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-d158790f-bfb0-486c-8631-2dc6b4e8e6af')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_4.3.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_4.3.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "eb6f77b9-bd53-4e35-a23d-7f65d5f0e442",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e442",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-eb6f77b9-bd53-4e35-a23d-7f65d5f0e442')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_4.3.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "eb6f77b9-bd53-4e35-a23d-7f65d5f0e446",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e446",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-eb6f77b9-bd53-4e35-a23d-7f65d5f0e446')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_4.3.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "5345bb39-67dc-4960-a1bf-427e16b9a0bd",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5345bb39-67dc-4960-a1bf-427e16b9a0bd",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-5345bb39-67dc-4960-a1bf-427e16b9a0bd')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_4.3.6"
        ]
      },
      {
        "policyDefinitionReferenceId": "1f314764-cb73-4fc9-b863-8eca98ac36e9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1f314764-cb73-4fc9-b863-8eca98ac36e9')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_4.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "0d134df8-db83-46fb-ad72-fe0c9428c8dd",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0d134df8-db83-46fb-ad72-fe0c9428c8dd')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_4.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "048248b0-55cd-46da-b1ff-39efd52db260",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-048248b0-55cd-46da-b1ff-39efd52db260')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_4.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "fbb99e8e-e444-4da0-9ff1-75c92f5a85b2",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fbb99e8e-e444-4da0-9ff1-75c92f5a85b2",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-fbb99e8e-e444-4da0-9ff1-75c92f5a85b2')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_5.1.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "c5447c04-a4d7-4ba8-a263-c9ee321a6858-0",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c5447c04-a4d7-4ba8-a263-c9ee321a6858",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-c5447c04-a4d7-4ba8-a263-c9ee321a6858-MicrosoftAuthorization-policyAssignments-write')]"
          },
          "operationName": {
            "value": "Microsoft.Authorization/policyAssignments/write"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_5.2.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "c5447c04-a4d7-4ba8-a263-c9ee321a6858-1",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c5447c04-a4d7-4ba8-a263-c9ee321a6858",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-c5447c04-a4d7-4ba8-a263-c9ee321a6858-MicrosoftAuthorization-policyAssignments-delete')]"
          },
          "operationName": {
            "value": "Microsoft.Authorization/policyAssignments/delete"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_5.2.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "b954148f-4c11-4c38-8221-be76711e194a-0",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b954148f-4c11-4c38-8221-be76711e194a",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-write')]"
          },
          "operationName": {
            "value": "Microsoft.Network/networkSecurityGroups/write"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_5.2.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "b954148f-4c11-4c38-8221-be76711e194a-1",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b954148f-4c11-4c38-8221-be76711e194a",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-delete')]"
          },
          "operationName": {
            "value": "Microsoft.Network/networkSecurityGroups/delete"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_5.2.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "b954148f-4c11-4c38-8221-be76711e194a-2",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b954148f-4c11-4c38-8221-be76711e194a",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-securityRules-write')]"
          },
          "operationName": {
            "value": "Microsoft.Network/networkSecurityGroups/securityRules/write"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_5.2.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "b954148f-4c11-4c38-8221-be76711e194a-3",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b954148f-4c11-4c38-8221-be76711e194a",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftNetwork-networkSecurityGroups-securityRules-delete')]"
          },
          "operationName": {
            "value": "Microsoft.Network/networkSecurityGroups/securityRules/delete"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_5.2.6"
        ]
      },
      {
        "policyDefinitionReferenceId": "3b980d31-7904-4bb7-8575-5665739a8052-0",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3b980d31-7904-4bb7-8575-5665739a8052",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-3b980d31-7904-4bb7-8575-5665739a8052-MicrosoftSecurity-securitySolutions-write')]"
          },
          "operationName": {
            "value": "Microsoft.Security/securitySolutions/write"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_5.2.7"
        ]
      },
      {
        "policyDefinitionReferenceId": "3b980d31-7904-4bb7-8575-5665739a8052-1",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3b980d31-7904-4bb7-8575-5665739a8052",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-3b980d31-7904-4bb7-8575-5665739a8052-MicrosoftSecurity-securitySolutions-delete')]"
          },
          "operationName": {
            "value": "Microsoft.Security/securitySolutions/delete"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_5.2.8"
        ]
      },
      {
        "policyDefinitionReferenceId": "b954148f-4c11-4c38-8221-be76711e194a-4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b954148f-4c11-4c38-8221-be76711e194a",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftSql-servers-firewallRules-write')]"
          },
          "operationName": {
            "value": "Microsoft.Sql/servers/firewallRules/write"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_5.2.9"
        ]
      },
      {
        "policyDefinitionReferenceId": "b954148f-4c11-4c38-8221-be76711e194a-5",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b954148f-4c11-4c38-8221-be76711e194a",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-b954148f-4c11-4c38-8221-be76711e194a-MicrosoftSql-servers-firewallRules-delete')]"
          },
          "operationName": {
            "value": "Microsoft.Sql/servers/firewallRules/delete"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_5.2.9"
        ]
      },
      {
        "policyDefinitionReferenceId": "cf820ca0-f99e-4f3e-84fb-66e913812d21",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-cf820ca0-f99e-4f3e-84fb-66e913812d21')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_5.1.5",
          "CIS_Azure_1.3.0_5.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_5.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "428256e6-1fac-4f48-a757-df34c2b3336d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-428256e6-1fac-4f48-a757-df34c2b3336d')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_5.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "7c1b1214-f927-48bf-8882-84f0af6588b1",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-7c1b1214-f927-48bf-8882-84f0af6588b1')]"
          },
          "includeAKSClusters": {
            "value": "[parameters('includeAKSClusters-7c1b1214-f927-48bf-8882-84f0af6588b1')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_5.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "057ef27e-665e-4328-8ea3-04b3122bd9fb",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-057ef27e-665e-4328-8ea3-04b3122bd9fb')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_5.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "c95c74d9-38fe-4f0d-af86-0c7d626a315c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-c95c74d9-38fe-4f0d-af86-0c7d626a315c')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_5.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "83a214f7-d01a-484b-91a9-ed54470c9a6a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-83a214f7-d01a-484b-91a9-ed54470c9a6a')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_5.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "383856f8-de7f-44a2-81fc-e5135b5c2aa4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-383856f8-de7f-44a2-81fc-e5135b5c2aa4')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_5.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "34f95f76-5386-4de7-b824-0d8478470c9d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-34f95f76-5386-4de7-b824-0d8478470c9d')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_5.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "b4330a05-a843-4bc8-bf9a-cacce50c67f4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-b4330a05-a843-4bc8-bf9a-cacce50c67f4')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_5.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "f8d36e2f-389b-4ee4-898d-21aeb69a0f45",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-f8d36e2f-389b-4ee4-898d-21aeb69a0f45')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_5.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "f9be5368-9bf5-4b84-9e0a-7850da98bb46",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-f9be5368-9bf5-4b84-9e0a-7850da98bb46')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_5.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "e372f825-a257-4fb8-9175-797a8a8627d6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e372f825-a257-4fb8-9175-797a8a8627d6",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-e372f825-a257-4fb8-9175-797a8a8627d6')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_6.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "2c89a2e5-7285-40fe-afe0-ae8654b92fab",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fab",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-2c89a2e5-7285-40fe-afe0-ae8654b92fab')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_6.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "b6e2945c-0b7b-40f5-9233-7a5323b5cdc6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6",
        "parameters": {
          "resourceGroupName": {
            "value": "[parameters('resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_6.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "06a78e20-9358-41c9-923c-fb736d382a4d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d",
        "parameters": {},
        "groupNames": [
          "CIS_Azure_1.3.0_7.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "0961003e-5a0a-4549-abde-af6a37f2724d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0961003e-5a0a-4549-abde-af6a37f2724d')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_7.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "2c89a2e5-7285-40fe-afe0-ae8654b92fb2",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fb2",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-2c89a2e5-7285-40fe-afe0-ae8654b92fb2')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_7.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "c0e996f8-39cf-4af9-9f45-83fbde810432",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c0e996f8-39cf-4af9-9f45-83fbde810432",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-c0e996f8-39cf-4af9-9f45-83fbde810432')]"
          },
          "approvedExtensions": {
            "value": "[parameters('approvedExtensions-c0e996f8-39cf-4af9-9f45-83fbde810432')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_7.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "86b3d65f-7626-441e-b690-81a8b71cff60",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-86b3d65f-7626-441e-b690-81a8b71cff60')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_7.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "af6cd1bd-1635-48cb-bde7-5b15693900b9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-af6cd1bd-1635-48cb-bde7-5b15693900b9')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_7.6"
        ]
      },
      {
        "policyDefinitionReferenceId": "152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_8.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "98728c90-32c7-4049-8429-847dc0f4fe37",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-98728c90-32c7-4049-8429-847dc0f4fe37')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_8.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "0b60c0b2-2dc2-4e1c-b5c9-abbed971de53",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_8.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ac4a19c2-fa67-49b4-8ae5-0b2e78c49457",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-ac4a19c2-fa67-49b4-8ae5-0b2e78c49457')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_8.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "c4ebc54a-46e1-481a-bee2-d4411e95d828",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c4ebc54a-46e1-481a-bee2-d4411e95d828",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-c4ebc54a-46e1-481a-bee2-d4411e95d828')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_9.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_9.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "95bccee9-a7f8-4bec-9ee9-62c3473701fc",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/95bccee9-a7f8-4bec-9ee9-62c3473701fc",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-95bccee9-a7f8-4bec-9ee9-62c3473701fc')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_9.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "a4af4a39-4135-47fb-b175-47fbdf85311d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-a4af4a39-4135-47fb-b175-47fbdf85311d')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_9.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_9.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "f9d614c5-c173-4d56-95a7-b4437057d193",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-f9d614c5-c173-4d56-95a7-b4437057d193')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_9.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_9.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "0c192fe8-9cbb-4516-85b3-0ade8bd03886",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0c192fe8-9cbb-4516-85b3-0ade8bd03886",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0c192fe8-9cbb-4516-85b3-0ade8bd03886')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_9.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "eaebaea7-8013-4ceb-9d14-7eb32271373c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eaebaea7-8013-4ceb-9d14-7eb32271373c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-eaebaea7-8013-4ceb-9d14-7eb32271373c')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_9.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "5bb220d9-2698-4ee4-8404-b9c30c9df609",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-5bb220d9-2698-4ee4-8404-b9c30c9df609')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_9.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "c4d441f8-f9d9-4a9e-9cef-e82117cb3eef",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-c4d441f8-f9d9-4a9e-9cef-e82117cb3eef')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_9.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "0da106f2-4ca3-48e8-bc85-c638fe6aea8f",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0da106f2-4ca3-48e8-bc85-c638fe6aea8f')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_9.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "2b9ad585-36bc-4615-b300-fd4435808332",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-2b9ad585-36bc-4615-b300-fd4435808332')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_9.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba')]"
          },
          "PHPLatestVersion": {
            "value": "[parameters('PHPLatestVersion')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_9.6"
        ]
      },
      {
        "policyDefinitionReferenceId": "7261b898-8a84-4db8-9e04-18527132abb3",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-7261b898-8a84-4db8-9e04-18527132abb3')]"
          },
          "PHPLatestVersion": {
            "value": "[parameters('PHPLatestVersion')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_9.6"
        ]
      },
      {
        "policyDefinitionReferenceId": "74c3584d-afae-46f7-a20a-6f8adba71a16",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20a-6f8adba71a16",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-74c3584d-afae-46f7-a20a-6f8adba71a16')]"
          },
          "LinuxPythonLatestVersion": {
            "value": "[parameters('LinuxPythonLatestVersion')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_9.7"
        ]
      },
      {
        "policyDefinitionReferenceId": "7238174a-fd10-4ef0-817e-fc820a951d73",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-7238174a-fd10-4ef0-817e-fc820a951d73')]"
          },
          "LinuxPythonLatestVersion": {
            "value": "[parameters('LinuxPythonLatestVersion')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_9.7"
        ]
      },
      {
        "policyDefinitionReferenceId": "7008174a-fd10-4ef0-817e-fc820a951d73",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-7008174a-fd10-4ef0-817e-fc820a951d73')]"
          },
          "LinuxPythonLatestVersion": {
            "value": "[parameters('LinuxPythonLatestVersion')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_9.7"
        ]
      },
      {
        "policyDefinitionReferenceId": "88999f4c-376a-45c8-bcb3-4058f713cf39",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/88999f4c-376a-45c8-bcb3-4058f713cf39",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-88999f4c-376a-45c8-bcb3-4058f713cf39')]"
          },
          "JavaLatestVersion": {
            "value": "[parameters('JavaLatestVersion')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_9.8"
        ]
      },
      {
        "policyDefinitionReferenceId": "9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc')]"
          },
          "JavaLatestVersion": {
            "value": "[parameters('JavaLatestVersion')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_9.8"
        ]
      },
      {
        "policyDefinitionReferenceId": "496223c3-ad65-4ecd-878a-bae78737e9ed",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-496223c3-ad65-4ecd-878a-bae78737e9ed')]"
          },
          "JavaLatestVersion": {
            "value": "[parameters('JavaLatestVersion')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_9.8"
        ]
      },
      {
        "policyDefinitionReferenceId": "991310cd-e9f3-47bc-b7b6-f57b557d07db",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/991310cd-e9f3-47bc-b7b6-f57b557d07db",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-991310cd-e9f3-47bc-b7b6-f57b557d07db')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_9.9"
        ]
      },
      {
        "policyDefinitionReferenceId": "e2c1c086-2d84-4019-bff3-c44ccd95113c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e2c1c086-2d84-4019-bff3-c44ccd95113c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-e2c1c086-2d84-4019-bff3-c44ccd95113c')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_9.9"
        ]
      },
      {
        "policyDefinitionReferenceId": "8c122334-9d20-4eb8-89ea-ac9a705b74ae",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8c122334-9d20-4eb8-89ea-ac9a705b74ae",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-8c122334-9d20-4eb8-89ea-ac9a705b74ae')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_9.9"
        ]
      },
      {
        "policyDefinitionReferenceId": "9a1b8c48-453a-4044-86c3-d8bfd823e4f5",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-9a1b8c48-453a-4044-86c3-d8bfd823e4f5')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_9.10"
        ]
      },
      {
        "policyDefinitionReferenceId": "399b2637-a50f-4f95-96f8-3a145476eb15",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-399b2637-a50f-4f95-96f8-3a145476eb15')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_9.10"
        ]
      },
      {
        "policyDefinitionReferenceId": "4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b')]"
          }
        },
        "groupNames": [
          "CIS_Azure_1.3.0_9.10"
        ]
      }
    ],
    "policyDefinitionGroups": [
      {
        "name": "CIS_Azure_1.3.0_1.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_1.1"
      },
      {
        "name": "CIS_Azure_1.3.0_1.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_1.2"
      },
      {
        "name": "CIS_Azure_1.3.0_1.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_1.3"
      },
      {
        "name": "CIS_Azure_1.3.0_1.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_1.4"
      },
      {
        "name": "CIS_Azure_1.3.0_1.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_1.5"
      },
      {
        "name": "CIS_Azure_1.3.0_1.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_1.6"
      },
      {
        "name": "CIS_Azure_1.3.0_1.7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_1.7"
      },
      {
        "name": "CIS_Azure_1.3.0_1.8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_1.8"
      },
      {
        "name": "CIS_Azure_1.3.0_1.9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_1.9"
      },
      {
        "name": "CIS_Azure_1.3.0_1.10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_1.10"
      },
      {
        "name": "CIS_Azure_1.3.0_1.11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_1.11"
      },
      {
        "name": "CIS_Azure_1.3.0_1.12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_1.12"
      },
      {
        "name": "CIS_Azure_1.3.0_1.13",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_1.13"
      },
      {
        "name": "CIS_Azure_1.3.0_1.14",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_1.14"
      },
      {
        "name": "CIS_Azure_1.3.0_1.15",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_1.15"
      },
      {
        "name": "CIS_Azure_1.3.0_1.16",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_1.16"
      },
      {
        "name": "CIS_Azure_1.3.0_1.17",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_1.17"
      },
      {
        "name": "CIS_Azure_1.3.0_1.18",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_1.18"
      },
      {
        "name": "CIS_Azure_1.3.0_1.19",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_1.19"
      },
      {
        "name": "CIS_Azure_1.3.0_1.20",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_1.20"
      },
      {
        "name": "CIS_Azure_1.3.0_1.21",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_1.21"
      },
      {
        "name": "CIS_Azure_1.3.0_1.22",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_1.22"
      },
      {
        "name": "CIS_Azure_1.3.0_1.23",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_1.23"
      },
      {
        "name": "CIS_Azure_1.3.0_2.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_2.1"
      },
      {
        "name": "CIS_Azure_1.3.0_2.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_2.2"
      },
      {
        "name": "CIS_Azure_1.3.0_2.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_2.3"
      },
      {
        "name": "CIS_Azure_1.3.0_2.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_2.4"
      },
      {
        "name": "CIS_Azure_1.3.0_2.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_2.5"
      },
      {
        "name": "CIS_Azure_1.3.0_2.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_2.6"
      },
      {
        "name": "CIS_Azure_1.3.0_2.7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_2.7"
      },
      {
        "name": "CIS_Azure_1.3.0_2.8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_2.8"
      },
      {
        "name": "CIS_Azure_1.3.0_2.9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_2.9"
      },
      {
        "name": "CIS_Azure_1.3.0_2.10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_2.10"
      },
      {
        "name": "CIS_Azure_1.3.0_2.11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_2.11"
      },
      {
        "name": "CIS_Azure_1.3.0_2.12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_2.12"
      },
      {
        "name": "CIS_Azure_1.3.0_2.13",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_2.13"
      },
      {
        "name": "CIS_Azure_1.3.0_2.14",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_2.14"
      },
      {
        "name": "CIS_Azure_1.3.0_2.15",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_2.15"
      },
      {
        "name": "CIS_Azure_1.3.0_3.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_3.1"
      },
      {
        "name": "CIS_Azure_1.3.0_3.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_3.2"
      },
      {
        "name": "CIS_Azure_1.3.0_3.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_3.3"
      },
      {
        "name": "CIS_Azure_1.3.0_3.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_3.4"
      },
      {
        "name": "CIS_Azure_1.3.0_3.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_3.5"
      },
      {
        "name": "CIS_Azure_1.3.0_3.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_3.6"
      },
      {
        "name": "CIS_Azure_1.3.0_3.7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_3.7"
      },
      {
        "name": "CIS_Azure_1.3.0_3.8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_3.8"
      },
      {
        "name": "CIS_Azure_1.3.0_3.9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_3.9"
      },
      {
        "name": "CIS_Azure_1.3.0_3.10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_3.10"
      },
      {
        "name": "CIS_Azure_1.3.0_3.11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_3.11"
      },
      {
        "name": "CIS_Azure_1.3.0_4.1.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_4.1.1"
      },
      {
        "name": "CIS_Azure_1.3.0_4.1.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_4.1.2"
      },
      {
        "name": "CIS_Azure_1.3.0_4.1.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_4.1.3"
      },
      {
        "name": "CIS_Azure_1.3.0_4.2.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_4.2.1"
      },
      {
        "name": "CIS_Azure_1.3.0_4.2.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_4.2.2"
      },
      {
        "name": "CIS_Azure_1.3.0_4.2.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_4.2.3"
      },
      {
        "name": "CIS_Azure_1.3.0_4.2.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_4.2.4"
      },
      {
        "name": "CIS_Azure_1.3.0_4.2.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_4.2.5"
      },
      {
        "name": "CIS_Azure_1.3.0_4.3.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_4.3.1"
      },
      {
        "name": "CIS_Azure_1.3.0_4.3.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_4.3.2"
      },
      {
        "name": "CIS_Azure_1.3.0_4.3.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_4.3.3"
      },
      {
        "name": "CIS_Azure_1.3.0_4.3.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_4.3.4"
      },
      {
        "name": "CIS_Azure_1.3.0_4.3.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_4.3.5"
      },
      {
        "name": "CIS_Azure_1.3.0_4.3.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_4.3.6"
      },
      {
        "name": "CIS_Azure_1.3.0_4.3.7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_4.3.7"
      },
      {
        "name": "CIS_Azure_1.3.0_4.3.8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_4.3.8"
      },
      {
        "name": "CIS_Azure_1.3.0_4.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_4.4"
      },
      {
        "name": "CIS_Azure_1.3.0_4.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_4.5"
      },
      {
        "name": "CIS_Azure_1.3.0_5.1.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_5.1.1"
      },
      {
        "name": "CIS_Azure_1.3.0_5.1.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_5.1.2"
      },
      {
        "name": "CIS_Azure_1.3.0_5.1.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_5.1.3"
      },
      {
        "name": "CIS_Azure_1.3.0_5.1.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_5.1.4"
      },
      {
        "name": "CIS_Azure_1.3.0_5.1.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_5.1.5"
      },
      {
        "name": "CIS_Azure_1.3.0_5.2.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_5.2.1"
      },
      {
        "name": "CIS_Azure_1.3.0_5.2.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_5.2.2"
      },
      {
        "name": "CIS_Azure_1.3.0_5.2.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_5.2.3"
      },
      {
        "name": "CIS_Azure_1.3.0_5.2.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_5.2.4"
      },
      {
        "name": "CIS_Azure_1.3.0_5.2.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_5.2.5"
      },
      {
        "name": "CIS_Azure_1.3.0_5.2.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_5.2.6"
      },
      {
        "name": "CIS_Azure_1.3.0_5.2.7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_5.2.7"
      },
      {
        "name": "CIS_Azure_1.3.0_5.2.8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_5.2.8"
      },
      {
        "name": "CIS_Azure_1.3.0_5.2.9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_5.2.9"
      },
      {
        "name": "CIS_Azure_1.3.0_5.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_5.3"
      },
      {
        "name": "CIS_Azure_1.3.0_6.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_6.1"
      },
      {
        "name": "CIS_Azure_1.3.0_6.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_6.2"
      },
      {
        "name": "CIS_Azure_1.3.0_6.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_6.3"
      },
      {
        "name": "CIS_Azure_1.3.0_6.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_6.4"
      },
      {
        "name": "CIS_Azure_1.3.0_6.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_6.5"
      },
      {
        "name": "CIS_Azure_1.3.0_6.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_6.6"
      },
      {
        "name": "CIS_Azure_1.3.0_7.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_7.1"
      },
      {
        "name": "CIS_Azure_1.3.0_7.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_7.2"
      },
      {
        "name": "CIS_Azure_1.3.0_7.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_7.3"
      },
      {
        "name": "CIS_Azure_1.3.0_7.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_7.4"
      },
      {
        "name": "CIS_Azure_1.3.0_7.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_7.5"
      },
      {
        "name": "CIS_Azure_1.3.0_7.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_7.6"
      },
      {
        "name": "CIS_Azure_1.3.0_7.7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_7.7"
      },
      {
        "name": "CIS_Azure_1.3.0_8.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_8.1"
      },
      {
        "name": "CIS_Azure_1.3.0_8.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_8.2"
      },
      {
        "name": "CIS_Azure_1.3.0_8.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_8.3"
      },
      {
        "name": "CIS_Azure_1.3.0_8.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_8.4"
      },
      {
        "name": "CIS_Azure_1.3.0_8.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_8.5"
      },
      {
        "name": "CIS_Azure_1.3.0_9.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_9.1"
      },
      {
        "name": "CIS_Azure_1.3.0_9.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_9.2"
      },
      {
        "name": "CIS_Azure_1.3.0_9.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_9.3"
      },
      {
        "name": "CIS_Azure_1.3.0_9.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_9.4"
      },
      {
        "name": "CIS_Azure_1.3.0_9.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_9.5"
      },
      {
        "name": "CIS_Azure_1.3.0_9.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_9.6"
      },
      {
        "name": "CIS_Azure_1.3.0_9.7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_9.7"
      },
      {
        "name": "CIS_Azure_1.3.0_9.8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_9.8"
      },
      {
        "name": "CIS_Azure_1.3.0_9.9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_9.9"
      },
      {
        "name": "CIS_Azure_1.3.0_9.10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_9.10"
      },
      {
        "name": "CIS_Azure_1.3.0_9.11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/CIS_Azure_1.3.0_9.11"
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/612b5213-9160-4969-8578-1518bd2a000c",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "612b5213-9160-4969-8578-1518bd2a000c"
}
BuiltIn Regulatory Compliance False False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "Configure Advanced Threat Protection to be enabled on open-source relational databases",
    "policyType": "BuiltIn",
    "description": "Enable Advanced Threat Protection on your non-Basic tier open-source relational databases to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. See https://aka.ms/AzDforOpenSourceDBsDocu.",
    "metadata": {
      "version": "1.0.0",
      "category": "Security Center"
    },
    "parameters": {},
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "deployAtpOnAzureDatabaseForPostgreSqlServer",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/db048e65-913c-49f9-bb5f-1084184671d3",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "deployAtpOnAzureDatabaseForMySqlServer",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "deployAdvancedThreatProtectionOnAzureDatabaseForMariaDbServer",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6cf7411-da9e-49e2-aec0-cba0250eaf8c",
        "parameters": {}
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e"
}
BuiltIn Security Center False False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "Configure Azure Defender to be enabled on SQL Servers and SQL Managed Instances",
    "policyType": "BuiltIn",
    "description": "Enable Azure Defender on your SQL Servers and SQL Managed Instances to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.",
    "metadata": {
      "version": "2.0.0",
      "category": "Security Center"
    },
    "parameters": {},
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "deployThreatDetectionOnSqlServers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "deployThreatDetectionOnSqlManagedInstances",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c5a62eb0-c65a-4220-8a4d-f70dd4ca95dd",
        "parameters": {}
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97"
}
BuiltIn Security Center False False n/a n/a true 2 /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/microsoft.authorization/policyassignments/dataprotectionsecuritycenter (ASC DataProtection (subscription: 4dfa3b56-55bf-4059-802a-24e44a4fb60f)), /subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/providers/microsoft.authorization/policyassignments/dataprotectionsecuritycenter (ASC DataProtection (subscription: f28ba982-5ed0-4033-9bdf-e45e4b5df466))
{
  "properties": {
    "displayName": "Configure Azure Monitor Agent to Linux virtual machines and associate to Data Collection Rule",
    "policyType": "BuiltIn",
    "description": "Deploy Azure Monitor Agent for Linux virtual machines if the virtual machine image (OS) and location are in the list defined and the agent is not installed.  Then, deploy Association to link virtual machine to specified Data Collection Rule. The list of OS images is updated over time as support is increased.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy."
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "listOfLinuxImageIdToInclude": {
        "type": "Array",
        "metadata": {
          "displayName": "Optional: List of virtual machine images that have supported Linux OS to add to scope",
          "description": "Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'"
        },
        "defaultValue": []
      },
      "DcrResourceId": {
        "type": "String",
        "metadata": {
          "displayName": "Data Collection Rule resource Id",
          "description": "Resource Id of the Data Collection Rule that the virtual machines in scope should point to."
        }
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "deployAzureMonitoringAgentLinux",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4034bc6-ae50-406d-bf76-50f4ee5a7811",
        "parameters": {
          "effect": {
            "value": "[parameters('effect')]"
          },
          "listOfLinuxImageIdToInclude": {
            "value": "[parameters('listOfLinuxImageIdToInclude')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "associateDataCollectionRuleLinux",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2ea82cdd-f2e8-4500-af75-67a2e084ca74",
        "parameters": {
          "effect": {
            "value": "[parameters('effect')]"
          },
          "listOfLinuxImageIdToInclude": {
            "value": "[parameters('listOfLinuxImageIdToInclude')]"
          },
          "DcrResourceId": {
            "value": "[parameters('DcrResourceId')]"
          }
        }
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/118f04da-0375-44d1-84e3-0fd9e1849403",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "118f04da-0375-44d1-84e3-0fd9e1849403"
}
BuiltIn Monitoring False False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "Configure Azure Monitor Agent to Windows virtual machines and associate to Data Collection Rule",
    "policyType": "BuiltIn",
    "description": "Deploy Azure Monitor Agent for Windows virtual machines if the virtual machine image (OS) and location are in the list defined and the agent is not installed.  Then, deploy Association to link virtual machine to specified Data Collection Rule. The list of OS images is updated over time as support is increased.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy."
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "listOfWindowsImageIdToInclude": {
        "type": "Array",
        "metadata": {
          "displayName": "Optional: List of virtual machine images that have supported Windows OS to add to scope",
          "description": "Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'"
        },
        "defaultValue": []
      },
      "DcrResourceId": {
        "type": "String",
        "metadata": {
          "displayName": "Data Collection Rule Resource Id",
          "description": "Resource Id of the Data Collection Rule that the virtual machines in scope should point to."
        }
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "deployAzureMonitoringAgentWindows",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ca817e41-e85a-4783-bc7f-dc532d36235e",
        "parameters": {
          "effect": {
            "value": "[parameters('effect')]"
          },
          "listOfWindowsImageIdToInclude": {
            "value": "[parameters('listOfWindowsImageIdToInclude')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "associateDataCollectionRuleWindows",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eab1f514-22e3-42e3-9a1f-e1dc9199355c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect')]"
          },
          "listOfWindowsImageIdToInclude": {
            "value": "[parameters('listOfWindowsImageIdToInclude')]"
          },
          "DcrResourceId": {
            "value": "[parameters('DcrResourceId')]"
          }
        }
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/9575b8b7-78ab-4281-b53b-d3c1ace2260b",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "9575b8b7-78ab-4281-b53b-d3c1ace2260b"
}
BuiltIn Monitoring False False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings to Azure Services",
    "policyType": "Custom",
    "description": "This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included ",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:40.6946713Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "displayName": "Log Analytics workspace",
          "strongType": "omsWorkspace"
        }
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "ACILogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for Container Instances to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics enabled."
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "ACRLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for Container Registry to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics  enabled."
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "AKSLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled."
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "AnalysisServiceLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "APIMgmtLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for API Management to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "ApplicationGatewayLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "AutomationLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for Automation to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "BatchLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for Batch to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "CDNEndpointsLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "CognitiveServicesLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "CosmosLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "DatabricksLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for Databricks to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "DataFactoryLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for Data Factory to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "DataLakeStoreLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "DataLakeAnalyticsLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "EventGridSubLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "EventGridTopicLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "EventHubLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "EventSystemTopicLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "ExpressRouteLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "FirewallLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for Firewall to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "FrontDoorLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for Front Door to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "FunctionAppLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "HDInsightLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for HDInsight to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "IotHubLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "KeyVaultLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for Key Vault to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "LoadBalancerLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "LogicAppsISELogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "LogicAppsWFLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for Logic Apps Workflow runtime to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for Logic Apps Workflow runtimeto stream to a Log Analytics workspace when any Logic Apps Workflow runtime which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "MariaDBLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for MariaDB to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB  which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "MlWorkspaceLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "MySQLLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "NetworkSecurityGroupsLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "NetworkNICLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "PostgreSQLLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "PowerBIEmbeddedLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "NetworkPublicIPNicLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "RecoveryVaultLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for Recovery Services vaults to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for Recovery Services vaults to stream to a Log Analytics workspace when any Recovery Services vaults which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "RedisCacheLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "RelayLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for Relay to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "SearchServicesLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for Search Services to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "ServiceBusLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for Service Bus namespaces  to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "SignalRLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for SignalR to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "SQLDBsLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for SQL Databases  to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases  which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "SQLElasticPoolsLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "SQLMLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "StreamAnalyticsLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "TimeSeriesInsightsLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "TrafficManagerLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "VirtualNetworkLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "VirtualMachinesLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "VMSSLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for Virtual Machine Scale Sets  to stream to a Log Analytics workspace when any Virtual Machine Scale Sets  which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "VNetGWLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled."
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "AppServiceLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "AppServiceWebappLogAnalyticsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy Diagnostic Settings for App Service to Log Analytics workspace",
          "description": "Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The policy wil  set the diagnostic with all metrics and category enabled"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "ACIDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('ACILogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "ACRDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('ACRLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AKSDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AKS",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('AKSLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AnalysisServiceDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('AnalysisServiceLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "APIMgmtDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('APIMgmtLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('ApplicationGatewayLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AutomationDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('AutomationLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "BatchDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Batch",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('BatchLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "CDNEndpointsDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('CDNEndpointsLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "CognitiveServicesDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('CognitiveServicesLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "CosmosDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('CosmosLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "DatabricksDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('DatabricksLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "DataFactoryDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('DataFactoryLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "DataLakeStoreDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataLakeStore",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('DataLakeStoreLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('DataLakeAnalyticsLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "EventGridSubDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('EventGridSubLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "EventGridTopicDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('EventGridTopicLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "EventHubDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventHub",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('EventHubLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "EventSystemTopicDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('EventSystemTopicLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "ExpressRouteDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('ExpressRouteLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "FirewallDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('FirewallLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "FrontDoorDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('FrontDoorLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "FunctionAppDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('FunctionAppLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "HDInsightDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('HDInsightLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "IotHubDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('IotHubLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "KeyVaultDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-KeyVault",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('KeyVaultLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "LoadBalancerDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('LoadBalancerLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "LogicAppsISEDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('LogicAppsISELogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "LogicAppsWFDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsWF",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('LogicAppsWFLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "MariaDBDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('MariaDBLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "MlWorkspaceDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('MlWorkspaceLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "MySQLDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('MySQLLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "NetworkNICDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('NetworkNICLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "PostgreSQLDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('PostgreSQLLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('PowerBIEmbeddedLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PublicIP",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('NetworkPublicIPNicLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "RecoveryVaultDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RecoveryVault",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('RecoveryVaultLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "RedisCacheDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('RedisCacheLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "RelayDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('RelayLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "SearchServicesDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SearchServices",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('SearchServicesLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "ServiceBusDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ServiceBus",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('ServiceBusLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "SignalRDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('SignalRLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "SQLDBsDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLDBs",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('SQLDBsLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('SQLElasticPoolsLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "SQLMDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('SQLMLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-StreamAnalytics",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('StreamAnalyticsLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('TimeSeriesInsightsLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "TrafficManagerDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('TrafficManagerLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "VirtualNetworkDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('VirtualNetworkLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "VirtualMachinesDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('VirtualMachinesLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "VMSSDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('VMSSLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "VNetGWDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('VNetGWLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AppServiceDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('AppServiceLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AppServiceWebappDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics')]"
          },
          "effect": {
            "value": "[parameters('AppServiceWebappLogAnalyticsEffect')]"
          },
          "profileName": {
            "value": "[parameters('profileName')]"
          }
        }
      }
    ]
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diag-LogAnalytics",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "Deploy-Diag-LogAnalytics"
}
Custom Monitoring False False Mg ESJH (ESJH) true 1 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy-Resource-Diag)
{
  "properties": {
    "displayName": "Deploy prerequisites to enable Guest Configuration policies on virtual machines",
    "policyType": "BuiltIn",
    "description": "This initiative adds a system-assigned managed identity and deploys the platform-appropriate Guest Configuration extension to virtual machines that are eligible to be monitored by Guest Configuration policies. This is a prerequisite for all Guest Configuration policies and must be assigned to the policy assignment scope before using any Guest Configuration policy. For more information on Guest Configuration, visit https://aka.ms/gcpol.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "1.0.0"
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "Prerequisite_AddSystemIdentityWhenNone",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e"
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_AddSystemIdentityWhenUser",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6"
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_DeployExtensionWindows",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6"
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_DeployExtensionLinux",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da"
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "12794019-7a00-42cf-95c2-882eed337cc8"
}
BuiltIn Guest Configuration False False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "Deploy SQL Database built-in SQL security configuration",
    "policyType": "Custom",
    "description": "Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment",
    "metadata": {
      "version": "1.0.0",
      "category": "SQL",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:40.5004744Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "vulnerabilityAssessmentsEmail": {
        "type": "String",
        "metadata": {
          "description": "The email address to send alerts",
          "displayName": "The email address to send alerts"
        }
      },
      "vulnerabilityAssessmentsStorageID": {
        "type": "String",
        "metadata": {
          "description": "The storage account ID to store assessments",
          "displayName": "The storage account ID to store assessments"
        }
      },
      "SqlDbTdeDeploySqlSecurityEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy SQL Database Transparent Data Encryption ",
          "description": "Deploy the Transparent Data Encryption when it is not enabled in the deployment"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy SQL Database security Alert Policies configuration with email admin accounts",
          "description": "Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "SqlDbAuditingSettingsDeploySqlSecurityEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy SQL database auditing settings",
          "description": "Deploy auditing settings to SQL Database when it not exist in the deployment"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deploy SQL Database vulnerability Assessments",
          "description": "Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific  storage account in the parameters"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "SqlDbTdeDeploySqlSecurity",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde",
        "parameters": {
          "effect": {
            "value": "[parameters('SqlDbTdeDeploySqlSecurityEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "SqlDbSecurityAlertPoliciesDeploySqlSecurity",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies",
        "parameters": {
          "effect": {
            "value": "[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "SqlDbAuditingSettingsDeploySqlSecurity",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings",
        "parameters": {
          "effect": {
            "value": "[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "SqlDbVulnerabilityAssessmentsDeploySqlSecurity",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments",
        "parameters": {
          "effect": {
            "value": "[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]"
          },
          "vulnerabilityAssessmentsEmail": {
            "value": "[parameters('vulnerabilityAssessmentsEmail')]"
          },
          "vulnerabilityAssessmentsStorageID": {
            "value": "[parameters('vulnerabilityAssessmentsStorageID')]"
          }
        }
      }
    ]
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "Deploy-Sql-Security"
}
Custom SQL False False Mg ESJH (ESJH) false 0 n/a
{
  "properties": {
    "displayName": "Enable Azure Cosmos DB throughput policy",
    "policyType": "BuiltIn",
    "description": "Enable throughput control for Azure Cosmos DB resources in the specified scope (Management group, Subscription or resource group). Takes max throughput as parameter. Use this policy to help enforce throughput control via the resource provider.",
    "metadata": {
      "version": "1.0.0",
      "category": "Cosmos DB"
    },
    "parameters": {
      "throughputMax": {
        "type": "Integer",
        "metadata": {
          "displayName": "Max RUs",
          "description": "The maximum throughput (RU/s) that can be assigned to a container via the Resource Provider during create or update."
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Policy Effect",
          "description": "The desired effect of the throughput limit policy. The key based metadata write access policy is always enforced."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "deny"
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "Cosmos_MaxThroughput_Deny",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b7ef78e-a035-4f23-b9bd-aff122a1b1cf",
        "parameters": {
          "throughputMax": {
            "value": "[parameters('throughputMax')]"
          },
          "effect": {
            "value": "[parameters('effect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "Cosmos_DisableMetadata_Append",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5"
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/cb5e1e90-7c33-491c-a15b-24885c915752",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "cb5e1e90-7c33-491c-a15b-24885c915752"
}
BuiltIn Cosmos DB False False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "Enable Azure Monitor for Virtual Machine Scale Sets",
    "policyType": "BuiltIn",
    "description": "Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances.",
    "metadata": {
      "version": "1.0.1",
      "category": "Monitoring"
    },
    "parameters": {
      "logAnalytics_1": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "listOfImageIdToInclude_windows": {
        "type": "Array",
        "metadata": {
          "displayName": "Optional: List of VM images that have supported Windows OS to add to scope",
          "description": "Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'"
        },
        "defaultValue": []
      },
      "listOfImageIdToInclude_linux": {
        "type": "Array",
        "metadata": {
          "displayName": "Optional: List of VM images that have supported Linux OS to add to scope",
          "description": "Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'"
        },
        "defaultValue": []
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "LogAnalyticsExtension_Windows_VMSS_Deploy",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3c1b3629-c8f8-4bf6-862c-037cb9094038",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics_1')]"
          },
          "listOfImageIdToInclude": {
            "value": "[parameters('listOfImageIdToInclude_windows')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "LogAnalyticsExtension_Linux_VMSS_Deploy",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics_1')]"
          },
          "listOfImageIdToInclude": {
            "value": "[parameters('listOfImageIdToInclude_linux')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "DependencyAgentExtension_Windows_VMSS_Deploy",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3be22e3b-d919-47aa-805e-8985dbeb0ad9",
        "parameters": {
          "listOfImageIdToInclude": {
            "value": "[parameters('listOfImageIdToInclude_windows')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "DependencyAgentExtension_Linux_VMSS_Deploy",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/765266ab-e40e-4c61-bcb2-5a5275d0b7c0",
        "parameters": {
          "listOfImageIdToInclude": {
            "value": "[parameters('listOfImageIdToInclude_linux')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "LogAnalytics_OSImage_VMSS_Audit",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138",
        "parameters": {
          "listOfImageIdToInclude_windows": {
            "value": "[parameters('listOfImageIdToInclude_windows')]"
          },
          "listOfImageIdToInclude_linux": {
            "value": "[parameters('listOfImageIdToInclude_linux')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "DependencyAgent_OSImage_VMSS_Audit",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e2dd799a-a932-4e9d-ac17-d473bc3c6c10",
        "parameters": {
          "listOfImageIdToInclude_windows": {
            "value": "[parameters('listOfImageIdToInclude_windows')]"
          },
          "listOfImageIdToInclude_linux": {
            "value": "[parameters('listOfImageIdToInclude_linux')]"
          }
        }
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "75714362-cae7-409e-9b99-a8e5075b7fad"
}
BuiltIn Monitoring False False n/a n/a true 1 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vmss-monitoring (Deploy-VMSS-Monitoring)
{
  "properties": {
    "displayName": "Enable Azure Monitor for VMs",
    "policyType": "BuiltIn",
    "description": "Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes Log Analytics workspace as parameter.",
    "metadata": {
      "version": "2.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "logAnalytics_1": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace"
        }
      },
      "listOfImageIdToInclude_windows": {
        "type": "Array",
        "metadata": {
          "displayName": "Optional: List of VM images that have supported Windows OS to add to scope",
          "description": "Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'"
        },
        "defaultValue": []
      },
      "listOfImageIdToInclude_linux": {
        "type": "Array",
        "metadata": {
          "displayName": "Optional: List of VM images that have supported Linux OS to add to scope",
          "description": "Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'"
        },
        "defaultValue": []
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "LogAnalyticsExtension_Windows_HybridVM_Deploy",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/69af7d4a-7b18-4044-93a9-2651498ef203",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics_1')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "LogAnalyticsExtension_Windows_VM_Deploy",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0868462e-646c-4fe3-9ced-a733534b6a2c",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics_1')]"
          },
          "listOfImageIdToInclude": {
            "value": "[parameters('listOfImageIdToInclude_windows')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "LogAnalyticsExtension_Linux_HybridVM_Deploy",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics_1')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "LogAnalyticsExtension_Linux_VM_Deploy",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/053d3325-282c-4e5c-b944-24faffd30d77",
        "parameters": {
          "logAnalytics": {
            "value": "[parameters('logAnalytics_1')]"
          },
          "listOfImageIdToInclude": {
            "value": "[parameters('listOfImageIdToInclude_linux')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "DependencyAgentExtension_Windows_HybridVM_Deploy",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/91cb9edd-cd92-4d2f-b2f2-bdd8d065a3d4"
      },
      {
        "policyDefinitionReferenceId": "DependencyAgentExtension_Windows_VM_Deploy",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c210e94-a481-4beb-95fa-1571b434fb04",
        "parameters": {
          "listOfImageIdToInclude": {
            "value": "[parameters('listOfImageIdToInclude_windows')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "DependencyAgentExtension_Linux_HybridVM_Deploy",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/deacecc0-9f84-44d2-bb82-46f32d766d43"
      },
      {
        "policyDefinitionReferenceId": "DependencyAgentExtension_Linux_VM_Deploy",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4da21710-ce6f-4e06-8cdb-5cc4c93ffbee",
        "parameters": {
          "listOfImageIdToInclude": {
            "value": "[parameters('listOfImageIdToInclude_linux')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "LogAnalytics_OSImage_Audit",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50",
        "parameters": {
          "listOfImageIdToInclude_windows": {
            "value": "[parameters('listOfImageIdToInclude_windows')]"
          },
          "listOfImageIdToInclude_linux": {
            "value": "[parameters('listOfImageIdToInclude_linux')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "DependencyAgent_OSImage_Audit",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/11ac78e3-31bc-4f0c-8434-37ab963cea07",
        "parameters": {
          "listOfImageIdToInclude_windows": {
            "value": "[parameters('listOfImageIdToInclude_windows')]"
          },
          "listOfImageIdToInclude_linux": {
            "value": "[parameters('listOfImageIdToInclude_linux')]"
          }
        }
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "55f3eceb-5573-4f18-9695-226972c6d74a"
}
BuiltIn Monitoring False False n/a n/a true 1 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vm-monitoring (Deploy-VM-Monitoring)
{
  "properties": {
    "displayName": "FedRAMP High",
    "policyType": "BuiltIn",
    "description": "This initiative includes policies that address a subset of FedRAMP High controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/fedramph-initiative.",
    "metadata": {
      "version": "5.0.0",
      "category": "Regulatory Compliance"
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc-connected servers when evaluating guest configuration policies",
          "description": "By selecting 'true,' you agree to be charged monthly per Arc connected machine; for more information, visit https://aka.ms/policy-pricing"
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40": {
        "type": "String",
        "metadata": {
          "displayName": "Status if Windows Defender is not available on machine",
          "description": "Windows Defender Exploit Guard is only available starting with Windows 10/Windows Server with update 1709. Setting this value to 'Non-Compliant' shows machines with older versions on which Windows Defender Exploit Guard is not available (such as Windows Server 2012 R2) as non-compliant. Setting this value to 'Compliant' shows these machines as compliant."
        },
        "allowedValues": [
          "Compliant",
          "Non-Compliant"
        ],
        "defaultValue": "Compliant"
      },
      "MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112": {
        "type": "String",
        "metadata": {
          "displayName": "Minimum TLS version for Windows web servers",
          "description": "Windows web servers with lower TLS versions will be assessed as non-compliant"
        },
        "allowedValues": [
          "1.1",
          "1.2"
        ],
        "defaultValue": "1.2"
      },
      "requiredRetentionDays": {
        "type": "String",
        "metadata": {
          "displayName": "Required retention period (days) for resource logs"
        },
        "defaultValue": "365"
      },
      "effect-febd0533-8e55-448f-b837-bd0e06f16469": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster containers should only use allowed images",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedNamespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Kubernetes namespaces excluded from evaluation of Kubernetes cluster policies in this initiative",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation"
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "namespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Kubernetes namespaces included for evaluation of Kubernetes cluster policies in this initiative",
          "description": "List of Kubernetes namespaces to (only) include for policy evaluation; an empty list will result in policies evaluated on all resources in all namespaces"
        },
        "defaultValue": []
      },
      "labelSelector": {
        "type": "Object",
        "metadata": {
          "displayName": "Kubernetes label selector for resources included for evaluation of Kubernetes cluster policies in this initiative",
          "description": "Label query to select Kubernetes resources to include for policy evaluation; an empty label selector will result in policies evaluated on all Kubernetes resources"
        },
        "defaultValue": {}
      },
      "allowedContainerImagesRegex-febd0533-8e55-448f-b837-bd0e06f16469": {
        "type": "String",
        "metadata": {
          "displayName": "Allowed container images for Kubernetes clusters",
          "description": "Regular expression used to match allowed container images in a Kubernetes cluster; Ex: allow any Azure Container Registry image by matching partial path: ^.+azurecr.io/.+$"
        },
        "defaultValue": "^(.+){0}$"
      },
      "effect-95edb821-ddaf-4404-9732-666045e056b4": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster should not allow privileged containers",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedContainers-95edb821-ddaf-4404-9732-666045e056b4": {
        "type": "Array",
        "metadata": {
          "displayName": "Kubernetes containers excluded from evaluation of policy: Kubernetes cluster should not allow privileged containers",
          "description": "The list of InitContainers and Containers to exclude from policy evaluation. The list should use the container name. Use an empty list to apply this policy to all containers in all namespaces."
        },
        "defaultValue": []
      },
      "effect-440b515e-a580-421e-abeb-b159a61ddcbc": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster containers should only listen on allowed ports",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "allowedContainerPortsList-440b515e-a580-421e-abeb-b159a61ddcbc": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed listener ports for Kubernetes cluster containers",
          "description": "List of container ports on which Kubernetes cluster containers are allowed to listen"
        },
        "defaultValue": []
      },
      "effect-233a2a17-77ca-4fb1-9b6b-69223d272a44": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster services should listen only on allowed ports",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "allowedServicePortsList-233a2a17-77ca-4fb1-9b6b-69223d272a44": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed listener ports for Kubernetes cluster services",
          "description": "The list of ports on which Kubernetes cluster services are allowed to listen"
        },
        "defaultValue": []
      },
      "effect-e345eecc-fa47-480f-9e88-67dcc122b164": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "cpuLimit-e345eecc-fa47-480f-9e88-67dcc122b164": {
        "type": "String",
        "metadata": {
          "displayName": "Maximum allowed CPU units for containers in Kubernetes clusters",
          "description": "Ex: 200m; for more information, visit https://aka.ms/k8s-policy-pod-limits"
        },
        "defaultValue": "0"
      },
      "memoryLimit-e345eecc-fa47-480f-9e88-67dcc122b164": {
        "type": "String",
        "metadata": {
          "displayName": "Maximum allowed memory (bytes) for a container in Kubernetes clusters",
          "description": "Ex: 1Gi; for more information, visit https://aka.ms/k8s-policy-pod-limits"
        },
        "defaultValue": "0"
      },
      "effect-f06ddb64-5fa3-4b77-b166-acb36f7f6042": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster pods and containers should only run with approved user and group IDs",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "runAsUserRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042": {
        "type": "String",
        "metadata": {
          "displayName": "Run as user rule for Kubernetes containers",
          "description": "The 'RunAsUser' rule that containers are allowed to run with; for more information, visit https://aka.ms/kubepolicydoc"
        },
        "allowedValues": [
          "MustRunAs",
          "MustRunAsNonRoot",
          "RunAsAny"
        ],
        "defaultValue": "MustRunAsNonRoot"
      },
      "runAsUserRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042": {
        "type": "Object",
        "metadata": {
          "displayName": "Allowed user ID ranges for Kubernetes containers",
          "description": "User ID ranges that are allowed for containers to use; for more information, visit https://aka.ms/kubepolicydoc"
        },
        "defaultValue": {
          "ranges": []
        }
      },
      "runAsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042": {
        "type": "String",
        "metadata": {
          "displayName": "Run as group rule for Kubernetes containers",
          "description": "The 'RunAsGroup' rule that containers are allowed to run with; for more information, visit https://aka.ms/kubepolicydoc"
        },
        "allowedValues": [
          "MustRunAs",
          "MayRunAs",
          "RunAsAny"
        ],
        "defaultValue": "RunAsAny"
      },
      "runAsGroupRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042": {
        "type": "Object",
        "metadata": {
          "displayName": "Allowed group ID ranges for Kubernetes containers",
          "description": "Group ID ranges that are allowed for containers to use; for more information, visit https://aka.ms/kubepolicydoc"
        },
        "defaultValue": {
          "ranges": []
        }
      },
      "supplementalGroupsRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042": {
        "type": "String",
        "metadata": {
          "displayName": "Supplemental group rule for Kubernetes containers",
          "description": "The 'SupplementalGroups' rule that containers are allowed to run with; for more information, visit https://aka.ms/kubepolicydoc"
        },
        "allowedValues": [
          "MustRunAs",
          "MayRunAs",
          "RunAsAny"
        ],
        "defaultValue": "RunAsAny"
      },
      "supplementalGroupsRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042": {
        "type": "Object",
        "metadata": {
          "displayName": "Allowed supplemental group ID ranges for Kubernetes containers",
          "description": "Supplemental group ID ranges that are allowed for containers to use; for more information, visit https://aka.ms/kubepolicydoc"
        },
        "defaultValue": {
          "ranges": []
        }
      },
      "fsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042": {
        "type": "String",
        "metadata": {
          "displayName": "File system group rule for Kubernetes containers",
          "description": "The 'FSGroup' rule that containers are allowed to run with; for more information, visit https://aka.ms/kubepolicydoc"
        },
        "allowedValues": [
          "MustRunAs",
          "MayRunAs",
          "RunAsAny"
        ],
        "defaultValue": "RunAsAny"
      },
      "fsGroupRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042": {
        "type": "Object",
        "metadata": {
          "displayName": "Allowed file system group ID ranges for Kubernetes cluster pods",
          "description": "File system group ranges that are allowed for pods to use; for more information, visit https://aka.ms/kubepolicydoc"
        },
        "defaultValue": {
          "ranges": []
        }
      },
      "effect-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes clusters should not allow container privilege escalation",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster containers should not share host process ID or host IPC namespace",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-df49d893-a74c-421d-bc95-c663042e5b80": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster containers should run with a read only root file system",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes clusters should be accessible only over HTTPS",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-c26596ff-4d70-4e6a-9a30-c2506bd2f80c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster containers should only use allowed capabilities",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "allowedCapabilities-c26596ff-4d70-4e6a-9a30-c2506bd2f80c": {
        "type": "Array",
        "metadata": {
          "displayName": "List of capabilities that are allowed to be added to a Kubernetes cluster container",
          "description": "Use an empty list as input to block everything"
        },
        "defaultValue": []
      },
      "requiredDropCapabilities-c26596ff-4d70-4e6a-9a30-c2506bd2f80c": {
        "type": "Array",
        "metadata": {
          "displayName": "The list of capabilities that must be dropped by a Kubernetes cluster container",
          "description": "For more information, visit https://aka.ms/kubepolicydoc"
        },
        "defaultValue": []
      },
      "effect-511f5417-5d12-434d-ab2e-816901e72a5e": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster containers should only use allowed AppArmor profiles",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "allowedProfiles-511f5417-5d12-434d-ab2e-816901e72a5e": {
        "type": "Array",
        "metadata": {
          "displayName": "The list of AppArmor profiles that containers are allowed to use",
          "description": "Ex: 'runtime/default;docker/default'; use an empty list as input to block everything; for more information, visit https://aka.ms/kubepolicydoc"
        },
        "defaultValue": []
      },
      "effect-82985f06-dc18-4a48-bc1c-b9f4f0098cfe": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster pods should only use approved host network and port range",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "allowHostNetwork-82985f06-dc18-4a48-bc1c-b9f4f0098cfe": {
        "type": "Boolean",
        "metadata": {
          "displayName": "Allow host network usage for Kubernetes cluster pods",
          "description": "Set this value to true if pod is allowed to use host network, otherwise set to false; for more information, visit https://aka.ms/kubepolicydoc"
        },
        "defaultValue": false
      },
      "minPort-82985f06-dc18-4a48-bc1c-b9f4f0098cfe": {
        "type": "Integer",
        "metadata": {
          "displayName": "Minimum value in the allowable host port range that Kubernetes cluster pods can use in the host network namespace",
          "description": "For more information, visit https://aka.ms/kubepolicydoc"
        },
        "defaultValue": 0
      },
      "maxPort-82985f06-dc18-4a48-bc1c-b9f4f0098cfe": {
        "type": "Integer",
        "metadata": {
          "displayName": "Maximum value in the allowable host port range that Kubernetes cluster pods can use in the host network namespace",
          "description": "For more information, visit https://aka.ms/kubepolicydoc"
        },
        "defaultValue": 0
      },
      "effect-098fc59e-46c7-4d99-9b16-64990e543d75": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster pod hostPath volumes should only use allowed host paths",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "allowedHostPaths-098fc59e-46c7-4d99-9b16-64990e543d75": {
        "type": "Object",
        "metadata": {
          "displayName": "Allowed host paths for pod hostPath volumes to use",
          "description": "Use an empty paths list to block all host paths; for more information, visit https://aka.ms/kubepolicydoc"
        },
        "defaultValue": {
          "paths": []
        }
      },
      "resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6": {
        "type": "String",
        "metadata": {
          "displayName": "Name of the resource group for Network Watcher",
          "description": "Name of the resource group where Network Watchers are located, Ex: NetworkWatcherRG"
        },
        "defaultValue": "NetworkWatcherRG"
      },
      "includeAKSClusters-7c1b1214-f927-48bf-8882-84f0af6588b1": {
        "type": "Boolean",
        "metadata": {
          "displayName": "Include AKS clusters when auditing if virtual machine scale set diagnostic logs are enabled",
          "description": "For more information, visit https://aka.ms/kubepolicydoc"
        },
        "defaultValue": false
      },
      "setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9": {
        "type": "String",
        "metadata": {
          "displayName": "Required auditing setting for SQL servers"
        },
        "allowedValues": [
          "enabled",
          "disabled"
        ],
        "defaultValue": "enabled"
      },
      "evaluatedSkuNames-ef619a2c-cc4d-4d03-b2ba-8c94a834d85b": {
        "type": "Array",
        "metadata": {
          "displayName": "API Management SKUs that should use a virtual network",
          "description": "List of API Management SKUs against which this policy will be evaluated"
        },
        "allowedValues": [
          "Developer",
          "Basic",
          "Standard",
          "Premium",
          "Consumption"
        ],
        "defaultValue": [
          "Developer",
          "Premium"
        ]
      },
      "effect-b54ed75b-3e1a-44ac-a333-05ba39b99ff0": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Service Fabric clusters should only use Azure Active Directory for client authentication",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-71ef260a-8f18-47b7-abcb-62d0673d94dc": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Cognitive Services accounts should have local authentication methods disabled",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Web Application Firewall (WAF) should be enabled for Azure Front Door Service service",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Web Application Firewall (WAF) should be enabled for Application Gateway",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Cosmos DB accounts should have firewall rules",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-d9da03a1-f3c3-412a-9709-947156872263": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure HDInsight clusters should use encryption in transit to encrypt communication between Azure HDInsight cluster nodes",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-617c02be-7f02-4efd-8836-3180d47b6c68": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Key vaults should have purge protection enabled",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Key vaults should have soft delete enabled",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "maximumValidityInMonths-0a075868-4c26-42ef-914c-5bc007359560": {
        "type": "Integer",
        "metadata": {
          "displayName": "Maximum validity (months) for Key Vault certificates",
          "description": "The limit for how long a Key Vault certificate may be valid; Azure best practices recommend against certificates with lengthy validity periods"
        },
        "defaultValue": 12
      },
      "effect-0a075868-4c26-42ef-914c-5bc007359560": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Certificates should have the specified maximum validity period",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-98728c90-32c7-4049-8429-847dc0f4fe37": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Key Vault secrets should have an expiration date",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Key Vault keys should have an expiration date",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Double encryption should be enabled on Azure Data Explorer",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-c349d81b-9985-44ae-a8da-ff98d108ede8": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Data Box jobs should enable double encryption for data at rest on the device",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "supportedSKUs-c349d81b-9985-44ae-a8da-ff98d108ede8": {
        "type": "Array",
        "metadata": {
          "displayName": "Azure Data Box SKUs that support software-based double encryption",
          "description": "The list of Azure Data Box SKUs that support software-based double encryption"
        },
        "allowedValues": [
          "DataBox",
          "DataBoxHeavy"
        ],
        "defaultValue": [
          "DataBox",
          "DataBoxHeavy"
        ]
      },
      "effect-3657f5a0-770e-44a3-b44e-9431ba1e9735": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Automation account variables should be encrypted",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-b4ac1030-89c5-4697-8e00-28b5ba6a8811": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Stack Edge devices should use double-encryption",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-ea0dfaed-95fb-448c-934e-d6e713ce393d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption)",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-3a58212a-c829-4f13-9872-6371df2fd0b4": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Infrastructure encryption should be enabled for Azure Database for MySQL servers",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-24fba194-95d6-48c0-aea7-f65bf859c598": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage accounts should have infrastructure encryption",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-f4b53539-8df9-40e4-86c6-6b607703bd4e": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Disk encryption should be enabled on Azure Data Explorer",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-41425d9f-d1a5-499a-9932-f8ed8453932c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-fc4d8e41-e223-45ea-9bf5-eada37891d87": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Virtual machines and virtual machine scale sets should have encryption at host enabled",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-86efb160-8de7-451d-bc08-5d475b0aadae": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "supportedSKUs-86efb160-8de7-451d-bc08-5d475b0aadae": {
        "type": "Array",
        "metadata": {
          "displayName": "Azure Data Box SKUs that support customer-managed key encryption key",
          "description": "The list of Azure Data Box SKUs that support customer-managed key encryption key"
        },
        "allowedValues": [
          "DataBox",
          "DataBoxHeavy"
        ],
        "defaultValue": [
          "DataBox",
          "DataBoxHeavy"
        ]
      },
      "effect-4ec52d6d-beb7-40c4-9a9e-fe753254690e": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure data factories should be encrypted with a customer-managed key",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-64d314f6-6062-4780-a861-c23e8951bee5": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure HDInsight clusters should use customer-managed keys to encrypt data at rest",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure HDInsight clusters should use encryption at host to encrypt data at rest",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-fa298e57-9444-42ba-bf04-86e8470e32c7": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Cognitive Services accounts should enable data encryption with a customer-managed key",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-1f905d99-2ab7-462c-a6b0-f709acca6c8f": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Container registries should be encrypted with a customer-managed key",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-ba769a63-b8cc-4b2d-abf6-ac33c7204be8": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Machine Learning workspaces should be encrypted with a customer-managed key",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-81e74cea-30fd-40d5-802f-d72103c2aaaa": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Data Explorer encryption at rest should use a customer-managed key",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-0aa61e00-0a01-4a3c-9945-e93cffedf0e6": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Container Instance container group should use customer-managed key for encryption",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled",
          "Deny"
        ],
        "defaultValue": "Audit"
      },
      "effect-47031206-ce96-41f8-861b-6a915f3de284": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: IoT Hub device provisioning service data should be encrypted using customer-managed keys (CMK)",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Stream Analytics jobs should use customer-managed keys to encrypt data",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-51522a96-0869-4791-82f3-981000c2c67f": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Bot Service should be encrypted with a customer-managed key",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-b5ec538c-daa0-4006-8596-35468b9148e8": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage account encryption scopes should use customer-managed keys to encrypt data at rest",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-970f84d8-71b6-4091-9979-ace7e3fb6dbb": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: HPC Cache accounts should use customer-managed key for encryption",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled",
          "Deny"
        ],
        "defaultValue": "Audit"
      },
      "effect-56a5ee18-2ae6-4810-86f7-18e39ce5629b": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Automation accounts should use customer-managed keys to encrypt data at rest",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-2e94d99a-8a36-4563-bc77-810d8893b671": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Recovery Services vaults should use customer-managed keys for encrypting backup data",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "enableDoubleEncryption-2e94d99a-8a36-4563-bc77-810d8893b671": {
        "type": "Boolean",
        "metadata": {
          "displayName": "Require that double encryption is enabled on Recovery Services vaults for Backup",
          "description": "Check if double encryption is enabled on Recovery Services vaults for Backup; for more information, visit https://aka.ms/ab-infraencryption"
        },
        "allowedValues": [
          true,
          false
        ],
        "defaultValue": true
      },
      "effect-1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Logic Apps Integration Service Environment should be encrypted with customer-managed keys",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-99e9ccd8-3db9-4592-b0d1-14b1715a4d8a": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Batch account should use customer-managed keys to encrypt data",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-1f68a601-6e6d-4e42-babf-3f643a047ea2": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Monitor Logs clusters should be encrypted with customer-managed key",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-f7d52b2d-e161-4dfa-a82b-55e564167385": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Synapse workspaces should use customer-managed keys to encrypt data at rest",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-ca91455f-eace-4f96-be59-e6e2c35b4816": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Managed disks should be double encrypted with both platform-managed and customer-managed keys",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-702dd420-7fcc-42c5-afe8-4026edd20fe0": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: OS and data disks should be encrypted with a customer-managed key",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-22bee202-a82f-4305-9a2a-6d7f44d4dedb": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Only secure connections to your Azure Cache for Redis should be enabled",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-404c3081-a854-4457-ae30-26a93ef643f9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Secure transfer to storage accounts should be enabled",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-d0793b48-0edc-4296-a390-4c75d1bdfd71": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Container registries should not allow unrestricted network access",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-7d092e0a-7acd-40d2-a975-dca21cae48c4": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Cache for Redis should reside within a virtual network",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage accounts should restrict network access using virtual network rules",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-34c877ad-507e-4c82-993e-3452a6e0ad3c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage accounts should restrict network access",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-55615ac9-af46-4a59-874e-391cc3dfb490": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Key Vault should disable public network access",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-1b8ca024-1d5c-4dec-8995-b1a932b41780": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Public network access on Azure SQL Database should be disabled",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-037eea7a-bd0a-46c5-9a66-03aea78705d3": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Cognitive Services accounts should restrict network access",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-53503636-bcc9-4748-9663-5348217f160f": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure SignalR Service should use private link",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-40cec1dd-a100-4920-b15b-3024fe8901ab": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Machine Learning workspaces should use private link",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-2154edb9-244f-4741-9970-660785bccdaa": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: VM Image Builder templates should use private link",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled",
          "Deny"
        ],
        "defaultValue": "Audit"
      },
      "effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Cognitive Services accounts should disable public network access",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-5f0bc445-3935-4915-9981-011aa2b46147": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Private endpoint should be configured for Key Vault",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-af35e2a4-ef96-44e7-a9ae-853dd97032c4": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Spring Cloud should use network injection",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled",
          "Deny"
        ],
        "defaultValue": "Audit"
      },
      "evaluatedSkuNames-af35e2a4-ef96-44e7-a9ae-853dd97032c4": {
        "type": "Array",
        "metadata": {
          "displayName": "Azure Spring Cloud SKUs that should use network injection",
          "description": "List of Azure Spring Cloud SKUs against which this policy will be evaluated"
        },
        "allowedValues": [
          "Standard"
        ],
        "defaultValue": [
          "Standard"
        ]
      },
      "effect-a049bf77-880b-470f-ba6d-9f21c530cf83": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Cognitive Search service should use a SKU that supports private link",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-52630df9-ca7e-442b-853b-c6ce548b31a2": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Web PubSub Service should use private link",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-4fa4b6c0-31ca-4c0d-b10d-24b96f62a751": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage account public access should be disallowed",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-ee980b6d-0eca-4501-8d54-f6290fd512c3": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Cognitive Search services should disable public network access",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-1d84d5fb-01f6-4d12-ba4f-4a26081d403d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Virtual machines should be migrated to new Azure Resource Manager resources",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-37e0d2fe-28a5-43d6-a273-67d37d1f5606": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage accounts should be migrated to new Azure Resource Manager resources",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "vulnerabilityAssessmentOnManagedInstanceMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Vulnerability assessment should be enabled on SQL Managed Instance",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "vulnerabilityAssessmentOnServerMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Vulnerability assessment should be enabled on your SQL servers",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "vulnerabilityAssessmentOnVirtualMachinesEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: A vulnerability assessment solution should be enabled on your virtual machines",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "geoRedundancyEnabledForStorageAccountsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Geo-redundant storage should be enabled for Storage Accounts",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "geoRedundancyEnabledForAzureDatabaseForMariaDBEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Geo-redundant backup should be enabled for Azure Database for MariaDB",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "geoRedundancyEnabledForAzureDatabaseForMySQLEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Geo-redundant backup should be enabled for Azure Database for MySQL",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Geo-redundant backup should be enabled for Azure Database for PostgreSQL",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "adaptiveNetworkHardeningsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Adaptive network hardening recommendations should be applied on internet facing virtual machines",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "webAppEnforceHttpsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Web Application should only be accessible over HTTPS",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "functionAppEnforceHttpsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Function App should only be accessible over HTTPS",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "identityRemoveExternalAccountWithWritePermissionsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: External accounts with write permissions should be removed from your subscription",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityRemoveExternalAccountWithReadPermissionsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: External accounts with read permissions should be removed from your subscription",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: External accounts with owner permissions should be removed from your subscription",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Deprecated accounts with owner permissions should be removed from your subscription",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityRemoveDeprecatedAccountMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Deprecated accounts should be removed from your subscription",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "webAppRestrictCORSAccessMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: CORS should not allow every resource to access your Web Applications",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "vmssSystemUpdatesMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: System updates on virtual machine scale sets should be installed",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityEnableMFAForReadPermissionsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: MFA should be enabled on accounts with read permissions on your subscription",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityEnableMFAForOwnerPermissionsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: MFA should be enabled on accounts with owner permissions on your subscription",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityEnableMFAForWritePermissionsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: MFA should be enabled accounts with write permissions on your subscription",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Long-term geo-redundant backup should be enabled for Azure SQL Databases",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "logAnalyticsWorkspaceIdForVMs": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Log Analytics Workspace Id that VMs should be configured for",
          "description": "This is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured for.",
          "deprecated": true
        },
        "defaultValue": ""
      },
      "listOfResourceTypes": {
        "type": "Array",
        "metadata": {
          "displayName": "[Deprecated]: List of resource types that should have resource logs enabled",
          "deprecated": true
        },
        "allowedValues": [
          "Microsoft.AnalysisServices/servers",
          "Microsoft.ApiManagement/service",
          "Microsoft.Network/applicationGateways",
          "Microsoft.Automation/automationAccounts",
          "Microsoft.ContainerInstance/containerGroups",
          "Microsoft.ContainerRegistry/registries",
          "Microsoft.ContainerService/managedClusters",
          "Microsoft.Batch/batchAccounts",
          "Microsoft.Cdn/profiles/endpoints",
          "Microsoft.CognitiveServices/accounts",
          "Microsoft.DocumentDB/databaseAccounts",
          "Microsoft.DataFactory/factories",
          "Microsoft.DataLakeAnalytics/accounts",
          "Microsoft.DataLakeStore/accounts",
          "Microsoft.EventGrid/eventSubscriptions",
          "Microsoft.EventGrid/topics",
          "Microsoft.EventHub/namespaces",
          "Microsoft.Network/expressRouteCircuits",
          "Microsoft.Network/azureFirewalls",
          "Microsoft.HDInsight/clusters",
          "Microsoft.Devices/IotHubs",
          "Microsoft.KeyVault/vaults",
          "Microsoft.Network/loadBalancers",
          "Microsoft.Logic/integrationAccounts",
          "Microsoft.Logic/workflows",
          "Microsoft.DBforMySQL/servers",
          "Microsoft.Network/networkInterfaces",
          "Microsoft.Network/networkSecurityGroups",
          "Microsoft.DBforPostgreSQL/servers",
          "Microsoft.PowerBIDedicated/capacities",
          "Microsoft.Network/publicIPAddresses",
          "Microsoft.RecoveryServices/vaults",
          "Microsoft.Cache/redis",
          "Microsoft.Relay/namespaces",
          "Microsoft.Search/searchServices",
          "Microsoft.ServiceBus/namespaces",
          "Microsoft.SignalRService/SignalR",
          "Microsoft.Sql/servers/databases",
          "Microsoft.Sql/servers/elasticPools",
          "Microsoft.StreamAnalytics/streamingjobs",
          "Microsoft.TimeSeriesInsights/environments",
          "Microsoft.Network/trafficManagerProfiles",
          "Microsoft.Compute/virtualMachines",
          "Microsoft.Compute/virtualMachineScaleSets",
          "Microsoft.Network/virtualNetworks",
          "Microsoft.Network/virtualNetworkGateways"
        ],
        "defaultValue": []
      },
      "membersToExcludeInAdministratorsLocalGroup": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Members that should be excluded in the Administrators local group",
          "description": "A semicolon-separated list of members that should be excluded in the Administrators local group. Ex: Administrator; myUser1; myUser2",
          "deprecated": true
        },
        "defaultValue": ""
      },
      "membersToIncludeInAdministratorsLocalGroup": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Members to be included in the Administrators local group",
          "description": "A semicolon-separated list of members that should be included in the Administrators local group. Ex: Administrator; myUser1; myUser2",
          "deprecated": true
        },
        "defaultValue": ""
      },
      "listOfAllowedLocationsForResourcesAndResourceGroups": {
        "type": "Array",
        "metadata": {
          "displayName": "[Deprecated]: Allowed locations for resources and resource groups",
          "description": "This policy enables you to restrict the locations your organization can create resource groups in or deploy resources. Use to enforce your geo-compliance requirements. Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the 'global' region.",
          "strongType": "location",
          "deprecated": true
        },
        "defaultValue": []
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "72650e9f-97bc-4b2a-ab5f-9781a9fcecbc",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "fc9b3da7-8347-4380-8e70-0a0361d8dedd",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "bed48b13-6647-468e-aa2f-1af1d3f4dd40",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "NotAvailableMachineState": {
            "value": "[parameters('NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-3",
          "NIST_SP_800-53_R4_SI-3",
          "NIST_SP_800-53_R4_SI-3(1)",
          "NIST_SP_800-53_R4_SI-16"
        ]
      },
      {
        "policyDefinitionReferenceId": "previewAuditLinuxVmPasswdFilePermissions",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e6955644-301c-44b5-a4c4-528577de6861",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5",
          "NIST_SP_800-53_R4_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "previewAuditWindowsVmShouldNotAllowPrevious24Passwords",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b054a0d-39e2-4d53-bea3-9734cad2c69b",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "previewAuditWindowsVmShouldNotStorePasswordsUsingReversibleEncryption",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/da0f98fe-a24b-4ad5-af69-bd0400233661",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5",
          "NIST_SP_800-53_R4_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "previewAuditWindowsVmMaximumPasswordAge70Days",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ceb8dc2-559c-478b-a15b-733fbf1e3738",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditWindowsWebServersThatAreNotUsingSecureCommunicationProtocols",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "MinimumTLSVersion": {
            "value": "[parameters('MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "630c64f9-8b6b-4c64-b511-6544ceff6fd6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-3",
          "NIST_SP_800-53_R4_IA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "previewAuditWindowsVmMinimumPasswordAge1Day",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/237b38db-ca4d-4259-9e47-7882441ca2c0",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ea53dbee-c6c9-4f0e-9f9e-de0039b78023",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "previewAuditWindowsVmEnforcesPasswordComplexityRequirements",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bf16e0bb-31e1-4646-8202-60a235cc7e74",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "previewAuditWindowsVmPasswordsMustBeAtLeast14Characters",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a2d0e922-65d0-40c4-8f87-ea6da2d307a2",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "previewAuditLinuxVmAccountsWithNoPasswords",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f6ec09a3-78bf-4f8f-99dc-6c77182d0f99",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "383856f8-de7f-44a2-81fc-e5135b5c2aa4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "f9be5368-9bf5-4b84-9e0a-7850da98bb46",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "f8d36e2f-389b-4ee4-898d-21aeb69a0f45",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "b4330a05-a843-4bc8-bf9a-cacce50c67f4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "34f95f76-5386-4de7-b824-0d8478470c9d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "cf820ca0-f99e-4f3e-84fb-66e913812d21",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "83a214f7-d01a-484b-91a9-ed54470c9a6a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "057ef27e-665e-4328-8ea3-04b3122bd9fb",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "c95c74d9-38fe-4f0d-af86-0c7d626a315c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "428256e6-1fac-4f48-a757-df34c2b3336d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "febd0533-8e55-448f-b837-bd0e06f16469",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/febd0533-8e55-448f-b837-bd0e06f16469",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-febd0533-8e55-448f-b837-bd0e06f16469')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          },
          "allowedContainerImagesRegex": {
            "value": "[parameters('allowedContainerImagesRegex-febd0533-8e55-448f-b837-bd0e06f16469')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "95edb821-ddaf-4404-9732-666045e056b4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-95edb821-ddaf-4404-9732-666045e056b4')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          },
          "excludedContainers": {
            "value": "[parameters('excludedContainers-95edb821-ddaf-4404-9732-666045e056b4')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "440b515e-a580-421e-abeb-b159a61ddcbc",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/440b515e-a580-421e-abeb-b159a61ddcbc",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-440b515e-a580-421e-abeb-b159a61ddcbc')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          },
          "allowedContainerPortsList": {
            "value": "[parameters('allowedContainerPortsList-440b515e-a580-421e-abeb-b159a61ddcbc')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "233a2a17-77ca-4fb1-9b6b-69223d272a44",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/233a2a17-77ca-4fb1-9b6b-69223d272a44",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-233a2a17-77ca-4fb1-9b6b-69223d272a44')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          },
          "allowedServicePortsList": {
            "value": "[parameters('allowedServicePortsList-233a2a17-77ca-4fb1-9b6b-69223d272a44')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "e345eecc-fa47-480f-9e88-67dcc122b164",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e345eecc-fa47-480f-9e88-67dcc122b164",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-e345eecc-fa47-480f-9e88-67dcc122b164')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          },
          "cpuLimit": {
            "value": "[parameters('cpuLimit-e345eecc-fa47-480f-9e88-67dcc122b164')]"
          },
          "memoryLimit": {
            "value": "[parameters('memoryLimit-e345eecc-fa47-480f-9e88-67dcc122b164')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "f06ddb64-5fa3-4b77-b166-acb36f7f6042",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f06ddb64-5fa3-4b77-b166-acb36f7f6042",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          },
          "runAsUserRule": {
            "value": "[parameters('runAsUserRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]"
          },
          "runAsUserRanges": {
            "value": "[parameters('runAsUserRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]"
          },
          "runAsGroupRule": {
            "value": "[parameters('runAsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]"
          },
          "runAsGroupRanges": {
            "value": "[parameters('runAsGroupRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]"
          },
          "supplementalGroupsRule": {
            "value": "[parameters('supplementalGroupsRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]"
          },
          "supplementalGroupsRanges": {
            "value": "[parameters('supplementalGroupsRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]"
          },
          "fsGroupRule": {
            "value": "[parameters('fsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]"
          },
          "fsGroupRanges": {
            "value": "[parameters('fsGroupRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "1c6e92c9-99f0-4e55-9cf2-0c234dc48f99",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "df49d893-a74c-421d-bc95-c663042e5b80",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/df49d893-a74c-421d-bc95-c663042e5b80",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-df49d893-a74c-421d-bc95-c663042e5b80')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "c26596ff-4d70-4e6a-9a30-c2506bd2f80c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-c26596ff-4d70-4e6a-9a30-c2506bd2f80c')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          },
          "allowedCapabilities": {
            "value": "[parameters('allowedCapabilities-c26596ff-4d70-4e6a-9a30-c2506bd2f80c')]"
          },
          "requiredDropCapabilities": {
            "value": "[parameters('requiredDropCapabilities-c26596ff-4d70-4e6a-9a30-c2506bd2f80c')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "511f5417-5d12-434d-ab2e-816901e72a5e",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/511f5417-5d12-434d-ab2e-816901e72a5e",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-511f5417-5d12-434d-ab2e-816901e72a5e')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          },
          "allowedProfiles": {
            "value": "[parameters('allowedProfiles-511f5417-5d12-434d-ab2e-816901e72a5e')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "82985f06-dc18-4a48-bc1c-b9f4f0098cfe",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82985f06-dc18-4a48-bc1c-b9f4f0098cfe",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-82985f06-dc18-4a48-bc1c-b9f4f0098cfe')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          },
          "allowHostNetwork": {
            "value": "[parameters('allowHostNetwork-82985f06-dc18-4a48-bc1c-b9f4f0098cfe')]"
          },
          "minPort": {
            "value": "[parameters('minPort-82985f06-dc18-4a48-bc1c-b9f4f0098cfe')]"
          },
          "maxPort": {
            "value": "[parameters('maxPort-82985f06-dc18-4a48-bc1c-b9f4f0098cfe')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "098fc59e-46c7-4d99-9b16-64990e543d75",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/098fc59e-46c7-4d99-9b16-64990e543d75",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-098fc59e-46c7-4d99-9b16-64990e543d75')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          },
          "allowedHostPaths": {
            "value": "[parameters('allowedHostPaths-098fc59e-46c7-4d99-9b16-64990e543d75')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "b6e2945c-0b7b-40f5-9233-7a5323b5cdc6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6",
        "parameters": {
          "resourceGroupName": {
            "value": "[parameters('resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "7c1b1214-f927-48bf-8882-84f0af6588b1",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1",
        "parameters": {
          "includeAKSClusters": {
            "value": "[parameters('includeAKSClusters-7c1b1214-f927-48bf-8882-84f0af6588b1')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "auditSqlServerLevelAuditingSettings",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9",
        "parameters": {
          "setting": {
            "value": "[parameters('setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ef619a2c-cc4d-4d03-b2ba-8c94a834d85b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b",
        "parameters": {
          "evaluatedSkuNames": {
            "value": "[parameters('evaluatedSkuNames-ef619a2c-cc4d-4d03-b2ba-8c94a834d85b')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "serviceFabricClustersShouldOnlyUseAzureActiveDirectoryForClientAuthentication",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-b54ed75b-3e1a-44ac-a333-05ba39b99ff0')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2",
          "NIST_SP_800-53_R4_AC-2(1)",
          "NIST_SP_800-53_R4_AC-2(7)",
          "NIST_SP_800-53_R4_AC-3",
          "NIST_SP_800-53_R4_IA-2",
          "NIST_SP_800-53_R4_IA-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "71ef260a-8f18-47b7-abcb-62d0673d94dc",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-71ef260a-8f18-47b7-abcb-62d0673d94dc')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2",
          "NIST_SP_800-53_R4_AC-2(1)",
          "NIST_SP_800-53_R4_AC-2(7)",
          "NIST_SP_800-53_R4_AC-3",
          "NIST_SP_800-53_R4_IA-2",
          "NIST_SP_800-53_R4_IA-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "055aa869-bc98-4af8-bafc-23f1ab6ffe2c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-5",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "564feb30-bf6a-4854-b4bb-0d2d2d1e6c66",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-5",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "d9da03a1-f3c3-412a-9709-947156872263",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d9da03a1-f3c3-412a-9709-947156872263",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-d9da03a1-f3c3-412a-9709-947156872263')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "617c02be-7f02-4efd-8836-3180d47b6c68",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-617c02be-7f02-4efd-8836-3180d47b6c68')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "0b60c0b2-2dc2-4e1c-b5c9-abbed971de53",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CP-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CP-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "0a075868-4c26-42ef-914c-5bc007359560",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560",
        "parameters": {
          "maximumValidityInMonths": {
            "value": "[parameters('maximumValidityInMonths-0a075868-4c26-42ef-914c-5bc007359560')]"
          },
          "effect": {
            "value": "[parameters('effect-0a075868-4c26-42ef-914c-5bc007359560')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "98728c90-32c7-4049-8429-847dc0f4fe37",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-98728c90-32c7-4049-8429-847dc0f4fe37')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ec068d99-e9c7-401f-8cef-5bdde4e6ccf1",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ec068d99-e9c7-401f-8cef-5bdde4e6ccf1",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "c349d81b-9985-44ae-a8da-ff98d108ede8",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c349d81b-9985-44ae-a8da-ff98d108ede8",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-c349d81b-9985-44ae-a8da-ff98d108ede8')]"
          },
          "supportedSKUs": {
            "value": "[parameters('supportedSKUs-c349d81b-9985-44ae-a8da-ff98d108ede8')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "3657f5a0-770e-44a3-b44e-9431ba1e9735",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-3657f5a0-770e-44a3-b44e-9431ba1e9735')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "b4ac1030-89c5-4697-8e00-28b5ba6a8811",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4ac1030-89c5-4697-8e00-28b5ba6a8811",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-b4ac1030-89c5-4697-8e00-28b5ba6a8811')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ea0dfaed-95fb-448c-934e-d6e713ce393d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ea0dfaed-95fb-448c-934e-d6e713ce393d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-ea0dfaed-95fb-448c-934e-d6e713ce393d')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "3a58212a-c829-4f13-9872-6371df2fd0b4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-3a58212a-c829-4f13-9872-6371df2fd0b4')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "24fba194-95d6-48c0-aea7-f65bf859c598",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/24fba194-95d6-48c0-aea7-f65bf859c598",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-24fba194-95d6-48c0-aea7-f65bf859c598')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "4733ea7b-a883-42fe-8cac-97454c2a9e4a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "f4b53539-8df9-40e4-86c6-6b607703bd4e",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f4b53539-8df9-40e4-86c6-6b607703bd4e",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-f4b53539-8df9-40e4-86c6-6b607703bd4e')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "41425d9f-d1a5-499a-9932-f8ed8453932c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/41425d9f-d1a5-499a-9932-f8ed8453932c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-41425d9f-d1a5-499a-9932-f8ed8453932c')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "fc4d8e41-e223-45ea-9bf5-eada37891d87",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc4d8e41-e223-45ea-9bf5-eada37891d87",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-fc4d8e41-e223-45ea-9bf5-eada37891d87')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "86efb160-8de7-451d-bc08-5d475b0aadae",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-86efb160-8de7-451d-bc08-5d475b0aadae')]"
          },
          "supportedSKUs": {
            "value": "[parameters('supportedSKUs-86efb160-8de7-451d-bc08-5d475b0aadae')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "4ec52d6d-beb7-40c4-9a9e-fe753254690e",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ec52d6d-beb7-40c4-9a9e-fe753254690e",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-4ec52d6d-beb7-40c4-9a9e-fe753254690e')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "64d314f6-6062-4780-a861-c23e8951bee5",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/64d314f6-6062-4780-a861-c23e8951bee5",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-64d314f6-6062-4780-a861-c23e8951bee5')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "fa298e57-9444-42ba-bf04-86e8470e32c7",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fa298e57-9444-42ba-bf04-86e8470e32c7",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-fa298e57-9444-42ba-bf04-86e8470e32c7')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "67121cc7-ff39-4ab8-b7e3-95b84dab487d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "1f905d99-2ab7-462c-a6b0-f709acca6c8f",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1f905d99-2ab7-462c-a6b0-f709acca6c8f')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "ba769a63-b8cc-4b2d-abf6-ac33c7204be8",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-ba769a63-b8cc-4b2d-abf6-ac33c7204be8')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "81e74cea-30fd-40d5-802f-d72103c2aaaa",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/81e74cea-30fd-40d5-802f-d72103c2aaaa",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-81e74cea-30fd-40d5-802f-d72103c2aaaa')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "0aa61e00-0a01-4a3c-9945-e93cffedf0e6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0aa61e00-0a01-4a3c-9945-e93cffedf0e6",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0aa61e00-0a01-4a3c-9945-e93cffedf0e6')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "47031206-ce96-41f8-861b-6a915f3de284",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47031206-ce96-41f8-861b-6a915f3de284",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-47031206-ce96-41f8-861b-6a915f3de284')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "87ba29ef-1ab3-4d82-b763-87fcd4f531f7",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "51522a96-0869-4791-82f3-981000c2c67f",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/51522a96-0869-4791-82f3-981000c2c67f",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-51522a96-0869-4791-82f3-981000c2c67f')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "b5ec538c-daa0-4006-8596-35468b9148e8",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b5ec538c-daa0-4006-8596-35468b9148e8",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-b5ec538c-daa0-4006-8596-35468b9148e8')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "970f84d8-71b6-4091-9979-ace7e3fb6dbb",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/970f84d8-71b6-4091-9979-ace7e3fb6dbb",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-970f84d8-71b6-4091-9979-ace7e3fb6dbb')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "56a5ee18-2ae6-4810-86f7-18e39ce5629b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/56a5ee18-2ae6-4810-86f7-18e39ce5629b",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-56a5ee18-2ae6-4810-86f7-18e39ce5629b')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "2e94d99a-8a36-4563-bc77-810d8893b671",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2e94d99a-8a36-4563-bc77-810d8893b671",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-2e94d99a-8a36-4563-bc77-810d8893b671')]"
          },
          "enableDoubleEncryption": {
            "value": "[parameters('enableDoubleEncryption-2e94d99a-8a36-4563-bc77-810d8893b671')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "99e9ccd8-3db9-4592-b0d1-14b1715a4d8a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-99e9ccd8-3db9-4592-b0d1-14b1715a4d8a')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "1f68a601-6e6d-4e42-babf-3f643a047ea2",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f68a601-6e6d-4e42-babf-3f643a047ea2",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1f68a601-6e6d-4e42-babf-3f643a047ea2')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "f7d52b2d-e161-4dfa-a82b-55e564167385",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-f7d52b2d-e161-4dfa-a82b-55e564167385')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "7d7be79c-23ba-4033-84dd-45e2a5ccdd67",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "ca91455f-eace-4f96-be59-e6e2c35b4816",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ca91455f-eace-4f96-be59-e6e2c35b4816",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-ca91455f-eace-4f96-be59-e6e2c35b4816')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "702dd420-7fcc-42c5-afe8-4026edd20fe0",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-702dd420-7fcc-42c5-afe8-4026edd20fe0')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "OnlySecureConnectionsToYourRedisCacheShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-22bee202-a82f-4305-9a2a-6d7f44d4dedb')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "auditSecureTransferToStorageAccounts",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-404c3081-a854-4457-ae30-26a93ef643f9')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "d0793b48-0edc-4296-a390-4c75d1bdfd71",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-d0793b48-0edc-4296-a390-4c75d1bdfd71')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "7d092e0a-7acd-40d2-a975-dca21cae48c4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7d092e0a-7acd-40d2-a975-dca21cae48c4",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-7d092e0a-7acd-40d2-a975-dca21cae48c4')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "2a1a9cdf-e04d-429a-8416-3bfb72a1b26f",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "auditUnrestrictedNetworkAccessToStorageAccounts",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-34c877ad-507e-4c82-993e-3452a6e0ad3c')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "55615ac9-af46-4a59-874e-391cc3dfb490",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-55615ac9-af46-4a59-874e-391cc3dfb490')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "1b8ca024-1d5c-4dec-8995-b1a932b41780",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1b8ca024-1d5c-4dec-8995-b1a932b41780')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "037eea7a-bd0a-46c5-9a66-03aea78705d3",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-037eea7a-bd0a-46c5-9a66-03aea78705d3')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "53503636-bcc9-4748-9663-5348217f160f",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/53503636-bcc9-4748-9663-5348217f160f",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-53503636-bcc9-4748-9663-5348217f160f')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "40cec1dd-a100-4920-b15b-3024fe8901ab",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/40cec1dd-a100-4920-b15b-3024fe8901ab",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-40cec1dd-a100-4920-b15b-3024fe8901ab')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "2154edb9-244f-4741-9970-660785bccdaa",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2154edb9-244f-4741-9970-660785bccdaa",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-2154edb9-244f-4741-9970-660785bccdaa')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "0725b4dd-7e76-479c-a735-68e7ee23d5ca",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "5f0bc445-3935-4915-9981-011aa2b46147",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f0bc445-3935-4915-9981-011aa2b46147",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-5f0bc445-3935-4915-9981-011aa2b46147')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "af35e2a4-ef96-44e7-a9ae-853dd97032c4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af35e2a4-ef96-44e7-a9ae-853dd97032c4",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-af35e2a4-ef96-44e7-a9ae-853dd97032c4')]"
          },
          "evaluatedSkuNames": {
            "value": "[parameters('evaluatedSkuNames-af35e2a4-ef96-44e7-a9ae-853dd97032c4')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "a049bf77-880b-470f-ba6d-9f21c530cf83",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-a049bf77-880b-470f-ba6d-9f21c530cf83')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "52630df9-ca7e-442b-853b-c6ce548b31a2",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/52630df9-ca7e-442b-853b-c6ce548b31a2",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-52630df9-ca7e-442b-853b-c6ce548b31a2')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "4fa4b6c0-31ca-4c0d-b10d-24b96f62a751",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-4fa4b6c0-31ca-4c0d-b10d-24b96f62a751')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ee980b6d-0eca-4501-8d54-f6290fd512c3",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ee980b6d-0eca-4501-8d54-f6290fd512c3",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-ee980b6d-0eca-4501-8d54-f6290fd512c3')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "1d84d5fb-01f6-4d12-ba4f-4a26081d403d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1d84d5fb-01f6-4d12-ba4f-4a26081d403d')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "37e0d2fe-28a5-43d6-a273-67d37d1f5606",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-37e0d2fe-28a5-43d6-a273-67d37d1f5606')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "b52376f7-9612-48a1-81cd-1ffe4b61032c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "identityRemoveDeprecatedAccountMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474",
        "parameters": {
          "effect": {
            "value": "[parameters('identityRemoveDeprecatedAccountMonitoringEffect')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "anAzureActiveDirectoryAdministratorShouldBeProvisionedForSqlServers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2",
          "NIST_SP_800-53_R4_AC-2(1)",
          "NIST_SP_800-53_R4_AC-2(7)",
          "NIST_SP_800-53_R4_AC-3",
          "NIST_SP_800-53_R4_IA-2",
          "NIST_SP_800-53_R4_IA-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "webAppRestrictCORSAccessMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9",
        "parameters": {
          "effect": {
            "value": "[parameters('webAppRestrictCORSAccessMonitoringEffect')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "adaptiveNetworkHardeningsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6",
        "parameters": {
          "effect": {
            "value": "[parameters('adaptiveNetworkHardeningsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "thereShouldBeMoreThanOneOwnerAssignedToYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "aMaximumOf3OwnersShouldBeDesignatedForYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2",
          "NIST_SP_800-53_R4_AC-6",
          "NIST_SP_800-53_R4_AC-6(7)"
        ]
      },
      {
        "policyDefinitionReferenceId": "advancedDataSecurityShouldBeEnabledOnYourManagedInstances",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(12)",
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_IR-4",
          "NIST_SP_800-53_R4_IR-5",
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "remoteDebuggingShouldBeTurnedOffForFunctionApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "advancedDataSecurityShouldBeEnabledOnYourSqlServers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_IR-4",
          "NIST_SP_800-53_R4_IR-5",
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "89099bee-89e0-4b26-a5f4-165451757743",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-11"
        ]
      },
      {
        "policyDefinitionReferenceId": "4da35fc9-c9e7-4960-aec9-797fe7d9051d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(12)",
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_CM-7",
          "NIST_SP_800-53_R4_IR-4",
          "NIST_SP_800-53_R4_IR-5",
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SC-3",
          "NIST_SP_800-53_R4_SI-2",
          "NIST_SP_800-53_R4_SI-3",
          "NIST_SP_800-53_R4_SI-3(1)",
          "NIST_SP_800-53_R4_SI-4",
          "NIST_SP_800-53_R4_SI-16"
        ]
      },
      {
        "policyDefinitionReferenceId": "adaptiveApplicationControlsShouldBeEnabledOnVirtualMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-7",
          "NIST_SP_800-53_R4_CM-7(2)",
          "NIST_SP_800-53_R4_CM-7(5)",
          "NIST_SP_800-53_R4_CM-10",
          "NIST_SP_800-53_R4_CM-11"
        ]
      },
      {
        "policyDefinitionReferenceId": "geoRedundantBackupShouldBeEnabledForAzureDatabaseForMariaDB",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0",
        "parameters": {
          "effect": {
            "value": "[parameters('geoRedundancyEnabledForAzureDatabaseForMariaDBEffect')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CP-6",
          "NIST_SP_800-53_R4_CP-6(1)",
          "NIST_SP_800-53_R4_CP-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "auditVirtualMachinesWithoutDisasterRecoveryConfigured",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "013e242c-8828-4970-87b3-ab247555486d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "identityEnableMFAForOwnerPermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed",
        "parameters": {
          "effect": {
            "value": "[parameters('identityEnableMFAForOwnerPermissionsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-3",
          "NIST_SP_800-53_R4_IA-2",
          "NIST_SP_800-53_R4_IA-2(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "identityEnableMFAForReadPermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64",
        "parameters": {
          "effect": {
            "value": "[parameters('identityEnableMFAForReadPermissionsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-3",
          "NIST_SP_800-53_R4_IA-2",
          "NIST_SP_800-53_R4_IA-2(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "6646a0bd-e110-40ca-bb97-84fcee63c414",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6646a0bd-e110-40ca-bb97-84fcee63c414",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(7)",
          "NIST_SP_800-53_R4_IA-2",
          "NIST_SP_800-53_R4_IA-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_AddSystemIdentityWhenNone",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-3",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_IA-5",
          "NIST_SP_800-53_R4_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-4",
          "NIST_SP_800-53_R4_IR-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "vulnerabilitiesInSecurityConfigurationOnYourVirtualMachineScaleSetsShouldBeRemediated",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "dDoSProtectionStandardShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "functionAppEnforceHttpsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab",
        "parameters": {
          "effect": {
            "value": "[parameters('functionAppEnforceHttpsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "0d134df8-db83-46fb-ad72-fe0c9428c8dd",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "diskEncryptionShouldBeAppliedOnVirtualMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "vmssSystemUpdatesMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
        "parameters": {
          "effect": {
            "value": "[parameters('vmssSystemUpdatesMonitoringEffect')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "endpointProtectionSolutionShouldBeInstalledOnVirtualMachineScaleSets",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-3",
          "NIST_SP_800-53_R4_SI-3",
          "NIST_SP_800-53_R4_SI-3(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad",
        "parameters": {
          "effect": {
            "value": "[parameters('identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "justInTimeNetworkAccessControlShouldBeAppliedOnVirtualMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(12)",
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "auditUsageOfCustomRBACRules",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2",
          "NIST_SP_800-53_R4_AC-2(7)",
          "NIST_SP_800-53_R4_AC-6",
          "NIST_SP_800-53_R4_AC-6(7)"
        ]
      },
      {
        "policyDefinitionReferenceId": "remoteDebuggingShouldBeTurnedOffForWebApplication",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "123a3936-f020-408a-ba0c-47873faf1534",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/123a3936-f020-408a-ba0c-47873faf1534",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-7",
          "NIST_SP_800-53_R4_CM-7(2)",
          "NIST_SP_800-53_R4_CM-7(5)",
          "NIST_SP_800-53_R4_CM-10",
          "NIST_SP_800-53_R4_CM-11"
        ]
      },
      {
        "policyDefinitionReferenceId": "geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgreSQL",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430",
        "parameters": {
          "effect": {
            "value": "[parameters('geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CP-6",
          "NIST_SP_800-53_R4_CP-6(1)",
          "NIST_SP_800-53_R4_CP-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "identityEnableMFAForWritePermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3",
        "parameters": {
          "effect": {
            "value": "[parameters('identityEnableMFAForWritePermissionsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-3",
          "NIST_SP_800-53_R4_IA-2",
          "NIST_SP_800-53_R4_IA-2(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "0da106f2-4ca3-48e8-bc85-c638fe6aea8f",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2",
          "NIST_SP_800-53_R4_AC-3",
          "NIST_SP_800-53_R4_IA-2",
          "NIST_SP_800-53_R4_IA-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_AddSystemIdentityWhenUser",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-3",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_IA-5",
          "NIST_SP_800-53_R4_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "6e2593d9-add6-4083-9c9b-4b7d2188c899",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-4",
          "NIST_SP_800-53_R4_IR-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "vulnerabilitiesInSecurityConfigurationOnYourMachinesShouldBeRemediated",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "previewMonitorUnprotectedNetworkEndpointsInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "webAppEnforceHttpsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d",
        "parameters": {
          "effect": {
            "value": "[parameters('webAppEnforceHttpsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "048248b0-55cd-46da-b1ff-39efd52db260",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "transparentDataEncryptionOnSqlDatabasesShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "monitorMissingEndpointProtectionInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-3",
          "NIST_SP_800-53_R4_SI-3",
          "NIST_SP_800-53_R4_SI-3(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "identityRemoveExternalAccountWithOwnerPermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9",
        "parameters": {
          "effect": {
            "value": "[parameters('identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "remoteDebuggingShouldBeTurnedOffForApiApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "0e6763cc-5078-4e64-889d-ff4d9a839047",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(12)",
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_IR-4",
          "NIST_SP_800-53_R4_IR-5",
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-2",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "358c20a6-3f9e-4f0e-97ff-c6ce485e2aac",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "geoRedundantBackupShouldBeEnabledForAzureDatabaseForMySQL",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970",
        "parameters": {
          "effect": {
            "value": "[parameters('geoRedundancyEnabledForAzureDatabaseForMySQLEffect')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CP-6",
          "NIST_SP_800-53_R4_CP-6(1)",
          "NIST_SP_800-53_R4_CP-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "2b9ad585-36bc-4615-b300-fd4435808332",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2",
          "NIST_SP_800-53_R4_AC-3",
          "NIST_SP_800-53_R4_IA-2",
          "NIST_SP_800-53_R4_IA-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_DeployExtensionWindows",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_IA-5",
          "NIST_SP_800-53_R4_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "0b15565f-aa9e-48ba-8619-45960f2c314d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-4",
          "NIST_SP_800-53_R4_IR-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "vulnerabilitiesOnYourSqlDatabasesShouldBeRemediated",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "apiAppShouldOnlyBeAccessibleOverHttps",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "systemUpdatesShouldBeInstalledOnYourMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "fc5e4038-4584-4632-8c85-c0448d374b2c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "identityRemoveExternalAccountWithReadPermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60",
        "parameters": {
          "effect": {
            "value": "[parameters('identityRemoveExternalAccountWithReadPermissionsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "e71308d3-144b-4262-b144-efdc3cc90517",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "7fe3b40f-802b-4cdd-8bd4-fd799c948cc2",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(12)",
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_IR-4",
          "NIST_SP_800-53_R4_IR-5",
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-2",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "d62cfe2b-3ab0-4d41-980d-76803b58ca65",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d62cfe2b-3ab0-4d41-980d-76803b58ca65",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "0820b7b9-23aa-4725-a1ce-ae4558f718e5",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "c4d441f8-f9d9-4a9e-9cef-e82117cb3eef",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2",
          "NIST_SP_800-53_R4_AC-3",
          "NIST_SP_800-53_R4_IA-2",
          "NIST_SP_800-53_R4_IA-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_DeployExtensionLinux",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-3",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_IA-5",
          "NIST_SP_800-53_R4_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "vulnerabilityAssessmentOnServerMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9",
        "parameters": {
          "effect": {
            "value": "[parameters('vulnerabilityAssessmentOnServerMonitoringEffect')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_RA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "bd352bd5-2853-4985-bf0d-73806b4a5744",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-5",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "identityRemoveExternalAccountWithWritePermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4",
        "parameters": {
          "effect": {
            "value": "[parameters('identityRemoveExternalAccountWithWritePermissionsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "f6de0be7-9a8a-4b8a-b349-43cf02d22f7c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "6581d072-105e-4418-827f-bd446d56421b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6581d072-105e-4418-827f-bd446d56421b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(12)",
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_IR-4",
          "NIST_SP_800-53_R4_IR-5",
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-2",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "a4fe33eb-e377-4efb-ab31-0784311bc499",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "VulnerabilityAssessmentshouldbeenabledonVirtualMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9",
        "parameters": {
          "effect": {
            "value": "[parameters('vulnerabilityAssessmentOnVirtualMachinesEffect')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "6fac406b-40ca-413b-bf8e-0bf964659c25",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "bb91dfba-c30d-4263-9add-9c2384e659a6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "308fbb08-4ab8-4e67-9b29-592e93fb94fa",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(12)",
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_IR-4",
          "NIST_SP_800-53_R4_IR-5",
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-2",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "a3a6ea0c-e018-4933-9ef0-5aaa1501449b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "0a15ec92-a229-4763-bb14-0ea34a568f8d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a15ec92-a229-4763-bb14-0ea34a568f8d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "2913021d-f2fd-4f3d-b958-22354e2bdbcb",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcb",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(12)",
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_IR-4",
          "NIST_SP_800-53_R4_IR-5",
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-2",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ae89ebca-1c92-4898-ac2c-9f63decb045c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "0e246bcf-5f6f-4f87-bc6f-775d4712c7ea",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "c25d9a16-bc35-4e15-a7e5-9db606bf9ed4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c25d9a16-bc35-4e15-a7e5-9db606bf9ed4",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(12)",
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_IR-4",
          "NIST_SP_800-53_R4_IR-5",
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-2",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "d26f7642-7545-4e18-9b75-8c9bbdee3a9a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "e8cbc669-f12d-49eb-93e7-9273119e9933",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "d158790f-bfb0-486c-8631-2dc6b4e8e6af",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "83cef61d-dbd1-4b20-a4fc-5fbc7da10833",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "523b5cd1-3e23-492f-a539-13118b6d1e3a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/523b5cd1-3e23-492f-a539-13118b6d1e3a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(12)",
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_IR-4",
          "NIST_SP_800-53_R4_IR-5",
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-2",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "6ba6d016-e7c3-4842-b8f2-4992ebc0d72d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "22730e10-96f6-4aac-ad84-9383d35b5917",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "e802a67a-daf5-4436-9ea6-f6d821dd0c5d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "18adea5e-f416-4d0f-8aa8-d24321e3e274",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "0564d078-92f5-4f97-8398-b9f58a51f70b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0564d078-92f5-4f97-8398-b9f58a51f70b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "842c54e8-c2f9-4d79-ae8d-38d8b8019373",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/842c54e8-c2f9-4d79-ae8d-38d8b8019373",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "vulnerabilityAssessmentOnManagedInstanceMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a",
        "parameters": {
          "effect": {
            "value": "[parameters('vulnerabilityAssessmentOnManagedInstanceMonitoringEffect')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_RA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "0a1302fb-a631-4106-9753-f3d494733990",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a1302fb-a631-4106-9753-f3d494733990",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "8dfab9c4-fe7b-49ad-85e4-1e9be085358f",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8dfab9c4-fe7b-49ad-85e4-1e9be085358f",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(12)",
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "475aae12-b88a-4572-8b36-9b712b2b3a17",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "0049a6b3-a662-4f3e-8635-39cf44ace45a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0049a6b3-a662-4f3e-8635-39cf44ace45a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "f9d614c5-c173-4d56-95a7-b4437057d193",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "7595c971-233d-4bcf-bd18-596129188c49",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7595c971-233d-4bcf-bd18-596129188c49",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "c3d20c29-b36d-48fe-808b-99a87530ad99",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3d20c29-b36d-48fe-808b-99a87530ad99",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(12)",
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_IR-4",
          "NIST_SP_800-53_R4_IR-5",
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-2",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "2f2ee1de-44aa-4762-b6bd-0893fc3f306d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "399b2637-a50f-4f95-96f8-3a145476eb15",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "bdc59948-5574-49b3-bb91-76b7c986428d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bdc59948-5574-49b3-bb91-76b7c986428d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(12)",
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_IR-4",
          "NIST_SP_800-53_R4_IR-5",
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-2",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "04c4380f-3fae-46e8-96c9-30193528f602",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "295fc8b1-dc9f-4f53-9c61-3f313ceab40a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/295fc8b1-dc9f-4f53-9c61-3f313ceab40a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "fb74e86f-d351-4b8d-b034-93da7391c01f",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fb74e86f-d351-4b8d-b034-93da7391c01f",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "e8eef0a8-67cf-4eb4-9386-14b0e78733d4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "fdccbe47-f3e3-4213-ad5d-ea459b2fa077",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "9a1b8c48-453a-4044-86c3-d8bfd823e4f5",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ca610c1d-041c-4332-9d88-7ed3094967c7",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ca610c1d-041c-4332-9d88-7ed3094967c7",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "d9844e8a-1437-4aeb-a32c-0c992f056095",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "9830b652-8523-49cc-b1b3-e17dce1127ca",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9830b652-8523-49cc-b1b3-e17dce1127ca",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "4b90e17e-8448-49db-875e-bd83fb6f804f",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4b90e17e-8448-49db-875e-bd83fb6f804f",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "fb893a29-21bb-418c-a157-e99480ec364c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "a1ad735a-e96f-45d2-a7b2-9a4932cab7ec",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a1ad735a-e96f-45d2-a7b2-9a4932cab7ec",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "7261b898-8a84-4db8-9e04-18527132abb3",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "5bb220d9-2698-4ee4-8404-b9c30c9df609",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "496223c3-ad65-4ecd-878a-bae78737e9ed",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "eaebaea7-8013-4ceb-9d14-7eb32271373c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eaebaea7-8013-4ceb-9d14-7eb32271373c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "0c192fe8-9cbb-4516-85b3-0ade8bd03886",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0c192fe8-9cbb-4516-85b3-0ade8bd03886",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "5f0f936f-2f01-4bf5-b6be-d423792fa562",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "88999f4c-376a-45c8-bcb3-4058f713cf39",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/88999f4c-376a-45c8-bcb3-4058f713cf39",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "6edd7eda-6dd8-40f7-810d-67160c639cd9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "7008174a-fd10-4ef0-817e-fc820a951d73",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "7698e800-9299-47a6-b3b6-5a0fee576eed",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7698e800-9299-47a6-b3b6-5a0fee576eed",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "7238174a-fd10-4ef0-817e-fc820a951d73",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "74c3584d-afae-46f7-a20a-6f8adba71a16",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20a-6f8adba71a16",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "0fda3595-9f2b-4592-8675-4231d6fa82fe",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0fda3595-9f2b-4592-8675-4231d6fa82fe",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "cddd188c-4b82-4c48-a19d-ddf74ee66a01",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cddd188c-4b82-4c48-a19d-ddf74ee66a01",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "051cba44-2429-45b9-9649-46cec11c7119",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "8b0323be-cc25-4b61-935d-002c3798c6ea",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8b0323be-cc25-4b61-935d-002c3798c6ea",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "f39f5f49-4abf-44de-8c70-0756997bfb51",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f39f5f49-4abf-44de-8c70-0756997bfb51",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "58440f8a-10c5-4151-bdce-dfbaad4a20b7",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/58440f8a-10c5-4151-bdce-dfbaad4a20b7",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "7803067c-7d34-46e3-8c79-0ca68fc4036d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7803067c-7d34-46e3-8c79-0ca68fc4036d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "b8564268-eb4a-4337-89be-a19db070c59d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b8564268-eb4a-4337-89be-a19db070c59d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "df39c015-56a4-45de-b4a3-efe77bed320d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/df39c015-56a4-45de-b4a3-efe77bed320d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "1c06e275-d63d-4540-b761-71f364c2111d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c06e275-d63d-4540-b761-71f364c2111d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "1d320205-c6a1-4ac6-873d-46224024e8e2",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1d320205-c6a1-4ac6-873d-46224024e8e2",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "1ee56206-5dd1-42ab-b02d-8aae8b1634ce",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1ee56206-5dd1-42ab-b02d-8aae8b1634ce",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "72d11df1-dd8a-41f7-8925-b05b960ebafc",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/72d11df1-dd8a-41f7-8925-b05b960ebafc",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "geoRedundantStorageShouldBeEnabledForStorageAccounts",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bf045164-79ba-4215-8f95-f8048dc1780b",
        "parameters": {
          "effect": {
            "value": "[parameters('geoRedundancyEnabledForStorageAccountsEffect')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CP-6",
          "NIST_SP_800-53_R4_CP-6(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "longtermGeoRedundantBackupEnabledAzureSQLDatabases",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570",
        "parameters": {
          "effect": {
            "value": "[parameters('longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CP-6",
          "NIST_SP_800-53_R4_CP-6(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "991310cd-e9f3-47bc-b7b6-f57b557d07db",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/991310cd-e9f3-47bc-b7b6-f57b557d07db",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "e2c1c086-2d84-4019-bff3-c44ccd95113c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e2c1c086-2d84-4019-bff3-c44ccd95113c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "8c122334-9d20-4eb8-89ea-ac9a705b74ae",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8c122334-9d20-4eb8-89ea-ac9a705b74ae",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2"
        ]
      }
    ],
    "policyDefinitionGroups": [
      {
        "name": "NIST_SP_800-53_R4_AC-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-1"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-2"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-2(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-2(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-2(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-2(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-2(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-2(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-2(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-2(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-2(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-2(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-2(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-2(7)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-2(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-2(9)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-2(10)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-2(10)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-2(11)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-2(11)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-2(12)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-2(12)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-2(13)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-2(13)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-3"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-4"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-4(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-4(8)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-4(21)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-4(21)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-5"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-6"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-6(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-6(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-6(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-6(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-6(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-6(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-6(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-6(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-6(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-6(7)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-6(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-6(8)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-6(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-6(9)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-6(10)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-6(10)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-7"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-7(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-7(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-8"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-10"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-11"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-11(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-11(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-12"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-12(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-12(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-14",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-14"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-17",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-17"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-17(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-17(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-17(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-17(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-17(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-17(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-17(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-17(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-17(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-17(9)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-18",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-18"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-18(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-18(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-18(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-18(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-18(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-18(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-18(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-18(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-19",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-19"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-19(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-19(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-20",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-20"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-20(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-20(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-20(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-20(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-21",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-21"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-22",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-22"
      },
      {
        "name": "NIST_SP_800-53_R4_AT-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AT-1"
      },
      {
        "name": "NIST_SP_800-53_R4_AT-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AT-2"
      },
      {
        "name": "NIST_SP_800-53_R4_AT-2(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AT-2(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_AT-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AT-3"
      },
      {
        "name": "NIST_SP_800-53_R4_AT-3(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AT-3(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_AT-3(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AT-3(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_AT-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AT-4"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-1"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-2"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-2(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-2(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-3"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-3(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-3(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-3(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-3(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-4"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-5"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-5(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-5(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-5(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-5(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-6"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-6(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-6(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-6(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-6(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-6(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-6(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-6(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-6(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-6(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-6(6)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-6(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-6(7)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-6(10)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-6(10)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-7"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-7(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-7(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-8"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-8(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-8(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-9"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-9(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-9(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-9(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-9(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-9(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-9(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-10"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-11"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-12"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-12(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-12(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-12(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-12(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-1"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-2"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-2(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-2(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-2(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-2(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-2(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-2(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-3"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-3(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-3(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-3(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-3(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-5"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-6"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-7"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-7(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-7(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-7(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-7(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-8"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-8(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-8(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-9"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-1"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-2"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-2(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-2(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-2(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-2(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-2(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-2(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-2(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-2(7)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-3"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-3(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-3(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-3(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-3(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-3(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-3(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-3(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-3(6)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-4"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-4(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-4(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-5"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-5(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-5(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-5(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-5(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-5(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-5(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-5(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-5(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-6"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-6(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-6(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-6(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-6(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-7"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-7(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-7(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-7(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-7(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-7(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-7(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-8"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-8(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-8(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-8(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-8(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-8(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-8(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-8(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-8(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-8(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-8(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-9"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-10"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-10(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-10(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-11"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-11(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-11(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-1"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-2"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-2(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-2(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-2(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-2(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-2(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-2(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-2(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-2(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-2(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-2(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-2(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-2(8)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-3"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-3(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-3(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-4"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-4(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-4(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-4(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-4(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-6"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-6(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-6(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-6(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-6(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-6(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-6(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-7"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-7(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-7(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-7(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-7(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-7(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-7(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-7(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-7(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-8"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-8(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-8(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-8(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-8(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-8(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-8(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-8(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-8(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-9"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-9(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-9(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-9(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-9(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-9(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-9(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-9(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-9(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-10"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-10(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-10(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-10(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-10(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-1"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-2"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-2(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-2(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-2(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-2(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-2(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-2(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-2(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-2(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-2(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-2(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-2(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-2(8)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-2(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-2(9)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-2(11)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-2(11)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-2(12)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-2(12)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-3"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-4"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-4(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-4(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-5"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-5(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-5(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-5(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-5(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-5(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-5(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-5(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-5(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-5(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-5(6)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-5(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-5(7)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-5(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-5(8)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-5(11)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-5(11)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-5(13)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-5(13)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-6"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-7"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-8"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-8(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-8(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-8(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-8(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-8(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-8(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-8(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-8(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-1"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-2"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-2(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-2(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-2(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-2(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-3"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-3(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-3(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-4"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-4(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-4(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-4(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-4(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-4(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-4(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-4(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-4(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-4(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-4(6)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-4(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-4(8)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-5"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-5(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-5(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-6"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-6(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-6(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-7"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-7(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-7(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-7(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-7(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-8"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-9"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-9(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-9(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-9(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-9(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-9(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-9(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-9(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-9(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-1"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-2"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-2(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-2(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-3"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-3(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-3(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-3(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-3(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-3(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-3(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-4"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-4(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-4(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-4(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-4(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-4(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-4(6)"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-5"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-5(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-5(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-6"
      },
      {
        "name": "NIST_SP_800-53_R4_MP-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MP-1"
      },
      {
        "name": "NIST_SP_800-53_R4_MP-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MP-2"
      },
      {
        "name": "NIST_SP_800-53_R4_MP-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MP-3"
      },
      {
        "name": "NIST_SP_800-53_R4_MP-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MP-4"
      },
      {
        "name": "NIST_SP_800-53_R4_MP-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MP-5"
      },
      {
        "name": "NIST_SP_800-53_R4_MP-5(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MP-5(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_MP-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MP-6"
      },
      {
        "name": "NIST_SP_800-53_R4_MP-6(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MP-6(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_MP-6(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MP-6(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_MP-6(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MP-6(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_MP-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MP-7"
      },
      {
        "name": "NIST_SP_800-53_R4_MP-7(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MP-7(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-1"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-2"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-3"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-3(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-3(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-4"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-5"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-6"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-6(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-6(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-6(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-6(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-8"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-8(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-8(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-9"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-10"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-11"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-11(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-11(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-12"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-13",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-13"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-13(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-13(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-13(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-13(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-13(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-13(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-14",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-14"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-14(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-14(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-15",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-15"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-15(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-15(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-16",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-16"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-17",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-17"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-18",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-18"
      },
      {
        "name": "NIST_SP_800-53_R4_PL-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PL-1"
      },
      {
        "name": "NIST_SP_800-53_R4_PL-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PL-2"
      },
      {
        "name": "NIST_SP_800-53_R4_PL-2(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PL-2(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_PL-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PL-4"
      },
      {
        "name": "NIST_SP_800-53_R4_PL-4(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PL-4(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_PL-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PL-8"
      },
      {
        "name": "NIST_SP_800-53_R4_PS-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PS-1"
      },
      {
        "name": "NIST_SP_800-53_R4_PS-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PS-2"
      },
      {
        "name": "NIST_SP_800-53_R4_PS-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PS-3"
      },
      {
        "name": "NIST_SP_800-53_R4_PS-3(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PS-3(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_PS-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PS-4"
      },
      {
        "name": "NIST_SP_800-53_R4_PS-4(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PS-4(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_PS-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PS-5"
      },
      {
        "name": "NIST_SP_800-53_R4_PS-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PS-6"
      },
      {
        "name": "NIST_SP_800-53_R4_PS-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PS-7"
      },
      {
        "name": "NIST_SP_800-53_R4_PS-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PS-8"
      },
      {
        "name": "NIST_SP_800-53_R4_RA-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_RA-1"
      },
      {
        "name": "NIST_SP_800-53_R4_RA-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_RA-2"
      },
      {
        "name": "NIST_SP_800-53_R4_RA-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_RA-3"
      },
      {
        "name": "NIST_SP_800-53_R4_RA-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_RA-5"
      },
      {
        "name": "NIST_SP_800-53_R4_RA-5(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_RA-5(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_RA-5(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_RA-5(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_RA-5(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_RA-5(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_RA-5(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_RA-5(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_RA-5(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_RA-5(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_RA-5(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_RA-5(6)"
      },
      {
        "name": "NIST_SP_800-53_R4_RA-5(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_RA-5(8)"
      },
      {
        "name": "NIST_SP_800-53_R4_RA-5(10)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_RA-5(10)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-1"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-2"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-3"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-4"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-4(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-4(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-4(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-4(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-4(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-4(8)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-4(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-4(9)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-4(10)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-4(10)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-5"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-8"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-9"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-9(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-9(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-9(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-9(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-9(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-9(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-9(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-9(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-10"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-10(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-10(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-11"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-11(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-11(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-11(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-11(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-11(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-11(8)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-12"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-15",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-15"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-16",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-16"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-17",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-17"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-1"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-2"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-3"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-4"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-5"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-6"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-7"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-7(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-7(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-7(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-7(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-7(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-7(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-7(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-7(7)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-7(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-7(8)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-7(10)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-7(10)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-7(12)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-7(12)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-7(13)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-7(13)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-7(18)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-7(18)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-7(20)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-7(20)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-7(21)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-7(21)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-8"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-8(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-8(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-10"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-12"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-12(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-12(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-12(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-12(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-12(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-12(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-13",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-13"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-15",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-15"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-17",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-17"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-18",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-18"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-19",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-19"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-20",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-20"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-21",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-21"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-22",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-22"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-23",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-23"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-23(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-23(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-24",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-24"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-28",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-28"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-28(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-28(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-39",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-39"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-1"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-2"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-2(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-2(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-2(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-2(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-2(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-2(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-3"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-3(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-3(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-3(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-3(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-3(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-3(7)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-4"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-4(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-4(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-4(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-4(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-4(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-4(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-4(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-4(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-4(11)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-4(11)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-4(14)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-4(14)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-4(16)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-4(16)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-4(18)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-4(18)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-4(19)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-4(19)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-4(20)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-4(20)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-4(22)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-4(22)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-4(23)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-4(23)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-4(24)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-4(24)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-5"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-5(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-5(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-6"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-7"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-7(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-7(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-7(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-7(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-7(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-7(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-7(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-7(7)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-7(14)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-7(14)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-8"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-8(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-8(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-8(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-8(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-10"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-11"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-12"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-16",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-16"
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/d5264498-16f4-418a-b659-fa7ef418175f",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "d5264498-16f4-418a-b659-fa7ef418175f"
}
BuiltIn Regulatory Compliance False False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "FedRAMP Moderate",
    "policyType": "BuiltIn",
    "description": "This initiative includes policies that address a subset of FedRAMP Moderate controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/fedrampm-initiative.",
    "metadata": {
      "version": "5.0.0",
      "category": "Regulatory Compliance"
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc-connected servers when evaluating guest configuration policies",
          "description": "By selecting 'true,' you agree to be charged monthly per Arc connected machine; for more information, visit https://aka.ms/policy-pricing"
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40": {
        "type": "String",
        "metadata": {
          "displayName": "Status if Windows Defender is not available on machine",
          "description": "Windows Defender Exploit Guard is only available starting with Windows 10/Windows Server with update 1709. Setting this value to 'Non-Compliant' shows machines with older versions on which Windows Defender Exploit Guard is not available (such as Windows Server 2012 R2) as non-compliant. Setting this value to 'Compliant' shows these machines as compliant."
        },
        "allowedValues": [
          "Compliant",
          "Non-Compliant"
        ],
        "defaultValue": "Compliant"
      },
      "MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112": {
        "type": "String",
        "metadata": {
          "displayName": "Minimum TLS version for Windows web servers",
          "description": "Windows web servers with lower TLS versions will be assessed as non-compliant"
        },
        "allowedValues": [
          "1.1",
          "1.2"
        ],
        "defaultValue": "1.2"
      },
      "requiredRetentionDays": {
        "type": "String",
        "metadata": {
          "displayName": "Required retention period (days) for resource logs"
        },
        "defaultValue": "365"
      },
      "effect-febd0533-8e55-448f-b837-bd0e06f16469": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster containers should only use allowed images",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedNamespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Kubernetes namespaces excluded from evaluation of Kubernetes cluster policies in this initiative",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation"
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "namespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Kubernetes namespaces included for evaluation of Kubernetes cluster policies in this initiative",
          "description": "List of Kubernetes namespaces to (only) include for policy evaluation; an empty list will result in policies evaluated on all resources in all namespaces"
        },
        "defaultValue": []
      },
      "labelSelector": {
        "type": "Object",
        "metadata": {
          "displayName": "Kubernetes label selector for resources included for evaluation of Kubernetes cluster policies in this initiative",
          "description": "Label query to select Kubernetes resources to include for policy evaluation; an empty label selector will result in policies evaluated on all Kubernetes resources"
        },
        "defaultValue": {}
      },
      "allowedContainerImagesRegex-febd0533-8e55-448f-b837-bd0e06f16469": {
        "type": "String",
        "metadata": {
          "displayName": "Allowed container images for Kubernetes clusters",
          "description": "Regular expression used to match allowed container images in a Kubernetes cluster; Ex: allow any Azure Container Registry image by matching partial path: ^.+azurecr.io/.+$"
        },
        "defaultValue": "^(.+){0}$"
      },
      "effect-95edb821-ddaf-4404-9732-666045e056b4": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster should not allow privileged containers",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedContainers-95edb821-ddaf-4404-9732-666045e056b4": {
        "type": "Array",
        "metadata": {
          "displayName": "Kubernetes containers excluded from evaluation of policy: Kubernetes cluster should not allow privileged containers",
          "description": "The list of InitContainers and Containers to exclude from policy evaluation. The list should use the container name. Use an empty list to apply this policy to all containers in all namespaces."
        },
        "defaultValue": []
      },
      "effect-440b515e-a580-421e-abeb-b159a61ddcbc": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster containers should only listen on allowed ports",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "allowedContainerPortsList-440b515e-a580-421e-abeb-b159a61ddcbc": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed listener ports for Kubernetes cluster containers",
          "description": "List of container ports on which Kubernetes cluster containers are allowed to listen"
        },
        "defaultValue": []
      },
      "effect-233a2a17-77ca-4fb1-9b6b-69223d272a44": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster services should listen only on allowed ports",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "allowedServicePortsList-233a2a17-77ca-4fb1-9b6b-69223d272a44": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed listener ports for Kubernetes cluster services",
          "description": "The list of ports on which Kubernetes cluster services are allowed to listen"
        },
        "defaultValue": []
      },
      "effect-e345eecc-fa47-480f-9e88-67dcc122b164": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "cpuLimit-e345eecc-fa47-480f-9e88-67dcc122b164": {
        "type": "String",
        "metadata": {
          "displayName": "Maximum allowed CPU units for containers in Kubernetes clusters",
          "description": "Ex: 200m; for more information, visit https://aka.ms/k8s-policy-pod-limits"
        },
        "defaultValue": "0"
      },
      "memoryLimit-e345eecc-fa47-480f-9e88-67dcc122b164": {
        "type": "String",
        "metadata": {
          "displayName": "Maximum allowed memory (bytes) for a container in Kubernetes clusters",
          "description": "Ex: 1Gi; for more information, visit https://aka.ms/k8s-policy-pod-limits"
        },
        "defaultValue": "0"
      },
      "effect-f06ddb64-5fa3-4b77-b166-acb36f7f6042": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster pods and containers should only run with approved user and group IDs",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "runAsUserRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042": {
        "type": "String",
        "metadata": {
          "displayName": "Run as user rule for Kubernetes containers",
          "description": "The 'RunAsUser' rule that containers are allowed to run with; for more information, visit https://aka.ms/kubepolicydoc"
        },
        "allowedValues": [
          "MustRunAs",
          "MustRunAsNonRoot",
          "RunAsAny"
        ],
        "defaultValue": "MustRunAsNonRoot"
      },
      "runAsUserRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042": {
        "type": "Object",
        "metadata": {
          "displayName": "Allowed user ID ranges for Kubernetes containers",
          "description": "User ID ranges that are allowed for containers to use; for more information, visit https://aka.ms/kubepolicydoc"
        },
        "defaultValue": {
          "ranges": []
        }
      },
      "runAsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042": {
        "type": "String",
        "metadata": {
          "displayName": "Run as group rule for Kubernetes containers",
          "description": "The 'RunAsGroup' rule that containers are allowed to run with; for more information, visit https://aka.ms/kubepolicydoc"
        },
        "allowedValues": [
          "MustRunAs",
          "MayRunAs",
          "RunAsAny"
        ],
        "defaultValue": "RunAsAny"
      },
      "runAsGroupRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042": {
        "type": "Object",
        "metadata": {
          "displayName": "Allowed group ID ranges for Kubernetes containers",
          "description": "Group ID ranges that are allowed for containers to use; for more information, visit https://aka.ms/kubepolicydoc"
        },
        "defaultValue": {
          "ranges": []
        }
      },
      "supplementalGroupsRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042": {
        "type": "String",
        "metadata": {
          "displayName": "Supplemental group rule for Kubernetes containers",
          "description": "The 'SupplementalGroups' rule that containers are allowed to run with; for more information, visit https://aka.ms/kubepolicydoc"
        },
        "allowedValues": [
          "MustRunAs",
          "MayRunAs",
          "RunAsAny"
        ],
        "defaultValue": "RunAsAny"
      },
      "supplementalGroupsRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042": {
        "type": "Object",
        "metadata": {
          "displayName": "Allowed supplemental group ID ranges for Kubernetes containers",
          "description": "Supplemental group ID ranges that are allowed for containers to use; for more information, visit https://aka.ms/kubepolicydoc"
        },
        "defaultValue": {
          "ranges": []
        }
      },
      "fsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042": {
        "type": "String",
        "metadata": {
          "displayName": "File system group rule for Kubernetes containers",
          "description": "The 'FSGroup' rule that containers are allowed to run with; for more information, visit https://aka.ms/kubepolicydoc"
        },
        "allowedValues": [
          "MustRunAs",
          "MayRunAs",
          "RunAsAny"
        ],
        "defaultValue": "RunAsAny"
      },
      "fsGroupRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042": {
        "type": "Object",
        "metadata": {
          "displayName": "Allowed file system group ID ranges for Kubernetes cluster pods",
          "description": "File system group ranges that are allowed for pods to use; for more information, visit https://aka.ms/kubepolicydoc"
        },
        "defaultValue": {
          "ranges": []
        }
      },
      "effect-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes clusters should not allow container privilege escalation",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster containers should not share host process ID or host IPC namespace",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-df49d893-a74c-421d-bc95-c663042e5b80": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster containers should run with a read only root file system",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes clusters should be accessible only over HTTPS",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-c26596ff-4d70-4e6a-9a30-c2506bd2f80c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster containers should only use allowed capabilities",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "allowedCapabilities-c26596ff-4d70-4e6a-9a30-c2506bd2f80c": {
        "type": "Array",
        "metadata": {
          "displayName": "List of capabilities that are allowed to be added to a Kubernetes cluster container",
          "description": "Use an empty list as input to block everything"
        },
        "defaultValue": []
      },
      "requiredDropCapabilities-c26596ff-4d70-4e6a-9a30-c2506bd2f80c": {
        "type": "Array",
        "metadata": {
          "displayName": "The list of capabilities that must be dropped by a Kubernetes cluster container",
          "description": "For more information, visit https://aka.ms/kubepolicydoc"
        },
        "defaultValue": []
      },
      "effect-511f5417-5d12-434d-ab2e-816901e72a5e": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster containers should only use allowed AppArmor profiles",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "allowedProfiles-511f5417-5d12-434d-ab2e-816901e72a5e": {
        "type": "Array",
        "metadata": {
          "displayName": "The list of AppArmor profiles that containers are allowed to use",
          "description": "Ex: 'runtime/default;docker/default'; use an empty list as input to block everything; for more information, visit https://aka.ms/kubepolicydoc"
        },
        "defaultValue": []
      },
      "effect-82985f06-dc18-4a48-bc1c-b9f4f0098cfe": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster pods should only use approved host network and port range",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "allowHostNetwork-82985f06-dc18-4a48-bc1c-b9f4f0098cfe": {
        "type": "Boolean",
        "metadata": {
          "displayName": "Allow host network usage for Kubernetes cluster pods",
          "description": "Set this value to true if pod is allowed to use host network, otherwise set to false; for more information, visit https://aka.ms/kubepolicydoc"
        },
        "defaultValue": false
      },
      "minPort-82985f06-dc18-4a48-bc1c-b9f4f0098cfe": {
        "type": "Integer",
        "metadata": {
          "displayName": "Minimum value in the allowable host port range that Kubernetes cluster pods can use in the host network namespace",
          "description": "For more information, visit https://aka.ms/kubepolicydoc"
        },
        "defaultValue": 0
      },
      "maxPort-82985f06-dc18-4a48-bc1c-b9f4f0098cfe": {
        "type": "Integer",
        "metadata": {
          "displayName": "Maximum value in the allowable host port range that Kubernetes cluster pods can use in the host network namespace",
          "description": "For more information, visit https://aka.ms/kubepolicydoc"
        },
        "defaultValue": 0
      },
      "effect-098fc59e-46c7-4d99-9b16-64990e543d75": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster pod hostPath volumes should only use allowed host paths",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "allowedHostPaths-098fc59e-46c7-4d99-9b16-64990e543d75": {
        "type": "Object",
        "metadata": {
          "displayName": "Allowed host paths for pod hostPath volumes to use",
          "description": "Use an empty paths list to block all host paths; for more information, visit https://aka.ms/kubepolicydoc"
        },
        "defaultValue": {
          "paths": []
        }
      },
      "resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6": {
        "type": "String",
        "metadata": {
          "displayName": "Name of the resource group for Network Watcher",
          "description": "Name of the resource group where Network Watchers are located, Ex: NetworkWatcherRG"
        },
        "defaultValue": "NetworkWatcherRG"
      },
      "includeAKSClusters-7c1b1214-f927-48bf-8882-84f0af6588b1": {
        "type": "Boolean",
        "metadata": {
          "displayName": "Include AKS clusters when auditing if virtual machine scale set diagnostic logs are enabled",
          "description": "For more information, visit https://aka.ms/kubepolicydoc"
        },
        "defaultValue": false
      },
      "setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9": {
        "type": "String",
        "metadata": {
          "displayName": "Required auditing setting for SQL servers"
        },
        "allowedValues": [
          "enabled",
          "disabled"
        ],
        "defaultValue": "enabled"
      },
      "evaluatedSkuNames-ef619a2c-cc4d-4d03-b2ba-8c94a834d85b": {
        "type": "Array",
        "metadata": {
          "displayName": "API Management SKUs that should use a virtual network",
          "description": "List of API Management SKUs against which this policy will be evaluated"
        },
        "allowedValues": [
          "Developer",
          "Basic",
          "Standard",
          "Premium",
          "Consumption"
        ],
        "defaultValue": [
          "Developer",
          "Premium"
        ]
      },
      "effect-b54ed75b-3e1a-44ac-a333-05ba39b99ff0": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Service Fabric clusters should only use Azure Active Directory for client authentication",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-71ef260a-8f18-47b7-abcb-62d0673d94dc": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Cognitive Services accounts should have local authentication methods disabled",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Web Application Firewall (WAF) should be enabled for Azure Front Door Service service",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Web Application Firewall (WAF) should be enabled for Application Gateway",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Cosmos DB accounts should have firewall rules",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-d9da03a1-f3c3-412a-9709-947156872263": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure HDInsight clusters should use encryption in transit to encrypt communication between Azure HDInsight cluster nodes",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-617c02be-7f02-4efd-8836-3180d47b6c68": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Key vaults should have purge protection enabled",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Key vaults should have soft delete enabled",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "maximumValidityInMonths-0a075868-4c26-42ef-914c-5bc007359560": {
        "type": "Integer",
        "metadata": {
          "displayName": "Maximum validity (months) for Key Vault certificates",
          "description": "The limit for how long a Key Vault certificate may be valid; Azure best practices recommend against certificates with lengthy validity periods"
        },
        "defaultValue": 12
      },
      "effect-0a075868-4c26-42ef-914c-5bc007359560": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Certificates should have the specified maximum validity period",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-98728c90-32c7-4049-8429-847dc0f4fe37": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Key Vault secrets should have an expiration date",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Key Vault keys should have an expiration date",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Double encryption should be enabled on Azure Data Explorer",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-c349d81b-9985-44ae-a8da-ff98d108ede8": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Data Box jobs should enable double encryption for data at rest on the device",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "supportedSKUs-c349d81b-9985-44ae-a8da-ff98d108ede8": {
        "type": "Array",
        "metadata": {
          "displayName": "Azure Data Box SKUs that support software-based double encryption",
          "description": "The list of Azure Data Box SKUs that support software-based double encryption"
        },
        "allowedValues": [
          "DataBox",
          "DataBoxHeavy"
        ],
        "defaultValue": [
          "DataBox",
          "DataBoxHeavy"
        ]
      },
      "effect-3657f5a0-770e-44a3-b44e-9431ba1e9735": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Automation account variables should be encrypted",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-b4ac1030-89c5-4697-8e00-28b5ba6a8811": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Stack Edge devices should use double-encryption",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-ea0dfaed-95fb-448c-934e-d6e713ce393d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption)",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-3a58212a-c829-4f13-9872-6371df2fd0b4": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Infrastructure encryption should be enabled for Azure Database for MySQL servers",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-24fba194-95d6-48c0-aea7-f65bf859c598": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage accounts should have infrastructure encryption",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-f4b53539-8df9-40e4-86c6-6b607703bd4e": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Disk encryption should be enabled on Azure Data Explorer",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-41425d9f-d1a5-499a-9932-f8ed8453932c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-fc4d8e41-e223-45ea-9bf5-eada37891d87": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Virtual machines and virtual machine scale sets should have encryption at host enabled",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-86efb160-8de7-451d-bc08-5d475b0aadae": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "supportedSKUs-86efb160-8de7-451d-bc08-5d475b0aadae": {
        "type": "Array",
        "metadata": {
          "displayName": "Azure Data Box SKUs that support customer-managed key encryption key",
          "description": "The list of Azure Data Box SKUs that support customer-managed key encryption key"
        },
        "allowedValues": [
          "DataBox",
          "DataBoxHeavy"
        ],
        "defaultValue": [
          "DataBox",
          "DataBoxHeavy"
        ]
      },
      "effect-4ec52d6d-beb7-40c4-9a9e-fe753254690e": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure data factories should be encrypted with a customer-managed key",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-64d314f6-6062-4780-a861-c23e8951bee5": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure HDInsight clusters should use customer-managed keys to encrypt data at rest",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure HDInsight clusters should use encryption at host to encrypt data at rest",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-fa298e57-9444-42ba-bf04-86e8470e32c7": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Cognitive Services accounts should enable data encryption with a customer-managed key",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-1f905d99-2ab7-462c-a6b0-f709acca6c8f": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Container registries should be encrypted with a customer-managed key",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-ba769a63-b8cc-4b2d-abf6-ac33c7204be8": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Machine Learning workspaces should be encrypted with a customer-managed key",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-81e74cea-30fd-40d5-802f-d72103c2aaaa": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Data Explorer encryption at rest should use a customer-managed key",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-0aa61e00-0a01-4a3c-9945-e93cffedf0e6": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Container Instance container group should use customer-managed key for encryption",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled",
          "Deny"
        ],
        "defaultValue": "Audit"
      },
      "effect-47031206-ce96-41f8-861b-6a915f3de284": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: IoT Hub device provisioning service data should be encrypted using customer-managed keys (CMK)",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Stream Analytics jobs should use customer-managed keys to encrypt data",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-51522a96-0869-4791-82f3-981000c2c67f": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Bot Service should be encrypted with a customer-managed key",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-b5ec538c-daa0-4006-8596-35468b9148e8": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage account encryption scopes should use customer-managed keys to encrypt data at rest",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-970f84d8-71b6-4091-9979-ace7e3fb6dbb": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: HPC Cache accounts should use customer-managed key for encryption",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled",
          "Deny"
        ],
        "defaultValue": "Audit"
      },
      "effect-56a5ee18-2ae6-4810-86f7-18e39ce5629b": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Automation accounts should use customer-managed keys to encrypt data at rest",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-2e94d99a-8a36-4563-bc77-810d8893b671": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Recovery Services vaults should use customer-managed keys for encrypting backup data",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "enableDoubleEncryption-2e94d99a-8a36-4563-bc77-810d8893b671": {
        "type": "Boolean",
        "metadata": {
          "displayName": "Require that double encryption is enabled on Recovery Services vaults for Backup",
          "description": "Check if double encryption is enabled on Recovery Services vaults for Backup; for more information, visit https://aka.ms/ab-infraencryption"
        },
        "allowedValues": [
          true,
          false
        ],
        "defaultValue": true
      },
      "effect-1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Logic Apps Integration Service Environment should be encrypted with customer-managed keys",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-99e9ccd8-3db9-4592-b0d1-14b1715a4d8a": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Batch account should use customer-managed keys to encrypt data",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-1f68a601-6e6d-4e42-babf-3f643a047ea2": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Monitor Logs clusters should be encrypted with customer-managed key",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-f7d52b2d-e161-4dfa-a82b-55e564167385": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Synapse workspaces should use customer-managed keys to encrypt data at rest",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-ca91455f-eace-4f96-be59-e6e2c35b4816": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Managed disks should be double encrypted with both platform-managed and customer-managed keys",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-702dd420-7fcc-42c5-afe8-4026edd20fe0": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: OS and data disks should be encrypted with a customer-managed key",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-22bee202-a82f-4305-9a2a-6d7f44d4dedb": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Only secure connections to your Azure Cache for Redis should be enabled",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-404c3081-a854-4457-ae30-26a93ef643f9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Secure transfer to storage accounts should be enabled",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-d0793b48-0edc-4296-a390-4c75d1bdfd71": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Container registries should not allow unrestricted network access",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-7d092e0a-7acd-40d2-a975-dca21cae48c4": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Cache for Redis should reside within a virtual network",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage accounts should restrict network access using virtual network rules",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-34c877ad-507e-4c82-993e-3452a6e0ad3c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage accounts should restrict network access",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-55615ac9-af46-4a59-874e-391cc3dfb490": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Key Vault should disable public network access",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-1b8ca024-1d5c-4dec-8995-b1a932b41780": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Public network access on Azure SQL Database should be disabled",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-037eea7a-bd0a-46c5-9a66-03aea78705d3": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Cognitive Services accounts should restrict network access",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-53503636-bcc9-4748-9663-5348217f160f": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure SignalR Service should use private link",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-40cec1dd-a100-4920-b15b-3024fe8901ab": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Machine Learning workspaces should use private link",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-2154edb9-244f-4741-9970-660785bccdaa": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: VM Image Builder templates should use private link",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled",
          "Deny"
        ],
        "defaultValue": "Audit"
      },
      "effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Cognitive Services accounts should disable public network access",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-5f0bc445-3935-4915-9981-011aa2b46147": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Private endpoint should be configured for Key Vault",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-af35e2a4-ef96-44e7-a9ae-853dd97032c4": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Spring Cloud should use network injection",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled",
          "Deny"
        ],
        "defaultValue": "Audit"
      },
      "evaluatedSkuNames-af35e2a4-ef96-44e7-a9ae-853dd97032c4": {
        "type": "Array",
        "metadata": {
          "displayName": "Azure Spring Cloud SKUs that should use network injection",
          "description": "List of Azure Spring Cloud SKUs against which this policy will be evaluated"
        },
        "allowedValues": [
          "Standard"
        ],
        "defaultValue": [
          "Standard"
        ]
      },
      "effect-a049bf77-880b-470f-ba6d-9f21c530cf83": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Cognitive Search service should use a SKU that supports private link",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-52630df9-ca7e-442b-853b-c6ce548b31a2": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Web PubSub Service should use private link",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-4fa4b6c0-31ca-4c0d-b10d-24b96f62a751": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage account public access should be disallowed",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-ee980b6d-0eca-4501-8d54-f6290fd512c3": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Cognitive Search services should disable public network access",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-1d84d5fb-01f6-4d12-ba4f-4a26081d403d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Virtual machines should be migrated to new Azure Resource Manager resources",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-37e0d2fe-28a5-43d6-a273-67d37d1f5606": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage accounts should be migrated to new Azure Resource Manager resources",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "logAnalyticsWorkspaceId": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Log Analytics workspace ID for VM agent reporting",
          "deprecated": true
        },
        "defaultValue": ""
      },
      "listOfResourceTypes": {
        "type": "Array",
        "metadata": {
          "displayName": "[Deprecated]: List of resource types that should have resource logs enabled",
          "deprecated": true
        },
        "allowedValues": [
          "Microsoft.AnalysisServices/servers",
          "Microsoft.ApiManagement/service",
          "Microsoft.Network/applicationGateways",
          "Microsoft.Automation/automationAccounts",
          "Microsoft.ContainerInstance/containerGroups",
          "Microsoft.ContainerRegistry/registries",
          "Microsoft.ContainerService/managedClusters",
          "Microsoft.Batch/batchAccounts",
          "Microsoft.Cdn/profiles/endpoints",
          "Microsoft.CognitiveServices/accounts",
          "Microsoft.DocumentDB/databaseAccounts",
          "Microsoft.DataFactory/factories",
          "Microsoft.DataLakeAnalytics/accounts",
          "Microsoft.DataLakeStore/accounts",
          "Microsoft.EventGrid/eventSubscriptions",
          "Microsoft.EventGrid/topics",
          "Microsoft.EventHub/namespaces",
          "Microsoft.Network/expressRouteCircuits",
          "Microsoft.Network/azureFirewalls",
          "Microsoft.HDInsight/clusters",
          "Microsoft.Devices/IotHubs",
          "Microsoft.KeyVault/vaults",
          "Microsoft.Network/loadBalancers",
          "Microsoft.Logic/integrationAccounts",
          "Microsoft.Logic/workflows",
          "Microsoft.DBforMySQL/servers",
          "Microsoft.Network/networkInterfaces",
          "Microsoft.Network/networkSecurityGroups",
          "Microsoft.DBforPostgreSQL/servers",
          "Microsoft.PowerBIDedicated/capacities",
          "Microsoft.Network/publicIPAddresses",
          "Microsoft.RecoveryServices/vaults",
          "Microsoft.Cache/redis",
          "Microsoft.Relay/namespaces",
          "Microsoft.Search/searchServices",
          "Microsoft.ServiceBus/namespaces",
          "Microsoft.SignalRService/SignalR",
          "Microsoft.Sql/servers/databases",
          "Microsoft.Sql/servers/elasticPools",
          "Microsoft.StreamAnalytics/streamingjobs",
          "Microsoft.TimeSeriesInsights/environments",
          "Microsoft.Network/trafficManagerProfiles",
          "Microsoft.Compute/virtualMachines",
          "Microsoft.Compute/virtualMachineScaleSets",
          "Microsoft.Network/virtualNetworks",
          "Microsoft.Network/virtualNetworkGateways"
        ],
        "defaultValue": []
      },
      "membersToExclude": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: List of users excluded from Windows VM Administrators group",
          "deprecated": true
        },
        "defaultValue": ""
      },
      "membersToInclude": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: List of users that must be included in Windows VM Administrators group",
          "deprecated": true
        },
        "defaultValue": ""
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "72650e9f-97bc-4b2a-ab5f-9781a9fcecbc",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "fc9b3da7-8347-4380-8e70-0a0361d8dedd",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "bed48b13-6647-468e-aa2f-1af1d3f4dd40",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "NotAvailableMachineState": {
            "value": "[parameters('NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SI-3",
          "NIST_SP_800-53_R4_SI-3(1)",
          "NIST_SP_800-53_R4_SI-16"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditLinuxVMsThatDoNotHaveThePasswdFilePermissionsSetTo0644",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e6955644-301c-44b5-a4c4-528577de6861",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5",
          "NIST_SP_800-53_R4_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewuditWindowsVMsThatAllowReUseOfThePrevious24Passwords",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b054a0d-39e2-4d53-bea3-9734cad2c69b",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditWindowsVMsThatDoNotStorePasswordsUsingReversibleEncryption",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/da0f98fe-a24b-4ad5-af69-bd0400233661",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5",
          "NIST_SP_800-53_R4_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditWindowsVMsThatDoNotHaveAMaximumPasswordAgeOf70Days",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ceb8dc2-559c-478b-a15b-733fbf1e3738",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditWindowsWebServersThatAreNotUsingSecureCommunicationProtocols",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "MinimumTLSVersion": {
            "value": "[parameters('MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "630c64f9-8b6b-4c64-b511-6544ceff6fd6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-3",
          "NIST_SP_800-53_R4_IA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditWindowsVMsThatDoNotHaveAMinimumPasswordAgeOf1Day",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/237b38db-ca4d-4259-9e47-7882441ca2c0",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditLinuxVMsThatAllowRemoteConnectionsFromAccountsWithoutPasswords",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ea53dbee-c6c9-4f0e-9f9e-de0039b78023",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditWindowsVMsThatDoNotHaveThePasswordComplexitySettingEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bf16e0bb-31e1-4646-8202-60a235cc7e74",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditWindowsVMsThatDoNotRestrictTheMinimumPasswordLengthTo14Characters",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a2d0e922-65d0-40c4-8f87-ea6da2d307a2",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditLinuxVMsThatHaveAccountsWithoutPasswords",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f6ec09a3-78bf-4f8f-99dc-6c77182d0f99",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "383856f8-de7f-44a2-81fc-e5135b5c2aa4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AU-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "f9be5368-9bf5-4b84-9e0a-7850da98bb46",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AU-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "f8d36e2f-389b-4ee4-898d-21aeb69a0f45",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AU-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "b4330a05-a843-4bc8-bf9a-cacce50c67f4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AU-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "34f95f76-5386-4de7-b824-0d8478470c9d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AU-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "cf820ca0-f99e-4f3e-84fb-66e913812d21",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AU-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "83a214f7-d01a-484b-91a9-ed54470c9a6a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AU-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "057ef27e-665e-4328-8ea3-04b3122bd9fb",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AU-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "c95c74d9-38fe-4f0d-af86-0c7d626a315c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AU-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "428256e6-1fac-4f48-a757-df34c2b3336d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AU-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "febd0533-8e55-448f-b837-bd0e06f16469",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/febd0533-8e55-448f-b837-bd0e06f16469",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-febd0533-8e55-448f-b837-bd0e06f16469')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          },
          "allowedContainerImagesRegex": {
            "value": "[parameters('allowedContainerImagesRegex-febd0533-8e55-448f-b837-bd0e06f16469')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "95edb821-ddaf-4404-9732-666045e056b4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-95edb821-ddaf-4404-9732-666045e056b4')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          },
          "excludedContainers": {
            "value": "[parameters('excludedContainers-95edb821-ddaf-4404-9732-666045e056b4')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "440b515e-a580-421e-abeb-b159a61ddcbc",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/440b515e-a580-421e-abeb-b159a61ddcbc",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-440b515e-a580-421e-abeb-b159a61ddcbc')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          },
          "allowedContainerPortsList": {
            "value": "[parameters('allowedContainerPortsList-440b515e-a580-421e-abeb-b159a61ddcbc')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "233a2a17-77ca-4fb1-9b6b-69223d272a44",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/233a2a17-77ca-4fb1-9b6b-69223d272a44",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-233a2a17-77ca-4fb1-9b6b-69223d272a44')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          },
          "allowedServicePortsList": {
            "value": "[parameters('allowedServicePortsList-233a2a17-77ca-4fb1-9b6b-69223d272a44')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "e345eecc-fa47-480f-9e88-67dcc122b164",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e345eecc-fa47-480f-9e88-67dcc122b164",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-e345eecc-fa47-480f-9e88-67dcc122b164')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          },
          "cpuLimit": {
            "value": "[parameters('cpuLimit-e345eecc-fa47-480f-9e88-67dcc122b164')]"
          },
          "memoryLimit": {
            "value": "[parameters('memoryLimit-e345eecc-fa47-480f-9e88-67dcc122b164')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "f06ddb64-5fa3-4b77-b166-acb36f7f6042",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f06ddb64-5fa3-4b77-b166-acb36f7f6042",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          },
          "runAsUserRule": {
            "value": "[parameters('runAsUserRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]"
          },
          "runAsUserRanges": {
            "value": "[parameters('runAsUserRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]"
          },
          "runAsGroupRule": {
            "value": "[parameters('runAsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]"
          },
          "runAsGroupRanges": {
            "value": "[parameters('runAsGroupRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]"
          },
          "supplementalGroupsRule": {
            "value": "[parameters('supplementalGroupsRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]"
          },
          "supplementalGroupsRanges": {
            "value": "[parameters('supplementalGroupsRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]"
          },
          "fsGroupRule": {
            "value": "[parameters('fsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]"
          },
          "fsGroupRanges": {
            "value": "[parameters('fsGroupRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "1c6e92c9-99f0-4e55-9cf2-0c234dc48f99",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "df49d893-a74c-421d-bc95-c663042e5b80",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/df49d893-a74c-421d-bc95-c663042e5b80",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-df49d893-a74c-421d-bc95-c663042e5b80')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "c26596ff-4d70-4e6a-9a30-c2506bd2f80c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-c26596ff-4d70-4e6a-9a30-c2506bd2f80c')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          },
          "allowedCapabilities": {
            "value": "[parameters('allowedCapabilities-c26596ff-4d70-4e6a-9a30-c2506bd2f80c')]"
          },
          "requiredDropCapabilities": {
            "value": "[parameters('requiredDropCapabilities-c26596ff-4d70-4e6a-9a30-c2506bd2f80c')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "511f5417-5d12-434d-ab2e-816901e72a5e",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/511f5417-5d12-434d-ab2e-816901e72a5e",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-511f5417-5d12-434d-ab2e-816901e72a5e')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          },
          "allowedProfiles": {
            "value": "[parameters('allowedProfiles-511f5417-5d12-434d-ab2e-816901e72a5e')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "82985f06-dc18-4a48-bc1c-b9f4f0098cfe",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82985f06-dc18-4a48-bc1c-b9f4f0098cfe",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-82985f06-dc18-4a48-bc1c-b9f4f0098cfe')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          },
          "allowHostNetwork": {
            "value": "[parameters('allowHostNetwork-82985f06-dc18-4a48-bc1c-b9f4f0098cfe')]"
          },
          "minPort": {
            "value": "[parameters('minPort-82985f06-dc18-4a48-bc1c-b9f4f0098cfe')]"
          },
          "maxPort": {
            "value": "[parameters('maxPort-82985f06-dc18-4a48-bc1c-b9f4f0098cfe')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "098fc59e-46c7-4d99-9b16-64990e543d75",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/098fc59e-46c7-4d99-9b16-64990e543d75",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-098fc59e-46c7-4d99-9b16-64990e543d75')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          },
          "allowedHostPaths": {
            "value": "[parameters('allowedHostPaths-098fc59e-46c7-4d99-9b16-64990e543d75')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "b6e2945c-0b7b-40f5-9233-7a5323b5cdc6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6",
        "parameters": {
          "resourceGroupName": {
            "value": "[parameters('resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "7c1b1214-f927-48bf-8882-84f0af6588b1",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1",
        "parameters": {
          "includeAKSClusters": {
            "value": "[parameters('includeAKSClusters-7c1b1214-f927-48bf-8882-84f0af6588b1')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AU-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditSqlServerLevelAuditingSettings",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9",
        "parameters": {
          "setting": {
            "value": "[parameters('setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AU-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "ef619a2c-cc4d-4d03-b2ba-8c94a834d85b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b",
        "parameters": {
          "evaluatedSkuNames": {
            "value": "[parameters('evaluatedSkuNames-ef619a2c-cc4d-4d03-b2ba-8c94a834d85b')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ServiceFabricClustersShouldOnlyUseAzureActiveDirectoryForClientAuthentication",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-b54ed75b-3e1a-44ac-a333-05ba39b99ff0')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2",
          "NIST_SP_800-53_R4_AC-2(1)",
          "NIST_SP_800-53_R4_AC-2(7)",
          "NIST_SP_800-53_R4_AC-3",
          "NIST_SP_800-53_R4_IA-2",
          "NIST_SP_800-53_R4_IA-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "71ef260a-8f18-47b7-abcb-62d0673d94dc",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-71ef260a-8f18-47b7-abcb-62d0673d94dc')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2",
          "NIST_SP_800-53_R4_AC-2(1)",
          "NIST_SP_800-53_R4_AC-2(7)",
          "NIST_SP_800-53_R4_AC-3",
          "NIST_SP_800-53_R4_IA-2",
          "NIST_SP_800-53_R4_IA-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "055aa869-bc98-4af8-bafc-23f1ab6ffe2c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-5",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "564feb30-bf6a-4854-b4bb-0d2d2d1e6c66",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-5",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "d9da03a1-f3c3-412a-9709-947156872263",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d9da03a1-f3c3-412a-9709-947156872263",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-d9da03a1-f3c3-412a-9709-947156872263')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "617c02be-7f02-4efd-8836-3180d47b6c68",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-617c02be-7f02-4efd-8836-3180d47b6c68')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "0b60c0b2-2dc2-4e1c-b5c9-abbed971de53",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CP-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CP-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "0a075868-4c26-42ef-914c-5bc007359560",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560",
        "parameters": {
          "maximumValidityInMonths": {
            "value": "[parameters('maximumValidityInMonths-0a075868-4c26-42ef-914c-5bc007359560')]"
          },
          "effect": {
            "value": "[parameters('effect-0a075868-4c26-42ef-914c-5bc007359560')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "98728c90-32c7-4049-8429-847dc0f4fe37",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-98728c90-32c7-4049-8429-847dc0f4fe37')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ec068d99-e9c7-401f-8cef-5bdde4e6ccf1",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ec068d99-e9c7-401f-8cef-5bdde4e6ccf1",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "c349d81b-9985-44ae-a8da-ff98d108ede8",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c349d81b-9985-44ae-a8da-ff98d108ede8",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-c349d81b-9985-44ae-a8da-ff98d108ede8')]"
          },
          "supportedSKUs": {
            "value": "[parameters('supportedSKUs-c349d81b-9985-44ae-a8da-ff98d108ede8')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "3657f5a0-770e-44a3-b44e-9431ba1e9735",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-3657f5a0-770e-44a3-b44e-9431ba1e9735')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "b4ac1030-89c5-4697-8e00-28b5ba6a8811",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4ac1030-89c5-4697-8e00-28b5ba6a8811",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-b4ac1030-89c5-4697-8e00-28b5ba6a8811')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ea0dfaed-95fb-448c-934e-d6e713ce393d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ea0dfaed-95fb-448c-934e-d6e713ce393d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-ea0dfaed-95fb-448c-934e-d6e713ce393d')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "3a58212a-c829-4f13-9872-6371df2fd0b4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-3a58212a-c829-4f13-9872-6371df2fd0b4')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "24fba194-95d6-48c0-aea7-f65bf859c598",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/24fba194-95d6-48c0-aea7-f65bf859c598",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-24fba194-95d6-48c0-aea7-f65bf859c598')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "4733ea7b-a883-42fe-8cac-97454c2a9e4a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "f4b53539-8df9-40e4-86c6-6b607703bd4e",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f4b53539-8df9-40e4-86c6-6b607703bd4e",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-f4b53539-8df9-40e4-86c6-6b607703bd4e')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "41425d9f-d1a5-499a-9932-f8ed8453932c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/41425d9f-d1a5-499a-9932-f8ed8453932c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-41425d9f-d1a5-499a-9932-f8ed8453932c')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "fc4d8e41-e223-45ea-9bf5-eada37891d87",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc4d8e41-e223-45ea-9bf5-eada37891d87",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-fc4d8e41-e223-45ea-9bf5-eada37891d87')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "86efb160-8de7-451d-bc08-5d475b0aadae",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-86efb160-8de7-451d-bc08-5d475b0aadae')]"
          },
          "supportedSKUs": {
            "value": "[parameters('supportedSKUs-86efb160-8de7-451d-bc08-5d475b0aadae')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "4ec52d6d-beb7-40c4-9a9e-fe753254690e",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ec52d6d-beb7-40c4-9a9e-fe753254690e",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-4ec52d6d-beb7-40c4-9a9e-fe753254690e')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "64d314f6-6062-4780-a861-c23e8951bee5",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/64d314f6-6062-4780-a861-c23e8951bee5",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-64d314f6-6062-4780-a861-c23e8951bee5')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "fa298e57-9444-42ba-bf04-86e8470e32c7",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fa298e57-9444-42ba-bf04-86e8470e32c7",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-fa298e57-9444-42ba-bf04-86e8470e32c7')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "67121cc7-ff39-4ab8-b7e3-95b84dab487d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "1f905d99-2ab7-462c-a6b0-f709acca6c8f",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1f905d99-2ab7-462c-a6b0-f709acca6c8f')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "ba769a63-b8cc-4b2d-abf6-ac33c7204be8",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-ba769a63-b8cc-4b2d-abf6-ac33c7204be8')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "81e74cea-30fd-40d5-802f-d72103c2aaaa",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/81e74cea-30fd-40d5-802f-d72103c2aaaa",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-81e74cea-30fd-40d5-802f-d72103c2aaaa')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "0aa61e00-0a01-4a3c-9945-e93cffedf0e6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0aa61e00-0a01-4a3c-9945-e93cffedf0e6",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0aa61e00-0a01-4a3c-9945-e93cffedf0e6')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "47031206-ce96-41f8-861b-6a915f3de284",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47031206-ce96-41f8-861b-6a915f3de284",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-47031206-ce96-41f8-861b-6a915f3de284')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "87ba29ef-1ab3-4d82-b763-87fcd4f531f7",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "51522a96-0869-4791-82f3-981000c2c67f",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/51522a96-0869-4791-82f3-981000c2c67f",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-51522a96-0869-4791-82f3-981000c2c67f')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "b5ec538c-daa0-4006-8596-35468b9148e8",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b5ec538c-daa0-4006-8596-35468b9148e8",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-b5ec538c-daa0-4006-8596-35468b9148e8')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "970f84d8-71b6-4091-9979-ace7e3fb6dbb",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/970f84d8-71b6-4091-9979-ace7e3fb6dbb",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-970f84d8-71b6-4091-9979-ace7e3fb6dbb')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "56a5ee18-2ae6-4810-86f7-18e39ce5629b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/56a5ee18-2ae6-4810-86f7-18e39ce5629b",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-56a5ee18-2ae6-4810-86f7-18e39ce5629b')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "2e94d99a-8a36-4563-bc77-810d8893b671",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2e94d99a-8a36-4563-bc77-810d8893b671",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-2e94d99a-8a36-4563-bc77-810d8893b671')]"
          },
          "enableDoubleEncryption": {
            "value": "[parameters('enableDoubleEncryption-2e94d99a-8a36-4563-bc77-810d8893b671')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "99e9ccd8-3db9-4592-b0d1-14b1715a4d8a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-99e9ccd8-3db9-4592-b0d1-14b1715a4d8a')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "1f68a601-6e6d-4e42-babf-3f643a047ea2",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f68a601-6e6d-4e42-babf-3f643a047ea2",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1f68a601-6e6d-4e42-babf-3f643a047ea2')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "f7d52b2d-e161-4dfa-a82b-55e564167385",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-f7d52b2d-e161-4dfa-a82b-55e564167385')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "7d7be79c-23ba-4033-84dd-45e2a5ccdd67",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "ca91455f-eace-4f96-be59-e6e2c35b4816",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ca91455f-eace-4f96-be59-e6e2c35b4816",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-ca91455f-eace-4f96-be59-e6e2c35b4816')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "702dd420-7fcc-42c5-afe8-4026edd20fe0",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-702dd420-7fcc-42c5-afe8-4026edd20fe0')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "OnlySecureConnectionsToYourRedisCacheShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-22bee202-a82f-4305-9a2a-6d7f44d4dedb')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditSecureTransferToStorageAccounts",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-404c3081-a854-4457-ae30-26a93ef643f9')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "d0793b48-0edc-4296-a390-4c75d1bdfd71",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-d0793b48-0edc-4296-a390-4c75d1bdfd71')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "7d092e0a-7acd-40d2-a975-dca21cae48c4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7d092e0a-7acd-40d2-a975-dca21cae48c4",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-7d092e0a-7acd-40d2-a975-dca21cae48c4')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "2a1a9cdf-e04d-429a-8416-3bfb72a1b26f",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditUnrestrictedNetworkAccessToStorageAccounts",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-34c877ad-507e-4c82-993e-3452a6e0ad3c')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "55615ac9-af46-4a59-874e-391cc3dfb490",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-55615ac9-af46-4a59-874e-391cc3dfb490')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "1b8ca024-1d5c-4dec-8995-b1a932b41780",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1b8ca024-1d5c-4dec-8995-b1a932b41780')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "037eea7a-bd0a-46c5-9a66-03aea78705d3",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-037eea7a-bd0a-46c5-9a66-03aea78705d3')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "53503636-bcc9-4748-9663-5348217f160f",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/53503636-bcc9-4748-9663-5348217f160f",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-53503636-bcc9-4748-9663-5348217f160f')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "40cec1dd-a100-4920-b15b-3024fe8901ab",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/40cec1dd-a100-4920-b15b-3024fe8901ab",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-40cec1dd-a100-4920-b15b-3024fe8901ab')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "2154edb9-244f-4741-9970-660785bccdaa",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2154edb9-244f-4741-9970-660785bccdaa",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-2154edb9-244f-4741-9970-660785bccdaa')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "0725b4dd-7e76-479c-a735-68e7ee23d5ca",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "5f0bc445-3935-4915-9981-011aa2b46147",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f0bc445-3935-4915-9981-011aa2b46147",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-5f0bc445-3935-4915-9981-011aa2b46147')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "af35e2a4-ef96-44e7-a9ae-853dd97032c4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af35e2a4-ef96-44e7-a9ae-853dd97032c4",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-af35e2a4-ef96-44e7-a9ae-853dd97032c4')]"
          },
          "evaluatedSkuNames": {
            "value": "[parameters('evaluatedSkuNames-af35e2a4-ef96-44e7-a9ae-853dd97032c4')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "a049bf77-880b-470f-ba6d-9f21c530cf83",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-a049bf77-880b-470f-ba6d-9f21c530cf83')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "52630df9-ca7e-442b-853b-c6ce548b31a2",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/52630df9-ca7e-442b-853b-c6ce548b31a2",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-52630df9-ca7e-442b-853b-c6ce548b31a2')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "4fa4b6c0-31ca-4c0d-b10d-24b96f62a751",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-4fa4b6c0-31ca-4c0d-b10d-24b96f62a751')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ee980b6d-0eca-4501-8d54-f6290fd512c3",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ee980b6d-0eca-4501-8d54-f6290fd512c3",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-ee980b6d-0eca-4501-8d54-f6290fd512c3')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "1d84d5fb-01f6-4d12-ba4f-4a26081d403d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1d84d5fb-01f6-4d12-ba4f-4a26081d403d')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "37e0d2fe-28a5-43d6-a273-67d37d1f5606",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-37e0d2fe-28a5-43d6-a273-67d37d1f5606')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "b52376f7-9612-48a1-81cd-1ffe4b61032c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "DeprecatedAccountsShouldBeRemovedFromYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "AnAzureActiveDirectoryAdministratorShouldBeProvisionedForSqlServers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2",
          "NIST_SP_800-53_R4_AC-2(1)",
          "NIST_SP_800-53_R4_AC-2(7)",
          "NIST_SP_800-53_R4_AC-3",
          "NIST_SP_800-53_R4_IA-2",
          "NIST_SP_800-53_R4_IA-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "CorsShouldNotAllowEveryResourceToAccessYourWebApplication",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "NetworkSecurityGroupRulesForInternetFacingVirtualMachinesShouldBeHardened",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ThereShouldBeMoreThanOneOwnerAssignedToYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "AMaximumOf3OwnersShouldBeDesignatedForYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2",
          "NIST_SP_800-53_R4_AC-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "AdvancedDataSecurityShouldBeEnabledOnYourManagedInstances",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(12)",
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_IR-4",
          "NIST_SP_800-53_R4_IR-5",
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "RemoteDebuggingShouldBeTurnedOffForFunctionApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "AdvancedDataSecurityShouldBeEnabledOnYourSqlServers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_IR-4",
          "NIST_SP_800-53_R4_IR-5",
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "89099bee-89e0-4b26-a5f4-165451757743",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-11"
        ]
      },
      {
        "policyDefinitionReferenceId": "4da35fc9-c9e7-4960-aec9-797fe7d9051d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(12)",
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_CM-7",
          "NIST_SP_800-53_R4_IR-4",
          "NIST_SP_800-53_R4_IR-5",
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-2",
          "NIST_SP_800-53_R4_SI-3",
          "NIST_SP_800-53_R4_SI-3(1)",
          "NIST_SP_800-53_R4_SI-4",
          "NIST_SP_800-53_R4_SI-16"
        ]
      },
      {
        "policyDefinitionReferenceId": "AdaptiveApplicationControlsShouldBeEnabledOnVirtualMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-7",
          "NIST_SP_800-53_R4_CM-7(2)",
          "NIST_SP_800-53_R4_CM-7(5)",
          "NIST_SP_800-53_R4_CM-10",
          "NIST_SP_800-53_R4_CM-11"
        ]
      },
      {
        "policyDefinitionReferenceId": "0ec47710-77ff-4a3d-9181-6aa50af424d0",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-6",
          "NIST_SP_800-53_R4_CP-6(1)",
          "NIST_SP_800-53_R4_CP-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditVirtualMachinesWithoutDisasterRecoveryConfigured",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "013e242c-8828-4970-87b3-ab247555486d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "MfaShouldBeEnabledOnAccountsWithOwnerPermissionsOnYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-3",
          "NIST_SP_800-53_R4_IA-2",
          "NIST_SP_800-53_R4_IA-2(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "MFAShouldBeEnabledOnAccountsWithReadPermissionsOnYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-3",
          "NIST_SP_800-53_R4_IA-2",
          "NIST_SP_800-53_R4_IA-2(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "6646a0bd-e110-40ca-bb97-84fcee63c414",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6646a0bd-e110-40ca-bb97-84fcee63c414",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(7)",
          "NIST_SP_800-53_R4_IA-2",
          "NIST_SP_800-53_R4_IA-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_AddSystemIdentityWhenNone",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-3",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_IA-5",
          "NIST_SP_800-53_R4_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-4",
          "NIST_SP_800-53_R4_IR-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "VulnerabilitiesInSecurityConfigurationOnYourVirtualMachineScaleSetsShouldBeRemediated",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "DDoSProtectionStandardShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "FunctionAppShouldOnlyBeAccessibleOverHttps",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "0d134df8-db83-46fb-ad72-fe0c9428c8dd",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "DiskEncryptionShouldBeAppliedOnVirtualMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "SystemUpdatesOnVirtualMachineScaleSetsShouldBeInstalled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "EndpointProtectionSolutionShouldBeInstalledOnVirtualMachineScaleSets",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-3",
          "NIST_SP_800-53_R4_SI-3(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "DeprecatedAccountsWithOwnerPermissionsShouldBeRemovedFromYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "JustInTimeNetworkAccessControlShouldBeAppliedOnVirtualMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(12)",
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditUsageOfCustomRBACRules",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2",
          "NIST_SP_800-53_R4_AC-2(7)",
          "NIST_SP_800-53_R4_AC-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "RemoteDebuggingShouldBeTurnedOffForWebApplication",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "123a3936-f020-408a-ba0c-47873faf1534",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/123a3936-f020-408a-ba0c-47873faf1534",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-7",
          "NIST_SP_800-53_R4_CM-7(2)",
          "NIST_SP_800-53_R4_CM-7(5)",
          "NIST_SP_800-53_R4_CM-10",
          "NIST_SP_800-53_R4_CM-11"
        ]
      },
      {
        "policyDefinitionReferenceId": "48af4db5-9b8b-401c-8e74-076be876a430",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-6",
          "NIST_SP_800-53_R4_CP-6(1)",
          "NIST_SP_800-53_R4_CP-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "MfaShouldBeEnabledAccountsWithWritePermissionsOnYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-3",
          "NIST_SP_800-53_R4_IA-2",
          "NIST_SP_800-53_R4_IA-2(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "0da106f2-4ca3-48e8-bc85-c638fe6aea8f",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2",
          "NIST_SP_800-53_R4_AC-3",
          "NIST_SP_800-53_R4_IA-2",
          "NIST_SP_800-53_R4_IA-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_AddSystemIdentityWhenUser",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-3",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_IA-5",
          "NIST_SP_800-53_R4_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "6e2593d9-add6-4083-9c9b-4b7d2188c899",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-4",
          "NIST_SP_800-53_R4_IR-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "VulnerabilitiesInSecurityConfigurationOnYourMachinesShouldBeRemediated",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewMonitorUnprotectedNetworkEndpointsInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "WebApplicationShouldOnlyBeAccessibleOverHttps",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "048248b0-55cd-46da-b1ff-39efd52db260",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "TransparentDataEncryptionOnSqlDatabasesShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "MonitorMissingEndpointProtectionInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-3",
          "NIST_SP_800-53_R4_SI-3(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ExternalAccountsWithOwnerPermissionsShouldBeRemovedFromYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "RemoteDebuggingShouldBeTurnedOffForApiApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "0e6763cc-5078-4e64-889d-ff4d9a839047",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(12)",
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_IR-4",
          "NIST_SP_800-53_R4_IR-5",
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-2",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "358c20a6-3f9e-4f0e-97ff-c6ce485e2aac",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "82339799-d096-41ae-8538-b108becf0970",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-6",
          "NIST_SP_800-53_R4_CP-6(1)",
          "NIST_SP_800-53_R4_CP-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "2b9ad585-36bc-4615-b300-fd4435808332",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2",
          "NIST_SP_800-53_R4_AC-3",
          "NIST_SP_800-53_R4_IA-2",
          "NIST_SP_800-53_R4_IA-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_DeployExtensionWindows",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_IA-5",
          "NIST_SP_800-53_R4_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "0b15565f-aa9e-48ba-8619-45960f2c314d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-4",
          "NIST_SP_800-53_R4_IR-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "VulnerabilitiesOnYourSqlDatabasesShouldBeRemediated",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ApiAppShouldOnlyBeAccessibleOverHttps",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "SystemUpdatesShouldBeInstalledOnYourMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "fc5e4038-4584-4632-8c85-c0448d374b2c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ExternalAccountsWithReadPermissionsShouldBeRemovedFromYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "e71308d3-144b-4262-b144-efdc3cc90517",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "7fe3b40f-802b-4cdd-8bd4-fd799c948cc2",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(12)",
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_IR-4",
          "NIST_SP_800-53_R4_IR-5",
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-2",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "d62cfe2b-3ab0-4d41-980d-76803b58ca65",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d62cfe2b-3ab0-4d41-980d-76803b58ca65",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "0820b7b9-23aa-4725-a1ce-ae4558f718e5",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "c4d441f8-f9d9-4a9e-9cef-e82117cb3eef",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2",
          "NIST_SP_800-53_R4_AC-3",
          "NIST_SP_800-53_R4_IA-2",
          "NIST_SP_800-53_R4_IA-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_DeployExtensionLinux",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-3",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_IA-5",
          "NIST_SP_800-53_R4_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "bd352bd5-2853-4985-bf0d-73806b4a5744",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-5",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ExternalAccountsWithWritePermissionsShouldBeRemovedFromYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "f6de0be7-9a8a-4b8a-b349-43cf02d22f7c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "6581d072-105e-4418-827f-bd446d56421b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6581d072-105e-4418-827f-bd446d56421b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(12)",
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_IR-4",
          "NIST_SP_800-53_R4_IR-5",
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-2",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "a4fe33eb-e377-4efb-ab31-0784311bc499",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "aVulnerabilityAssessmentSolutionShouldBeEnabledOnYourVirtualMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "6fac406b-40ca-413b-bf8e-0bf964659c25",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "bb91dfba-c30d-4263-9add-9c2384e659a6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "308fbb08-4ab8-4e67-9b29-592e93fb94fa",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(12)",
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_IR-4",
          "NIST_SP_800-53_R4_IR-5",
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-2",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "a3a6ea0c-e018-4933-9ef0-5aaa1501449b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "0a15ec92-a229-4763-bb14-0ea34a568f8d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a15ec92-a229-4763-bb14-0ea34a568f8d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "2913021d-f2fd-4f3d-b958-22354e2bdbcb",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcb",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(12)",
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_IR-4",
          "NIST_SP_800-53_R4_IR-5",
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-2",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ae89ebca-1c92-4898-ac2c-9f63decb045c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "0e246bcf-5f6f-4f87-bc6f-775d4712c7ea",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "c25d9a16-bc35-4e15-a7e5-9db606bf9ed4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c25d9a16-bc35-4e15-a7e5-9db606bf9ed4",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(12)",
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_IR-4",
          "NIST_SP_800-53_R4_IR-5",
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-2",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "d26f7642-7545-4e18-9b75-8c9bbdee3a9a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "e8cbc669-f12d-49eb-93e7-9273119e9933",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "d158790f-bfb0-486c-8631-2dc6b4e8e6af",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "83cef61d-dbd1-4b20-a4fc-5fbc7da10833",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "523b5cd1-3e23-492f-a539-13118b6d1e3a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/523b5cd1-3e23-492f-a539-13118b6d1e3a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(12)",
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_IR-4",
          "NIST_SP_800-53_R4_IR-5",
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-2",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "6ba6d016-e7c3-4842-b8f2-4992ebc0d72d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "22730e10-96f6-4aac-ad84-9383d35b5917",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "e802a67a-daf5-4436-9ea6-f6d821dd0c5d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "18adea5e-f416-4d0f-8aa8-d24321e3e274",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "0564d078-92f5-4f97-8398-b9f58a51f70b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0564d078-92f5-4f97-8398-b9f58a51f70b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "842c54e8-c2f9-4d79-ae8d-38d8b8019373",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/842c54e8-c2f9-4d79-ae8d-38d8b8019373",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "1b7aa243-30e4-4c9e-bca8-d0d3022b634a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "0a1302fb-a631-4106-9753-f3d494733990",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a1302fb-a631-4106-9753-f3d494733990",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "8dfab9c4-fe7b-49ad-85e4-1e9be085358f",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8dfab9c4-fe7b-49ad-85e4-1e9be085358f",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(12)",
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "475aae12-b88a-4572-8b36-9b712b2b3a17",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "0049a6b3-a662-4f3e-8635-39cf44ace45a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0049a6b3-a662-4f3e-8635-39cf44ace45a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "f9d614c5-c173-4d56-95a7-b4437057d193",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "7595c971-233d-4bcf-bd18-596129188c49",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7595c971-233d-4bcf-bd18-596129188c49",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "c3d20c29-b36d-48fe-808b-99a87530ad99",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3d20c29-b36d-48fe-808b-99a87530ad99",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(12)",
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_IR-4",
          "NIST_SP_800-53_R4_IR-5",
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-2",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "2f2ee1de-44aa-4762-b6bd-0893fc3f306d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "399b2637-a50f-4f95-96f8-3a145476eb15",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "bdc59948-5574-49b3-bb91-76b7c986428d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bdc59948-5574-49b3-bb91-76b7c986428d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(12)",
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_IR-4",
          "NIST_SP_800-53_R4_IR-5",
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-2",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "04c4380f-3fae-46e8-96c9-30193528f602",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "295fc8b1-dc9f-4f53-9c61-3f313ceab40a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/295fc8b1-dc9f-4f53-9c61-3f313ceab40a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "fb74e86f-d351-4b8d-b034-93da7391c01f",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fb74e86f-d351-4b8d-b034-93da7391c01f",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "e8eef0a8-67cf-4eb4-9386-14b0e78733d4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "fdccbe47-f3e3-4213-ad5d-ea459b2fa077",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "9a1b8c48-453a-4044-86c3-d8bfd823e4f5",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ca610c1d-041c-4332-9d88-7ed3094967c7",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ca610c1d-041c-4332-9d88-7ed3094967c7",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "d9844e8a-1437-4aeb-a32c-0c992f056095",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "9830b652-8523-49cc-b1b3-e17dce1127ca",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9830b652-8523-49cc-b1b3-e17dce1127ca",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "4b90e17e-8448-49db-875e-bd83fb6f804f",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4b90e17e-8448-49db-875e-bd83fb6f804f",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "fb893a29-21bb-418c-a157-e99480ec364c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "a1ad735a-e96f-45d2-a7b2-9a4932cab7ec",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a1ad735a-e96f-45d2-a7b2-9a4932cab7ec",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "7261b898-8a84-4db8-9e04-18527132abb3",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "5bb220d9-2698-4ee4-8404-b9c30c9df609",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "496223c3-ad65-4ecd-878a-bae78737e9ed",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "eaebaea7-8013-4ceb-9d14-7eb32271373c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eaebaea7-8013-4ceb-9d14-7eb32271373c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "0c192fe8-9cbb-4516-85b3-0ade8bd03886",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0c192fe8-9cbb-4516-85b3-0ade8bd03886",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "5f0f936f-2f01-4bf5-b6be-d423792fa562",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "88999f4c-376a-45c8-bcb3-4058f713cf39",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/88999f4c-376a-45c8-bcb3-4058f713cf39",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "6edd7eda-6dd8-40f7-810d-67160c639cd9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "7008174a-fd10-4ef0-817e-fc820a951d73",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "7698e800-9299-47a6-b3b6-5a0fee576eed",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7698e800-9299-47a6-b3b6-5a0fee576eed",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "7238174a-fd10-4ef0-817e-fc820a951d73",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "74c3584d-afae-46f7-a20a-6f8adba71a16",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20a-6f8adba71a16",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "0fda3595-9f2b-4592-8675-4231d6fa82fe",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0fda3595-9f2b-4592-8675-4231d6fa82fe",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "cddd188c-4b82-4c48-a19d-ddf74ee66a01",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cddd188c-4b82-4c48-a19d-ddf74ee66a01",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "051cba44-2429-45b9-9649-46cec11c7119",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "8b0323be-cc25-4b61-935d-002c3798c6ea",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8b0323be-cc25-4b61-935d-002c3798c6ea",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "f39f5f49-4abf-44de-8c70-0756997bfb51",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f39f5f49-4abf-44de-8c70-0756997bfb51",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "58440f8a-10c5-4151-bdce-dfbaad4a20b7",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/58440f8a-10c5-4151-bdce-dfbaad4a20b7",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "7803067c-7d34-46e3-8c79-0ca68fc4036d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7803067c-7d34-46e3-8c79-0ca68fc4036d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "b8564268-eb4a-4337-89be-a19db070c59d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b8564268-eb4a-4337-89be-a19db070c59d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "df39c015-56a4-45de-b4a3-efe77bed320d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/df39c015-56a4-45de-b4a3-efe77bed320d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "1c06e275-d63d-4540-b761-71f364c2111d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c06e275-d63d-4540-b761-71f364c2111d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "1d320205-c6a1-4ac6-873d-46224024e8e2",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1d320205-c6a1-4ac6-873d-46224024e8e2",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "1ee56206-5dd1-42ab-b02d-8aae8b1634ce",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1ee56206-5dd1-42ab-b02d-8aae8b1634ce",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "72d11df1-dd8a-41f7-8925-b05b960ebafc",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/72d11df1-dd8a-41f7-8925-b05b960ebafc",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "bf045164-79ba-4215-8f95-f8048dc1780b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bf045164-79ba-4215-8f95-f8048dc1780b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-6",
          "NIST_SP_800-53_R4_CP-6(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "d38fc420-0735-4ef3-ac11-c806f651a570",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-6",
          "NIST_SP_800-53_R4_CP-6(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "991310cd-e9f3-47bc-b7b6-f57b557d07db",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/991310cd-e9f3-47bc-b7b6-f57b557d07db",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "e2c1c086-2d84-4019-bff3-c44ccd95113c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e2c1c086-2d84-4019-bff3-c44ccd95113c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "8c122334-9d20-4eb8-89ea-ac9a705b74ae",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8c122334-9d20-4eb8-89ea-ac9a705b74ae",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2"
        ]
      }
    ],
    "policyDefinitionGroups": [
      {
        "name": "NIST_SP_800-53_R4_AC-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-1"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-2"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-2(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-2(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-2(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-2(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-2(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-2(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-2(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-2(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-2(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-2(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-2(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-2(7)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-2(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-2(9)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-2(10)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-2(10)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-2(12)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-2(12)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-3"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-4"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-4(21)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-4(21)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-5"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-6"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-6(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-6(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-6(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-6(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-6(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-6(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-6(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-6(9)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-6(10)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-6(10)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-7"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-8"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-10"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-11"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-11(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-11(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-12"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-14",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-14"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-17",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-17"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-17(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-17(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-17(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-17(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-17(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-17(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-17(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-17(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-17(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-17(9)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-18",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-18"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-18(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-18(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-19",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-19"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-19(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-19(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-20",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-20"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-20(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-20(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-20(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-20(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-21",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-21"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-22",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-22"
      },
      {
        "name": "NIST_SP_800-53_R4_AT-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AT-1"
      },
      {
        "name": "NIST_SP_800-53_R4_AT-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AT-2"
      },
      {
        "name": "NIST_SP_800-53_R4_AT-2(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AT-2(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_AT-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AT-3"
      },
      {
        "name": "NIST_SP_800-53_R4_AT-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AT-4"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-1"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-2"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-2(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-2(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-3"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-3(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-3(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-4"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-5"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-6"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-6(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-6(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-6(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-6(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-7"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-7(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-7(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-8"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-8(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-8(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-9"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-9(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-9(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-9(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-9(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-11"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-12"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-1"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-2"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-2(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-2(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-2(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-2(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-2(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-2(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-3"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-3(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-3(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-3(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-3(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-5"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-6"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-7"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-7(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-7(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-8"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-8(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-8(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-9"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-1"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-2"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-2(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-2(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-2(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-2(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-2(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-2(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-2(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-2(7)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-3"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-4"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-5"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-5(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-5(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-5(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-5(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-5(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-5(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-6"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-6(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-6(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-7"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-7(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-7(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-7(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-7(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-7(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-7(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-8"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-8(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-8(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-8(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-8(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-8(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-8(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-9"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-10"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-10(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-10(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-11"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-1"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-2"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-2(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-2(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-2(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-2(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-2(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-2(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-2(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-2(8)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-3"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-4"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-4(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-4(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-6"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-6(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-6(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-6(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-6(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-7"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-7(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-7(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-7(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-7(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-7(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-7(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-8"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-8(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-8(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-8(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-8(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-9"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-9(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-9(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-9(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-9(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-10"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-10(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-10(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-1"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-2"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-2(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-2(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-2(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-2(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-2(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-2(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-2(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-2(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-2(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-2(8)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-2(11)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-2(11)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-2(12)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-2(12)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-3"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-4"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-4(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-4(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-5"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-5(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-5(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-5(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-5(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-5(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-5(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-5(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-5(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-5(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-5(6)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-5(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-5(7)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-5(11)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-5(11)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-6"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-7"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-8"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-8(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-8(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-8(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-8(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-8(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-8(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-8(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-8(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-1"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-2"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-3"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-3(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-3(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-4"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-4(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-4(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-5"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-6"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-6(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-6(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-7"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-7(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-7(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-7(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-7(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-8"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-9"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-9(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-9(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-9(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-9(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-9(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-9(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-9(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-9(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-1"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-2"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-3"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-3(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-3(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-3(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-3(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-3(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-3(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-4"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-4(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-4(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-5"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-5(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-5(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-6"
      },
      {
        "name": "NIST_SP_800-53_R4_MP-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MP-1"
      },
      {
        "name": "NIST_SP_800-53_R4_MP-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MP-2"
      },
      {
        "name": "NIST_SP_800-53_R4_MP-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MP-3"
      },
      {
        "name": "NIST_SP_800-53_R4_MP-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MP-4"
      },
      {
        "name": "NIST_SP_800-53_R4_MP-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MP-5"
      },
      {
        "name": "NIST_SP_800-53_R4_MP-5(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MP-5(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_MP-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MP-6"
      },
      {
        "name": "NIST_SP_800-53_R4_MP-6(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MP-6(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_MP-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MP-7"
      },
      {
        "name": "NIST_SP_800-53_R4_MP-7(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MP-7(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-1"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-2"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-3"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-4"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-5"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-6"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-6(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-6(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-8"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-9"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-10"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-11"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-12"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-13",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-13"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-13(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-13(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-13(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-13(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-14",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-14"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-14(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-14(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-15",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-15"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-16",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-16"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-17",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-17"
      },
      {
        "name": "NIST_SP_800-53_R4_PL-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PL-1"
      },
      {
        "name": "NIST_SP_800-53_R4_PL-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PL-2"
      },
      {
        "name": "NIST_SP_800-53_R4_PL-2(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PL-2(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_PL-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PL-4"
      },
      {
        "name": "NIST_SP_800-53_R4_PL-4(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PL-4(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_PL-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PL-8"
      },
      {
        "name": "NIST_SP_800-53_R4_PS-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PS-1"
      },
      {
        "name": "NIST_SP_800-53_R4_PS-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PS-2"
      },
      {
        "name": "NIST_SP_800-53_R4_PS-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PS-3"
      },
      {
        "name": "NIST_SP_800-53_R4_PS-3(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PS-3(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_PS-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PS-4"
      },
      {
        "name": "NIST_SP_800-53_R4_PS-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PS-5"
      },
      {
        "name": "NIST_SP_800-53_R4_PS-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PS-6"
      },
      {
        "name": "NIST_SP_800-53_R4_PS-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PS-7"
      },
      {
        "name": "NIST_SP_800-53_R4_PS-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PS-8"
      },
      {
        "name": "NIST_SP_800-53_R4_RA-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_RA-1"
      },
      {
        "name": "NIST_SP_800-53_R4_RA-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_RA-2"
      },
      {
        "name": "NIST_SP_800-53_R4_RA-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_RA-3"
      },
      {
        "name": "NIST_SP_800-53_R4_RA-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_RA-5"
      },
      {
        "name": "NIST_SP_800-53_R4_RA-5(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_RA-5(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_RA-5(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_RA-5(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_RA-5(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_RA-5(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_RA-5(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_RA-5(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_RA-5(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_RA-5(6)"
      },
      {
        "name": "NIST_SP_800-53_R4_RA-5(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_RA-5(8)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-1"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-2"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-3"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-4"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-4(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-4(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-4(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-4(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-4(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-4(8)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-4(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-4(9)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-4(10)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-4(10)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-5"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-8"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-9"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-9(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-9(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-9(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-9(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-9(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-9(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-9(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-9(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-10"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-10(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-10(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-11"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-11(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-11(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-11(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-11(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-11(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-11(8)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-1"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-2"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-4"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-5"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-6"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-7"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-7(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-7(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-7(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-7(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-7(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-7(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-7(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-7(7)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-7(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-7(8)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-7(12)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-7(12)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-7(13)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-7(13)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-7(18)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-7(18)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-8"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-8(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-8(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-10"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-12"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-12(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-12(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-12(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-12(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-13",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-13"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-15",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-15"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-17",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-17"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-18",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-18"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-19",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-19"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-20",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-20"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-21",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-21"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-22",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-22"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-23",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-23"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-28",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-28"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-28(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-28(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-39",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-39"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-1"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-2"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-2(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-2(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-2(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-2(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-3"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-3(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-3(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-3(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-3(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-3(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-3(7)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-4"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-4(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-4(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-4(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-4(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-4(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-4(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-4(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-4(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-4(14)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-4(14)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-4(16)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-4(16)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-4(23)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-4(23)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-5"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-6"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-7"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-7(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-7(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-7(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-7(7)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-8"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-8(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-8(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-8(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-8(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-10"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-11"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-12"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-16",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-16"
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/e95f5a9f-57ad-4d03-bb0b-b1d16db93693",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "e95f5a9f-57ad-4d03-bb0b-b1d16db93693"
}
BuiltIn Regulatory Compliance False False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "Flow logs should be configured and enabled for every network security group",
    "policyType": "BuiltIn",
    "description": "Audit for network security groups to verify if flow logs are configured and if flow log status is enabled. Enabling flow logs allows to log information about IP traffic flowing through network security group. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more.",
    "metadata": {
      "version": "1.0.0",
      "category": "Network"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "NetworkSecurityGroup_FlowLog_Audit",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c251913d-7d24-4958-af87-478ed3b9ba41",
        "parameters": {
          "effect": {
            "value": "[parameters('effect')]"
          }
        },
        "groupNames": []
      },
      {
        "policyDefinitionReferenceId": "NetworkWatcherFlowLog_Enabled_Audit",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/27960feb-a23c-4577-8d36-ef8b5f35e0be",
        "parameters": {
          "effect": {
            "value": "[parameters('effect')]"
          }
        },
        "groupNames": []
      }
    ],
    "policyDefinitionGroups": []
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/62329546-775b-4a3d-a4cb-eb4bb990d2c0",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "62329546-775b-4a3d-a4cb-eb4bb990d2c0"
}
BuiltIn Network False False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "HITRUST/HIPAA",
    "policyType": "BuiltIn",
    "description": "This initiative includes audit and virtual machine extension deployment policies that address a subset of HITRUST/HIPAA controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/hipaa-blueprint.",
    "metadata": {
      "version": "6.0.1",
      "category": "Regulatory Compliance"
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers for Guest Configuration policies",
          "description": "Optionally choose to audit settings inside Arc connected servers using Guest Configuration policies. By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "installedApplicationsOnWindowsVM": {
        "type": "String",
        "metadata": {
          "displayName": "Application names (supports wildcards)",
          "description": "A semicolon-separated list of the names of the applications that should be installed. e.g. 'Microsoft SQL Server 2014 (64-bit); Microsoft Visual Studio Code' or 'Microsoft SQL Server 2014*' (to match any application starting with 'Microsoft SQL Server 2014')"
        }
      },
      "DeployDiagnosticSettingsforNetworkSecurityGroupsstoragePrefix": {
        "type": "String",
        "metadata": {
          "displayName": "Storage Account Prefix for Regional Storage Account to deploy diagnostic settings for Network Security Groups",
          "description": "This prefix will be combined with the network security group location to form the created storage account name."
        }
      },
      "DeployDiagnosticSettingsforNetworkSecurityGroupsrgName": {
        "type": "String",
        "metadata": {
          "displayName": "Resource Group Name for Storage Account (must exist) to deploy diagnostic settings for Network Security Groups",
          "description": "The resource group that the storage account will be created in. This resource group must already exist.",
          "strongType": "ExistingResourceGroups"
        }
      },
      "CertificateThumbprints": {
        "type": "String",
        "metadata": {
          "displayName": "Certificate thumbprints",
          "description": "A semicolon-separated list of certificate thumbprints that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"
        }
      },
      "membersToExclude": {
        "type": "String",
        "metadata": {
          "displayName": "List of users excluded from Windows VM Administrators group",
          "description": "A semicolon-separated list of members that should be excluded in the Administrators local group. Ex: Administrator; myUser1; myUser2"
        },
        "defaultValue": ""
      },
      "workspaceId": {
        "type": "String",
        "metadata": {
          "displayName": "List of workspace IDs where Log Analytics agents should connect",
          "description": "A semicolon-separated list of the workspace IDs that the Log Analytics agent should be connected to"
        },
        "defaultValue": ""
      },
      "listOfResourceTypes": {
        "type": "Array",
        "metadata": {
          "displayName": "List of resource types that should have resource logs enabled",
          "description": "Audit diagnostic setting for selected resource types"
        },
        "allowedValues": [
          "Microsoft.AnalysisServices/servers",
          "Microsoft.ApiManagement/service",
          "Microsoft.Network/applicationGateways",
          "Microsoft.Automation/automationAccounts",
          "Microsoft.ContainerInstance/containerGroups",
          "Microsoft.ContainerRegistry/registries",
          "Microsoft.ContainerService/managedClusters",
          "Microsoft.Batch/batchAccounts",
          "Microsoft.Cdn/profiles/endpoints",
          "Microsoft.CognitiveServices/accounts",
          "Microsoft.DocumentDB/databaseAccounts",
          "Microsoft.DataFactory/factories",
          "Microsoft.DataLakeAnalytics/accounts",
          "Microsoft.DataLakeStore/accounts",
          "Microsoft.EventGrid/eventSubscriptions",
          "Microsoft.EventGrid/topics",
          "Microsoft.EventHub/namespaces",
          "Microsoft.Network/expressRouteCircuits",
          "Microsoft.Network/azureFirewalls",
          "Microsoft.HDInsight/clusters",
          "Microsoft.Devices/IotHubs",
          "Microsoft.KeyVault/vaults",
          "Microsoft.Network/loadBalancers",
          "Microsoft.Logic/integrationAccounts",
          "Microsoft.Logic/workflows",
          "Microsoft.DBforMySQL/servers",
          "Microsoft.Network/networkInterfaces",
          "Microsoft.Network/networkSecurityGroups",
          "Microsoft.DBforPostgreSQL/servers",
          "Microsoft.PowerBIDedicated/capacities",
          "Microsoft.Network/publicIPAddresses",
          "Microsoft.RecoveryServices/vaults",
          "Microsoft.Cache/redis",
          "Microsoft.Relay/namespaces",
          "Microsoft.Search/searchServices",
          "Microsoft.ServiceBus/namespaces",
          "Microsoft.SignalRService/SignalR",
          "Microsoft.Sql/servers/databases",
          "Microsoft.Sql/servers/elasticPools",
          "Microsoft.StreamAnalytics/streamingjobs",
          "Microsoft.TimeSeriesInsights/environments",
          "Microsoft.Network/trafficManagerProfiles",
          "Microsoft.Compute/virtualMachines",
          "Microsoft.Compute/virtualMachineScaleSets",
          "Microsoft.Network/virtualNetworks",
          "Microsoft.Network/virtualNetworkGateways"
        ],
        "defaultValue": [
          "Microsoft.AnalysisServices/servers",
          "Microsoft.ApiManagement/service",
          "Microsoft.Network/applicationGateways",
          "Microsoft.Automation/automationAccounts",
          "Microsoft.ContainerInstance/containerGroups",
          "Microsoft.ContainerRegistry/registries",
          "Microsoft.ContainerService/managedClusters",
          "Microsoft.Batch/batchAccounts",
          "Microsoft.Cdn/profiles/endpoints",
          "Microsoft.CognitiveServices/accounts",
          "Microsoft.DocumentDB/databaseAccounts",
          "Microsoft.DataFactory/factories",
          "Microsoft.DataLakeAnalytics/accounts",
          "Microsoft.DataLakeStore/accounts",
          "Microsoft.EventGrid/eventSubscriptions",
          "Microsoft.EventGrid/topics",
          "Microsoft.EventHub/namespaces",
          "Microsoft.Network/expressRouteCircuits",
          "Microsoft.Network/azureFirewalls",
          "Microsoft.HDInsight/clusters",
          "Microsoft.Devices/IotHubs",
          "Microsoft.KeyVault/vaults",
          "Microsoft.Network/loadBalancers",
          "Microsoft.Logic/integrationAccounts",
          "Microsoft.Logic/workflows",
          "Microsoft.DBforMySQL/servers",
          "Microsoft.Network/networkInterfaces",
          "Microsoft.Network/networkSecurityGroups",
          "Microsoft.DBforPostgreSQL/servers",
          "Microsoft.PowerBIDedicated/capacities",
          "Microsoft.Network/publicIPAddresses",
          "Microsoft.RecoveryServices/vaults",
          "Microsoft.Cache/redis",
          "Microsoft.Relay/namespaces",
          "Microsoft.Search/searchServices",
          "Microsoft.ServiceBus/namespaces",
          "Microsoft.SignalRService/SignalR",
          "Microsoft.Sql/servers/databases",
          "Microsoft.Sql/servers/elasticPools",
          "Microsoft.StreamAnalytics/streamingjobs",
          "Microsoft.TimeSeriesInsights/environments",
          "Microsoft.Network/trafficManagerProfiles",
          "Microsoft.Compute/virtualMachines",
          "Microsoft.Compute/virtualMachineScaleSets",
          "Microsoft.Network/virtualNetworks",
          "Microsoft.Network/virtualNetworkGateways"
        ]
      },
      "membersToInclude": {
        "type": "String",
        "metadata": {
          "displayName": "List of users that must be included in Windows VM Administrators group",
          "description": "A semicolon-separated list of members that should be included in the Administrators local group. Ex: Administrator; myUser1; myUser2"
        },
        "defaultValue": ""
      },
      "listOfLocations": {
        "type": "Array",
        "metadata": {
          "displayName": "[Deprecated]: List of regions where Network Watcher should be enabled",
          "description": "To see a complete list of regions use Get-AzLocation",
          "strongType": "location",
          "deprecated": true
        },
        "defaultValue": []
      },
      "NetworkWatcherResourceGroupName": {
        "type": "String",
        "metadata": {
          "displayName": "NetworkWatcher resource group name",
          "description": "Name of the resource group of NetworkWatcher, such as NetworkWatcherRG"
        },
        "defaultValue": "NetworkWatcherRG"
      },
      "members": {
        "type": "String",
        "metadata": {
          "displayName": "List of users that Windows VM Administrators group must *only* include",
          "description": "A semicolon-separated list of all the expected members of the Administrators local group. Ex: Administrator; myUser1; myUser2"
        },
        "defaultValue": ""
      },
      "operationName": {
        "type": "String",
        "metadata": {
          "displayName": "Operation Name",
          "description": "Administrative Operation name for which activity log alert should be configured"
        },
        "allowedValues": [
          "Microsoft.Sql/servers/firewallRules/write",
          "Microsoft.Sql/servers/firewallRules/delete",
          "Microsoft.Network/networkSecurityGroups/write",
          "Microsoft.Network/networkSecurityGroups/delete",
          "Microsoft.ClassicNetwork/networkSecurityGroups/write",
          "Microsoft.ClassicNetwork/networkSecurityGroups/delete",
          "Microsoft.Network/networkSecurityGroups/securityRules/write",
          "Microsoft.Network/networkSecurityGroups/securityRules/delete",
          "Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/write",
          "Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/delete"
        ],
        "defaultValue": "Microsoft.Sql/servers/firewallRules/write"
      },
      "virtualNetworkId": {
        "type": "String",
        "metadata": {
          "displayName": "Virtual network where VMs should be connected",
          "description": "Resource Id of the virtual network. Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroupName/providers/Microsoft.Network/virtualNetworks/Name"
        },
        "defaultValue": ""
      },
      "diagnosticsLogsInBatchAccountMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Resource logs in Batch accounts should be enabled",
          "description": "Enable or disable the monitoring of resource logs in Batch accounts"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "diagnosticsLogsInBatchAccountRetentionDays": {
        "type": "String",
        "metadata": {
          "displayName": "Required retention (in days) for logs in Batch accounts",
          "description": "The required resource logs retention period in days"
        },
        "defaultValue": "365"
      },
      "ensureManagedInstanceTDEIsEncryptedWithYourOwnKeyMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "SQL Managed Instance TDE protector should be encrypted with your own key",
          "description": "Enable or disable the monitoring of Transparent Data Encryption (TDE) with your own key support. TDE with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "diskEncryptionMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources",
          "description": "Enable or disable the monitoring for VM disk encryption"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "diagnosticsLogsInSearchServiceMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Resource logs in Search services should be enabled",
          "description": "Enable or disable the monitoring of resource logs in Azure Search service"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "diagnosticsLogsInSearchServiceRetentionDays": {
        "type": "String",
        "metadata": {
          "displayName": "Required retention (in days) of logs in Azure Search service",
          "description": "The required resource logs retention period in days"
        },
        "defaultValue": "365"
      },
      "vulnerabilityAssessmentOnManagedInstanceMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Vulnerability assessment should be enabled on SQL Managed Instance",
          "description": "Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "vulnerabilityAssesmentMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Vulnerabilities should be remediated by a Vulnerability Assessment solution",
          "description": "Enable or disable the detection of VM vulnerabilities by a vulnerability assessment solution",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "EnableInsecureGuestLogons": {
        "type": "String",
        "metadata": {
          "displayName": "Enable insecure guest logons",
          "description": "Specifies whether the SMB client will allow insecure guest logons to an SMB server."
        },
        "defaultValue": "0"
      },
      "AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain": {
        "type": "String",
        "metadata": {
          "displayName": "Allow simultaneous connections to the Internet or a Windows Domain",
          "description": "Specify whether to prevent computers from connecting to both a domain based network and a non-domain based network at the same time. A value of 0 allows simultaneous connections, and a value of 1 blocks them."
        },
        "defaultValue": "1"
      },
      "TurnOffMulticastNameResolution": {
        "type": "String",
        "metadata": {
          "displayName": "Turn off multicast name resolution",
          "description": "Specifies whether LLMNR, a secondary name resolution protocol that transmits using multicast over a local subnet link on a single subnet, is enabled."
        },
        "defaultValue": "1"
      },
      "nextGenerationFirewallMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Access through Internet facing endpoint should be restricted",
          "description": "Enable or disable overly permissive inbound NSG rules monitoring"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "ensureServerTDEIsEncryptedWithYourOwnKeyMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "SQL server TDE protector should be encrypted with your own key",
          "description": "Enable or disable the monitoring of Transparent Data Encryption (TDE) with your own key support. TDE with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "apiAppDisableRemoteDebuggingMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Remote debugging should be turned off for API App",
          "description": "Enable or disable the monitoring of remote debugging for API App"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "classicComputeVMsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Virtual machines should be migrated to new Azure Resource Manager resources",
          "description": "Enable or disable the monitoring of classic compute VMs"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "disableUnrestrictedNetworkToStorageAccountMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Audit unrestricted network access to storage accounts",
          "description": "Enable or disable the monitoring of network access to storage account"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "adaptiveApplicationControlsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Adaptive Application Controls should be enabled on virtual machines",
          "description": "Enable or disable the monitoring of defining safe applications in Azure Security Center"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "NetworkAccessRemotelyAccessibleRegistryPaths": {
        "type": "String",
        "metadata": {
          "displayName": "Network access: Remotely accessible registry paths",
          "description": "Specifies which registry paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the `winreg` registry key."
        },
        "defaultValue": "System\\CurrentControlSet\\Control\\ProductOptions|#|System\\CurrentControlSet\\Control\\Server Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"
      },
      "NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths": {
        "type": "String",
        "metadata": {
          "displayName": "Network access: Remotely accessible registry paths and sub-paths",
          "description": "Specifies which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the `winreg` registry key."
        },
        "defaultValue": "System\\CurrentControlSet\\Control\\Print\\Printers|#|System\\CurrentControlSet\\Services\\Eventlog|#|Software\\Microsoft\\OLAP Server|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|#|System\\CurrentControlSet\\Control\\ContentIndex|#|System\\CurrentControlSet\\Control\\Terminal Server|#|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|#|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"
      },
      "NetworkAccessSharesThatCanBeAccessedAnonymously": {
        "type": "String",
        "metadata": {
          "displayName": "Network access: Shares that can be accessed anonymously",
          "description": "Specifies which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server."
        },
        "defaultValue": "0"
      },
      "webAppDisableRemoteDebuggingMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Remote debugging should be turned off for Web Application",
          "description": "Enable or disable the monitoring of remote debugging for Web App"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "apiAppEnforceHttpsMonitoringEffectV2": {
        "type": "String",
        "metadata": {
          "displayName": "API App should only be accessible over HTTPS V2",
          "description": "Enable or disable the monitoring of the use of HTTPS in API App V2"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "identityEnableMFAForWritePermissionsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "MFA should be enabled accounts with write permissions on your subscription",
          "description": "Enable or disable the monitoring of MFA for accounts with write permissions in subscription"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "jitNetworkAccessMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Just-In-Time network access control should be applied on virtual machines",
          "description": "Enable or disable the monitoring of network just In time access"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityEnableMFAForOwnerPermissionsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "MFA should be enabled on accounts with owner permissions on your subscription",
          "description": "Enable or disable the monitoring of MFA for accounts with owner permissions in subscription"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "kubernetesServiceRbacEnabledMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Role-Based Access Control (RBAC) should be used on Kubernetes Services",
          "description": "Enable or disable the monitoring of Kubernetes Services without RBAC enabled"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "restrictAccessToManagementPortsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Management ports should be closed on your virtual machines",
          "description": "Enable or disable the monitoring of open management ports on Virtual Machines"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "vmssOsVulnerabilitiesMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Vulnerabilities in security configuration on your virtual machine scale sets should be remediated",
          "description": "Enable or disable virtual machine scale sets OS vulnerabilities monitoring"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "diagnosticsLogsInEventHubMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Resource logs in Event Hub should be enabled",
          "description": "Enable or disable the monitoring of resource logs in Event Hub accounts"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "diagnosticsLogsInEventHubRetentionDays": {
        "type": "String",
        "metadata": {
          "displayName": "Required retention (in days) of logs in Event Hub accounts",
          "description": "The required resource logs retention period in days"
        },
        "defaultValue": "365"
      },
      "vmssSystemUpdatesMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "System updates on virtual machine scale sets should be installed",
          "description": "Enable or disable virtual machine scale sets reporting of system updates"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "diagnosticsLogsInServiceFabricMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Resource logs in Virtual Machine Scale Sets should be enabled",
          "description": "Enable or disable the monitoring of resource logs in Service Fabric"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "systemUpdatesMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "System updates should be installed on your machines",
          "description": "Enable or disable reporting of system updates"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "DeployAzureBaselineSecurityOptionsAccountsAccountsGuestAccountStatus": {
        "type": "String",
        "metadata": {
          "displayName": "Accounts: Guest account status",
          "description": "Specifies whether the local Guest account is disabled."
        },
        "defaultValue": "0"
      },
      "RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders": {
        "type": "String",
        "metadata": {
          "displayName": "Recovery console: Allow floppy copy and access to all drives and all folders",
          "description": "Specifies whether to make the Recovery Console SET command available, which allows setting of recovery console environment variables."
        },
        "defaultValue": "0"
      },
      "AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits": {
        "type": "String",
        "metadata": {
          "displayName": "Audit: Shut down system immediately if unable to log security audits",
          "description": "Audits if the system will shut down when unable to log Security events."
        },
        "defaultValue": "0"
      },
      "DeployAzureBaselineSystemAuditPoliciesDetailedTrackingAuditProcessTermination": {
        "type": "String",
        "metadata": {
          "displayName": "Audit Process Termination",
          "description": "Specifies whether audit events are generated when a process has exited. Recommended for monitoring termination of critical processes."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "No Auditing"
      },
      "WindowsFirewallDomainUseProfileSettings": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Domain): Use profile settings",
          "description": "Specifies whether Windows Firewall with Advanced Security uses the settings for the Domain profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallDomainBehaviorForOutboundConnections": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Domain): Behavior for outbound connections",
          "description": "Specifies the behavior for outbound connections for the Domain profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, and a value of 1 means to block connections."
        },
        "defaultValue": "0"
      },
      "WindowsFirewallDomainApplyLocalConnectionSecurityRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Domain): Apply local connection security rules",
          "description": "Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy for the Domain profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallDomainApplyLocalFirewallRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Domain): Apply local firewall rules",
          "description": "Specifies whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy for the Domain profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallDomainDisplayNotifications": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Domain): Display notifications",
          "description": "Specifies whether Windows Firewall with Advanced Security displays notifications to the user when a program is blocked from receiving inbound connections, for the Domain profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPrivateUseProfileSettings": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Private): Use profile settings",
          "description": "Specifies whether Windows Firewall with Advanced Security uses the settings for the Private profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPrivateBehaviorForOutboundConnections": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Private): Behavior for outbound connections",
          "description": "Specifies the behavior for outbound connections for the Private profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, and a value of 1 means to block connections."
        },
        "defaultValue": "0"
      },
      "WindowsFirewallPrivateApplyLocalConnectionSecurityRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Private): Apply local connection security rules",
          "description": "Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy for the Private profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPrivateApplyLocalFirewallRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Private): Apply local firewall rules",
          "description": "Specifies whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy for the Private profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPrivateDisplayNotifications": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Private): Display notifications",
          "description": "Specifies whether Windows Firewall with Advanced Security displays notifications to the user when a program is blocked from receiving inbound connections, for the Private profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPublicUseProfileSettings": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Public): Use profile settings",
          "description": "Specifies whether Windows Firewall with Advanced Security uses the settings for the Public profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPublicBehaviorForOutboundConnections": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Public): Behavior for outbound connections",
          "description": "Specifies the behavior for outbound connections for the Public profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, and a value of 1 means to block connections."
        },
        "defaultValue": "0"
      },
      "WindowsFirewallPublicApplyLocalConnectionSecurityRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Public): Apply local connection security rules",
          "description": "Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy for the Public profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPublicApplyLocalFirewallRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Public): Apply local firewall rules",
          "description": "Specifies whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy for the Public profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPublicDisplayNotifications": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Public): Display notifications",
          "description": "Specifies whether Windows Firewall with Advanced Security displays notifications to the user when a program is blocked from receiving inbound connections, for the Public profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallDomainAllowUnicastResponse": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall: Domain: Allow unicast response",
          "description": "Specifies whether Windows Firewall with Advanced Security permits the local computer to receive unicast responses to its outgoing multicast or broadcast messages; for the Domain profile."
        },
        "defaultValue": "0"
      },
      "WindowsFirewallPrivateAllowUnicastResponse": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall: Private: Allow unicast response",
          "description": "Specifies whether Windows Firewall with Advanced Security permits the local computer to receive unicast responses to its outgoing multicast or broadcast messages; for the Private profile."
        },
        "defaultValue": "0"
      },
      "WindowsFirewallPublicAllowUnicastResponse": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall: Public: Allow unicast response",
          "description": "Specifies whether Windows Firewall with Advanced Security permits the local computer to receive unicast responses to its outgoing multicast or broadcast messages; for the Public profile."
        },
        "defaultValue": "1"
      },
      "requiredRetentionDays": {
        "type": "String",
        "metadata": {
          "displayName": "Required retention period (days) for resource logs"
        },
        "defaultValue": "365"
      },
      "diagnosticsLogsInRedisCacheMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: [Only secure connections to your Redis Cache should be enabled]",
          "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "secureTransferToStorageAccountMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: [Secure transfer to storage accounts should be enabled]",
          "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "usersOrGroupsThatMayAccessThisComputerFromTheNetwork": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may access this computer from the network",
          "description": "Specifies which remote users on the network are permitted to connect to the computer. This does not include Remote Desktop Connection."
        },
        "defaultValue": "Administrators, Authenticated Users"
      },
      "usersOrGroupsThatMayLogOnLocally": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may log on locally",
          "description": "Specifies which users or groups can interactively log on to the computer. Users who attempt to log on via Remote Desktop Connection or IIS also require this user right."
        },
        "defaultValue": "Administrators"
      },
      "usersOrGroupsThatMayLogOnThroughRemoteDesktopServices": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may log on through Remote Desktop Services",
          "description": "Specifies which users or groups are permitted to log on as a Terminal Services client, Remote Desktop, or for Remote Assistance."
        },
        "defaultValue": "Administrators, Remote Desktop Users"
      },
      "usersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that are denied access from the network",
          "description": "Specifies which users or groups are explicitly prohibited from connecting across the network."
        },
        "defaultValue": "Guests"
      },
      "usersOrGroupsThatMayManageAuditingAndSecurityLog": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may manage auditing and security log",
          "description": "Specifies users and groups permitted to change the auditing options for files and directories and clear the Security log."
        },
        "defaultValue": "Administrators"
      },
      "usersOrGroupsThatMayBackUpFilesAndDirectories": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may back up files and directories",
          "description": "Specifies users and groups allowed to circumvent file and directory permissions to back up the system."
        },
        "defaultValue": "Administrators, Backup Operators"
      },
      "usersOrGroupsThatMayChangeTheSystemTime": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may change the system time",
          "description": "Specifies which users and groups are permitted to change the time and date on the internal clock of the computer."
        },
        "defaultValue": "Administrators, LOCAL SERVICE"
      },
      "usersOrGroupsThatMayChangeTheTimeZone": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may change the time zone",
          "description": "Specifies which users and groups are permitted to change the time zone of the computer."
        },
        "defaultValue": "Administrators, LOCAL SERVICE"
      },
      "usersOrGroupsThatMayCreateATokenObject": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may create a token object",
          "description": "Specifies which users and groups are permitted to create an access token, which may provide elevated rights to access sensitive data."
        },
        "defaultValue": "No One"
      },
      "usersAndGroupsThatAreDeniedLoggingOnAsABatchJob": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that are denied logging on as a batch job",
          "description": "Specifies which users and groups are explicitly not permitted to log on to the computer as a batch job (i.e. scheduled task)."
        },
        "defaultValue": "Guests"
      },
      "usersAndGroupsThatAreDeniedLoggingOnAsAService": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that are denied logging on as a service",
          "description": "Specifies which service accounts are explicitly not permitted to register a process as a service."
        },
        "defaultValue": "Guests"
      },
      "usersAndGroupsThatAreDeniedLocalLogon": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that are denied local logon",
          "description": "Specifies which users and groups are explicitly not permitted to log on to the computer."
        },
        "defaultValue": "Guests"
      },
      "usersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that are denied log on through Remote Desktop Services",
          "description": "Specifies which users and groups are explicitly not permitted to log on to the computer via Terminal Services/Remote Desktop Client."
        },
        "defaultValue": "Guests"
      },
      "userAndGroupsThatMayForceShutdownFromARemoteSystem": {
        "type": "String",
        "metadata": {
          "displayName": "User and groups that may force shutdown from a remote system",
          "description": "Specifies which users and groups are permitted to shut down the computer from a remote location on the network."
        },
        "defaultValue": "Administrators"
      },
      "usersAndGroupsThatMayRestoreFilesAndDirectories": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that may restore files and directories",
          "description": "Specifies which users and groups are permitted to bypass file, directory, registry, and other persistent object permissions when restoring backed up files and directories."
        },
        "defaultValue": "Administrators, Backup Operators"
      },
      "usersAndGroupsThatMayShutDownTheSystem": {
        "type": "String",
        "metadata": {
          "displayName": "Users and groups that may shut down the system",
          "description": "Specifies which users and groups who are logged on locally to the computers in your environment are permitted to shut down the operating system with the Shut Down command."
        },
        "defaultValue": "Administrators"
      },
      "usersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects": {
        "type": "String",
        "metadata": {
          "displayName": "Users or groups that may take ownership of files or other objects",
          "description": "Specifies which users and groups are permitted to take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions that are in place to protect objects to give ownership to the specified user."
        },
        "defaultValue": "Administrators"
      },
      "virtualMachinesShouldBeConnectedToAnApprovedVirtualNetworkEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: [Virtual machines should be connected to an approved virtual network]",
          "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "uacAdminApprovalModeForTheBuiltinAdministratorAccount": {
        "type": "String",
        "metadata": {
          "displayName": "UAC: Admin Approval Mode for the Built-in Administrator account",
          "description": "Specifies the behavior of Admin Approval Mode for the built-in Administrator account."
        },
        "defaultValue": "1"
      },
      "uacBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode": {
        "type": "String",
        "metadata": {
          "displayName": "UAC: Behavior of the elevation prompt for administrators in Admin Approval Mode",
          "description": "Specifies the behavior of the elevation prompt for administrators."
        },
        "defaultValue": "2"
      },
      "uacDetectApplicationInstallationsAndPromptForElevation": {
        "type": "String",
        "metadata": {
          "displayName": "UAC: Detect application installations and prompt for elevation",
          "description": "Specifies the behavior of application installation detection for the computer."
        },
        "defaultValue": "1"
      },
      "uacRunAllAdministratorsInAdminApprovalMode": {
        "type": "String",
        "metadata": {
          "displayName": "UAC: Run all administrators in Admin Approval Mode",
          "description": "Specifies the behavior of all User Account Control (UAC) policy settings for the computer."
        },
        "defaultValue": "1"
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "DeploydefaultMicrosoftIaaSAntimalwareextensionforWindowsServer",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2835b622-407b-4114-9198-6f7064cbe0dc",
        "parameters": {},
        "groupNames": [
          "hipaa-0201.09j1Organizational.124-09.j"
        ]
      },
      {
        "policyDefinitionReferenceId": "diagnosticsLogsInBatchAccountMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d",
        "parameters": {
          "effect": {
            "value": "[parameters('diagnosticsLogsInBatchAccountMonitoringEffect')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('diagnosticsLogsInBatchAccountRetentionDays')]"
          }
        },
        "groupNames": [
          "hipaa-1205.09aa2System.1-09.aa"
        ]
      },
      {
        "policyDefinitionReferenceId": "systemUpdatesMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
        "parameters": {
          "effect": {
            "value": "[parameters('systemUpdatesMonitoringEffect')]"
          }
        },
        "groupNames": [
          "hipaa-0201.09j1Organizational.124-09.j"
        ]
      },
      {
        "policyDefinitionReferenceId": "RequireencryptiononDataLakeStoreaccounts",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a7ff3161-0087-490a-9ad9-ad6217f4f43a",
        "parameters": {},
        "groupNames": [
          "hipaa-0304.09o3Organizational.1-09.o"
        ]
      },
      {
        "policyDefinitionReferenceId": "ensureManagedInstanceTDEIsEncryptedWithYourOwnKeyMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260",
        "parameters": {
          "effect": {
            "value": "[parameters('ensureManagedInstanceTDEIsEncryptedWithYourOwnKeyMonitoringEffect')]"
          }
        },
        "groupNames": [
          "hipaa-0304.09o3Organizational.1-09.o"
        ]
      },
      {
        "policyDefinitionReferenceId": "diskEncryptionMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d",
        "parameters": {
          "effect": {
            "value": "[parameters('diskEncryptionMonitoringEffect')]"
          }
        },
        "groupNames": [
          "hipaa-0302.09o2Organizational.1-09.o"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditSQLTransparentDataEncryptionStatus",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12",
        "parameters": {},
        "groupNames": [
          "hipaa-0301.09o1Organizational.123-09.o"
        ]
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_AddSystemIdentityWhenNone",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e"
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_AddSystemIdentityWhenUser",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6"
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_DeployExtensionWindows",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6"
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_DeployExtensionLinux",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da"
      },
      {
        "policyDefinitionReferenceId": "InstalledApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ebb67efd-3c46-49b0-adfe-5599eb944998",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "installedApplication": {
            "value": "[parameters('installedApplicationsOnWindowsVM')]"
          }
        },
        "groupNames": []
      },
      {
        "policyDefinitionReferenceId": "AzureBaseline_SecurityOptionsAudit",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/33936777-f2ac-45aa-82ec-07958ec9ade4",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits": {
            "value": "[parameters('AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits')]"
          }
        },
        "groupNames": [
          "hipaa-0605.10h1System.12-10.h"
        ]
      },
      {
        "policyDefinitionReferenceId": "AzureBaseline_SystemAuditPoliciesAccountManagement",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/94d9aca8-3757-46df-aa51-f218c5f11954",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "hipaa-0605.10h1System.12-10.h"
        ]
      },
      {
        "policyDefinitionReferenceId": "AzureBaseline_SystemAuditPoliciesDetailedTracking",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/58383b73-94a9-4414-b382-4146eb02611b",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "AuditProcessTermination": {
            "value": "[parameters('DeployAzureBaselineSystemAuditPoliciesDetailedTrackingAuditProcessTermination')]"
          }
        },
        "groupNames": [
          "hipaa-0635.10k1Organizational.12-10.k",
          "hipaa-0636.10k2Organizational.1-10.k",
          "hipaa-0637.10k2Organizational.2-10.k",
          "hipaa-0638.10k2Organizational.34569-10.k",
          "hipaa-0639.10k2Organizational.78-10.k",
          "hipaa-0640.10k2Organizational.1012-10.k",
          "hipaa-0641.10k2Organizational.11-10.k",
          "hipaa-0642.10k3Organizational.12-10.k",
          "hipaa-0643.10k3Organizational.3-10.k",
          "hipaa-0644.10k3Organizational.4-10.k"
        ]
      },
      {
        "policyDefinitionReferenceId": "diagnosticsLogsInSearchServiceMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4",
        "parameters": {
          "effect": {
            "value": "[parameters('diagnosticsLogsInSearchServiceMonitoringEffect')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('diagnosticsLogsInSearchServiceRetentionDays')]"
          }
        },
        "groupNames": [
          "hipaa-1208.09aa3System.1-09.aa"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditVirtualMachinesWithoutDisasterRecoveryConfigured",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56",
        "parameters": {},
        "groupNames": [
          "hipaa-1634.12b1Organizational.1-12.b",
          "hipaa-1638.12b2Organizational.345-12.b"
        ]
      },
      {
        "policyDefinitionReferenceId": "vulnerabilityAssessmentOnManagedInstanceMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a",
        "parameters": {
          "effect": {
            "value": "[parameters('vulnerabilityAssessmentOnManagedInstanceMonitoringEffect')]"
          }
        },
        "groupNames": [
          "hipaa-0709.10m1Organizational.1-10.m",
          "hipaa-0710.10m2Organizational.1-10.m",
          "hipaa-0719.10m3Organizational.5-10.m"
        ]
      },
      {
        "policyDefinitionReferenceId": "AzureBaseline_SecurityOptionsMicrosoftNetworkServer",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/caf2d518-f029-4f6b-833b-d7081702f253",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "hipaa-0709.10m1Organizational.1-10.m"
        ]
      },
      {
        "policyDefinitionReferenceId": "AzureBaseline_AdministrativeTemplatesNetwork",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/67e010c1-640d-438e-a3a5-feaccb533a98",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "EnableInsecureGuestLogons": {
            "value": "[parameters('EnableInsecureGuestLogons')]"
          },
          "AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain": {
            "value": "[parameters('AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain')]"
          },
          "TurnOffMulticastNameResolution": {
            "value": "[parameters('TurnOffMulticastNameResolution')]"
          }
        },
        "groupNames": []
      },
      {
        "policyDefinitionReferenceId": "Deploynetworkwatcherwhenvirtualnetworksarecreated",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a9b99dd8-06c5-4317-8629-9d86a3c6e7d9",
        "parameters": {},
        "groupNames": [
          "hipaa-0894.01m2Organizational.7-01.m"
        ]
      },
      {
        "policyDefinitionReferenceId": "AzureBaseline_WindowsFirewallProperties",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/35d9882c-993d-44e6-87d2-db66ce21b636",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "WindowsFirewallDomainUseProfileSettings": {
            "value": "[parameters('WindowsFirewallDomainUseProfileSettings')]"
          },
          "WindowsFirewallDomainBehaviorForOutboundConnections": {
            "value": "[parameters('WindowsFirewallDomainBehaviorForOutboundConnections')]"
          },
          "WindowsFirewallDomainApplyLocalConnectionSecurityRules": {
            "value": "[parameters('WindowsFirewallDomainApplyLocalConnectionSecurityRules')]"
          },
          "WindowsFirewallDomainApplyLocalFirewallRules": {
            "value": "[parameters('WindowsFirewallDomainApplyLocalFirewallRules')]"
          },
          "WindowsFirewallDomainDisplayNotifications": {
            "value": "[parameters('WindowsFirewallDomainDisplayNotifications')]"
          },
          "WindowsFirewallPrivateUseProfileSettings": {
            "value": "[parameters('WindowsFirewallPrivateUseProfileSettings')]"
          },
          "WindowsFirewallPrivateBehaviorForOutboundConnections": {
            "value": "[parameters('WindowsFirewallPrivateBehaviorForOutboundConnections')]"
          },
          "WindowsFirewallPrivateApplyLocalConnectionSecurityRules": {
            "value": "[parameters('WindowsFirewallPrivateApplyLocalConnectionSecurityRules')]"
          },
          "WindowsFirewallPrivateApplyLocalFirewallRules": {
            "value": "[parameters('WindowsFirewallPrivateApplyLocalFirewallRules')]"
          },
          "WindowsFirewallPrivateDisplayNotifications": {
            "value": "[parameters('WindowsFirewallPrivateDisplayNotifications')]"
          },
          "WindowsFirewallPublicUseProfileSettings": {
            "value": "[parameters('WindowsFirewallPublicUseProfileSettings')]"
          },
          "WindowsFirewallPublicBehaviorForOutboundConnections": {
            "value": "[parameters('WindowsFirewallPublicBehaviorForOutboundConnections')]"
          },
          "WindowsFirewallPublicApplyLocalConnectionSecurityRules": {
            "value": "[parameters('WindowsFirewallPublicApplyLocalConnectionSecurityRules')]"
          },
          "WindowsFirewallPublicApplyLocalFirewallRules": {
            "value": "[parameters('WindowsFirewallPublicApplyLocalFirewallRules')]"
          },
          "WindowsFirewallPublicDisplayNotifications": {
            "value": "[parameters('WindowsFirewallPublicDisplayNotifications')]"
          },
          "WindowsFirewallDomainAllowUnicastResponse": {
            "value": "[parameters('WindowsFirewallDomainAllowUnicastResponse')]"
          },
          "WindowsFirewallPrivateAllowUnicastResponse": {
            "value": "[parameters('WindowsFirewallPrivateAllowUnicastResponse')]"
          },
          "WindowsFirewallPublicAllowUnicastResponse": {
            "value": "[parameters('WindowsFirewallPublicAllowUnicastResponse')]"
          }
        },
        "groupNames": [
          "hipaa-0858.09m1Organizational.4-09.m"
        ]
      },
      {
        "policyDefinitionReferenceId": "nextGenerationFirewallMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6",
        "parameters": {
          "effect": {
            "value": "[parameters('nextGenerationFirewallMonitoringEffect')]"
          }
        },
        "groupNames": [
          "hipaa-0858.09m1Organizational.4-09.m"
        ]
      },
      {
        "policyDefinitionReferenceId": "ensureServerTDEIsEncryptedWithYourOwnKeyMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd",
        "parameters": {
          "effect": {
            "value": "[parameters('ensureServerTDEIsEncryptedWithYourOwnKeyMonitoringEffect')]"
          }
        },
        "groupNames": [
          "hipaa-0304.09o3Organizational.1-09.o"
        ]
      },
      {
        "policyDefinitionReferenceId": "apiAppDisableRemoteDebuggingMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e",
        "parameters": {
          "effect": {
            "value": "[parameters('apiAppDisableRemoteDebuggingMonitoringEffect')]"
          }
        },
        "groupNames": [
          "hipaa-0914.09s1Organizational.6-09.s",
          "hipaa-1196.01l3Organizational.24-01.l"
        ]
      },
      {
        "policyDefinitionReferenceId": "classicComputeVMsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d",
        "parameters": {
          "effect": {
            "value": "[parameters('classicComputeVMsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "hipaa-0835.09n1Organizational.1-09.n"
        ]
      },
      {
        "policyDefinitionReferenceId": "disableUnrestrictedNetworkToStorageAccountMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c",
        "parameters": {
          "effect": {
            "value": "[parameters('disableUnrestrictedNetworkToStorageAccountMonitoringEffect')]"
          }
        },
        "groupNames": [
          "hipaa-0866.09m3Organizational.1516-09.m"
        ]
      },
      {
        "policyDefinitionReferenceId": "adaptiveApplicationControlsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc",
        "parameters": {
          "effect": {
            "value": "[parameters('adaptiveApplicationControlsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "hipaa-0201.09j1Organizational.124-09.j",
          "hipaa-0607.10h2System.23-10.h",
          "hipaa-1197.01l3Organizational.3-01.l"
        ]
      },
      {
        "policyDefinitionReferenceId": "DeployDiagnosticSettingsforNetworkSecurityGroups",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9c29499-c1d1-4195-99bd-2ec9e3a9dc89",
        "parameters": {
          "storagePrefix": {
            "value": "[parameters('DeployDiagnosticSettingsforNetworkSecurityGroupsstoragePrefix')]"
          },
          "rgName": {
            "value": "[parameters('DeployDiagnosticSettingsforNetworkSecurityGroupsrgName')]"
          }
        },
        "groupNames": [
          "hipaa-0860.09m1Organizational.9-09.m"
        ]
      },
      {
        "policyDefinitionReferenceId": "AzureBaseline_SecurityOptionsNetworkAccess",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "NetworkAccessRemotelyAccessibleRegistryPaths": {
            "value": "[parameters('NetworkAccessRemotelyAccessibleRegistryPaths')]"
          },
          "NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths": {
            "value": "[parameters('NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths')]"
          },
          "NetworkAccessSharesThatCanBeAccessedAnonymously": {
            "value": "[parameters('NetworkAccessSharesThatCanBeAccessedAnonymously')]"
          }
        },
        "groupNames": [
          "hipaa-0861.09m2Organizational.67-09.m"
        ]
      },
      {
        "policyDefinitionReferenceId": "webAppDisableRemoteDebuggingMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71",
        "parameters": {
          "effect": {
            "value": "[parameters('webAppDisableRemoteDebuggingMonitoringEffect')]"
          }
        },
        "groupNames": [
          "hipaa-0912.09s1Organizational.4-09.s",
          "hipaa-1194.01l2Organizational.2-01.l"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditThatLinuxVMsHaveThePasswdFilePermissionsSeTTo0644",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e6955644-301c-44b5-a4c4-528577de6861",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": []
      },
      {
        "policyDefinitionReferenceId": "AuditSqlServerLevelAuditingSettings",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9",
        "parameters": {},
        "groupNames": [
          "hipaa-1211.09aa3System.4-09.aa"
        ]
      },
      {
        "policyDefinitionReferenceId": "Audit_WindowsCertificateInTrustedRoot",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/934345e1-4dfb-4c70-90d7-41990dc9608b",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "CertificateThumbprints": {
            "value": "[parameters('CertificateThumbprints')]"
          }
        },
        "groupNames": [
          "hipaa-0945.09y1Organizational.3-09.y"
        ]
      },
      {
        "policyDefinitionReferenceId": "apiAppEnforceHttpsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6",
        "parameters": {
          "effect": {
            "value": "[parameters('apiAppEnforceHttpsMonitoringEffectV2')]"
          }
        },
        "groupNames": [
          "hipaa-0809.01n2Organizational.1234-01.n",
          "hipaa-0810.01n2Organizational.5-01.n",
          "hipaa-0814.01n1Organizational.12-01.n",
          "hipaa-0812.01n2Organizational.8-01.n",
          "hipaa-0811.01n2Organizational.6-01.n",
          "hipaa-0949.09y2Organizational.5-09.y",
          "hipaa-1404.05i2Organizational.1-05.i"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditWindowsVmEnforcesPasswordComplexityRequirements",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bf16e0bb-31e1-4646-8202-60a235cc7e74",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": []
      },
      {
        "policyDefinitionReferenceId": "identityEnableMFAForWritePermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3",
        "parameters": {
          "effect": {
            "value": "[parameters('identityEnableMFAForWritePermissionsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "hipaa-1117.01j1Organizational.23-01.j",
          "hipaa-1173.01j1Organizational.6-01.j",
          "hipaa-1177.01j2Organizational.6-01.j",
          "hipaa-11110.01q1Organizational.6-01.q"
        ]
      },
      {
        "policyDefinitionReferenceId": "jitNetworkAccessMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c",
        "parameters": {
          "effect": {
            "value": "[parameters('jitNetworkAccessMonitoringEffect')]"
          }
        },
        "groupNames": [
          "hipaa-0858.09m1Organizational.4-09.m",
          "hipaa-11180.01c3System.6-01.c",
          "hipaa-1119.01j2Organizational.3-01.j",
          "hipaa-1175.01j1Organizational.8-01.j",
          "hipaa-1179.01j3Organizational.1-01.j",
          "hipaa-1192.01l1Organizational.1-01.l"
        ]
      },
      {
        "policyDefinitionReferenceId": "identityEnableMFAForOwnerPermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed",
        "parameters": {
          "effect": {
            "value": "[parameters('identityEnableMFAForOwnerPermissionsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "hipaa-1116.01j1Organizational.145-01.j",
          "hipaa-1121.01j3Organizational.2-01.j",
          "hipaa-1176.01j2Organizational.5-01.j",
          "hipaa-11109.01q1Organizational.57-01.q"
        ]
      },
      {
        "policyDefinitionReferenceId": "kubernetesServiceRbacEnabledMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457",
        "parameters": {
          "effect": {
            "value": "[parameters('kubernetesServiceRbacEnabledMonitoringEffect')]"
          }
        },
        "groupNames": [
          "hipaa-1149.01c2System.9-01.c",
          "hipaa-1153.01c3System.35-01.c",
          "hipaa-1229.09c1Organizational.1-09.c"
        ]
      },
      {
        "policyDefinitionReferenceId": "AzureBaseline_SecurityOptionsAccounts",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ee984370-154a-4ee8-9726-19d900e56fc0",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "AccountsGuestAccountStatus": {
            "value": "[parameters('DeployAzureBaselineSecurityOptionsAccountsAccountsGuestAccountStatus')]"
          }
        },
        "groupNames": [
          "hipaa-1148.01c2System.78-01.c"
        ]
      },
      {
        "policyDefinitionReferenceId": "restrictAccessToManagementPortsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917",
        "parameters": {
          "effect": {
            "value": "[parameters('restrictAccessToManagementPortsMonitoringEffect')]"
          }
        },
        "groupNames": [
          "hipaa-1143.01c1System.123-01.c",
          "hipaa-1150.01c2System.10-01.c",
          "hipaa-1193.01l2Organizational.13-01.l"
        ]
      },
      {
        "policyDefinitionReferenceId": "vmssOsVulnerabilitiesMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4",
        "parameters": {
          "effect": {
            "value": "[parameters('vmssOsVulnerabilitiesMonitoringEffect')]"
          }
        },
        "groupNames": [
          "hipaa-0607.10h2System.23-10.h",
          "hipaa-0709.10m1Organizational.1-10.m",
          "hipaa-0714.10m2Organizational.7-10.m",
          "hipaa-0717.10m3Organizational.2-10.m"
        ]
      },
      {
        "policyDefinitionReferenceId": "diagnosticsLogsInEventHubMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a",
        "parameters": {
          "effect": {
            "value": "[parameters('diagnosticsLogsInEventHubMonitoringEffect')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('diagnosticsLogsInEventHubRetentionDays')]"
          }
        },
        "groupNames": [
          "hipaa-1207.09aa2System.4-09.aa"
        ]
      },
      {
        "policyDefinitionReferenceId": "vmssSystemUpdatesMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
        "parameters": {
          "effect": {
            "value": "[parameters('vmssSystemUpdatesMonitoringEffect')]"
          }
        },
        "groupNames": [
          "hipaa-1202.09aa1System.1-09.aa"
        ]
      },
      {
        "policyDefinitionReferenceId": "diagnosticsLogsInServiceFabricMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1",
        "parameters": {
          "effect": {
            "value": "[parameters('diagnosticsLogsInServiceFabricMonitoringEffect')]"
          }
        },
        "groupNames": [
          "hipaa-1206.09aa2System.23-09.aa"
        ]
      },
      {
        "policyDefinitionReferenceId": "AzureBaseline_SecurityOptionsRecoveryconsole",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f71be03e-e25b-4d0f-b8bc-9b3e309b66c0",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders": {
            "value": "[parameters('RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders')]"
          }
        },
        "groupNames": [
          "hipaa-1637.12b2Organizational.2-12.b"
        ]
      },
      {
        "policyDefinitionReferenceId": "azureBackupShouldBeEnabledForVirtualMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d",
        "parameters": {},
        "groupNames": [
          "hipaa-1620.09l1Organizational.8-09.l",
          "hipaa-1625.09l3Organizational.34-09.l",
          "hipaa-1699.09l1Organizational.10-09.l"
        ]
      },
      {
        "policyDefinitionReferenceId": "networkTrafficDataCollectionAgentShouldBeInstalledOnLinuxVirtualMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602",
        "parameters": {},
        "groupNames": [
          "hipaa-0836.09.n2Organizational.1-09.n",
          "hipaa-0885.09n2Organizational.3-09.n"
        ]
      },
      {
        "policyDefinitionReferenceId": "diagnosticsLogsInDataLakeStoreMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "hipaa-1202.09aa1System.1-09.aa"
        ]
      },
      {
        "policyDefinitionReferenceId": "functionAppRestrictCORSAccessMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5",
        "parameters": {},
        "groupNames": [
          "hipaa-0902.09s2Organizational.13-09.s",
          "hipaa-0960.09sCSPOrganizational.1-09.s"
        ]
      },
      {
        "policyDefinitionReferenceId": "adaptiveNetworkHardeningRecommendationsShouldBeAppliedOnInternetFacingVirtualMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6",
        "parameters": {},
        "groupNames": [
          "hipaa-0809.01n2Organizational.1234-01.n",
          "hipaa-0810.01n2Organizational.5-01.n",
          "hipaa-0814.01n1Organizational.12-01.n",
          "hipaa-0812.01n2Organizational.8-01.n",
          "hipaa-0811.01n2Organizational.6-01.n",
          "hipaa-0859.09m1Organizational.78-09.m"
        ]
      },
      {
        "policyDefinitionReferenceId": "identityDesignateMoreThanOneOwnerMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b",
        "parameters": {},
        "groupNames": [
          "hipaa-1145.01c2System.1-01.c",
          "hipaa-1152.01c3System.2-01.c",
          "hipaa-11208.01q1Organizational.8-01.q"
        ]
      },
      {
        "policyDefinitionReferenceId": "keyVaultObjectsShouldBeRecoverable",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53",
        "parameters": {},
        "groupNames": [
          "hipaa-1635.12b1Organizational.2-12.b"
        ]
      },
      {
        "policyDefinitionReferenceId": "functionAppDisableRemoteDebuggingMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9",
        "parameters": {},
        "groupNames": [
          "hipaa-0913.09s1Organizational.5-09.s",
          "hipaa-1325.09s1Organizational.3-09.s",
          "hipaa-1195.01l3Organizational.1-01.l"
        ]
      },
      {
        "policyDefinitionReferenceId": "geoRedundantBackupShouldBeEnabledForAzureDatabaseForMariaDB",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0",
        "parameters": {},
        "groupNames": [
          "hipaa-1619.09l1Organizational.7-09.l",
          "hipaa-1624.09l3Organizational.12-09.l",
          "hipaa-1627.09l3Organizational.6-09.l"
        ]
      },
      {
        "policyDefinitionReferenceId": "customSubscriptionOwnerRolesShouldNotExist",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9",
        "parameters": {},
        "groupNames": [
          "hipaa-1276.09c2Organizational.2-09.c",
          "hipaa-1278.09c2Organizational.56-09.c"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditWindowsVMsInWhichTheAdministratorsGroupContainsAnyOfTheSpecifiedMembers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "membersToExclude": {
            "value": "[parameters('membersToExclude')]"
          }
        },
        "groupNames": [
          "hipaa-11210.01q2Organizational.10-01.q",
          "hipaa-1125.01q2System.1-01.q"
        ]
      },
      {
        "policyDefinitionReferenceId": "azureMonitorLogProfileShouldCollectLogsForCategoriesWrite,Delete,AndAction",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a4e592a-6a6e-44a5-9814-e36264ca96e7",
        "parameters": {},
        "groupNames": [
          "hipaa-1212.09ab1System.1-09.ab",
          "hipaa-1219.09ab3System.10-09.ab"
        ]
      },
      {
        "policyDefinitionReferenceId": "diagnosticsLogsInRedisCacheMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb",
        "parameters": {
          "effect": {
            "value": "[parameters('diagnosticsLogsInRedisCacheMonitoringEffect')]"
          }
        },
        "groupNames": [
          "hipaa-0809.01n2Organizational.1234-01.n",
          "hipaa-0810.01n2Organizational.5-01.n",
          "hipaa-0814.01n1Organizational.12-01.n",
          "hipaa-0812.01n2Organizational.8-01.n",
          "hipaa-0811.01n2Organizational.6-01.n",
          "hipaa-0946.09y2Organizational.14-09.y",
          "hipaa-1451.05iCSPOrganizational.2-05.i"
        ]
      },
      {
        "policyDefinitionReferenceId": "vmssEndpointProtectionMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de",
        "parameters": {},
        "groupNames": [
          "hipaa-0201.09j1Organizational.124-09.j"
        ]
      },
      {
        "policyDefinitionReferenceId": "unattachedDisksShouldBeEncrypted",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fb2",
        "parameters": {},
        "groupNames": [
          "hipaa-0303.09o2Organizational.2-09.o"
        ]
      },
      {
        "policyDefinitionReferenceId": "appServiceShouldUseAVirtualNetworkServiceEndpoint",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2d21331d-a4c2-4def-a9ad-ee4e1e023beb",
        "parameters": {},
        "groupNames": [
          "hipaa-0894.01m2Organizational.7-01.m",
          "hipaa-0805.01m1Organizational.12-01.m",
          "hipaa-0806.01m2Organizational.12356-01.m",
          "hipaa-0861.09m2Organizational.67-09.m"
        ]
      },
      {
        "policyDefinitionReferenceId": "networkTrafficDataCollectionAgentShouldBeInstalledOnWindowsVirtualMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d",
        "parameters": {},
        "groupNames": [
          "hipaa-0835.09n1Organizational.1-09.n",
          "hipaa-0887.09n2Organizational.5-09.n"
        ]
      },
      {
        "policyDefinitionReferenceId": "diagnosticsLogsInLogicAppsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "hipaa-1203.09aa1System.2-09.aa"
        ]
      },
      {
        "policyDefinitionReferenceId": "apiAppRestrictCORSAccessMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac",
        "parameters": {},
        "groupNames": [
          "hipaa-0911.09s1Organizational.2-09.s"
        ]
      },
      {
        "policyDefinitionReferenceId": "gatewaySubnetsShouldNotBeConfiguredWithANetworkSecurityGroup",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010",
        "parameters": {},
        "groupNames": [
          "hipaa-0894.01m2Organizational.7-01.m",
          "hipaa-0805.01m1Organizational.12-01.m",
          "hipaa-0806.01m2Organizational.12356-01.m"
        ]
      },
      {
        "policyDefinitionReferenceId": "diagnosticLogsInIoTHubShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "hipaa-1204.09aa1System.3-09.aa"
        ]
      },
      {
        "policyDefinitionReferenceId": "secureTransferToStorageAccountMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
        "parameters": {
          "effect": {
            "value": "[parameters('secureTransferToStorageAccountMonitoringEffect')]"
          }
        },
        "groupNames": [
          "hipaa-0809.01n2Organizational.1234-01.n",
          "hipaa-0810.01n2Organizational.5-01.n",
          "hipaa-0814.01n1Organizational.12-01.n",
          "hipaa-0812.01n2Organizational.8-01.n",
          "hipaa-0811.01n2Organizational.6-01.n",
          "hipaa-0943.09y1Organizational.1-09.y",
          "hipaa-1401.05i1Organizational.1239-05.i"
        ]
      },
      {
        "policyDefinitionReferenceId": "azureMonitorShouldCollectActivityLogsFromAllRegions",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/41388f1c-2db0-4c25-95b2-35d7f5ccbfa9",
        "parameters": {},
        "groupNames": [
          "hipaa-1120.09ab3System.9-09.ab",
          "hipaa-1214.09ab2System.3456-09.ab"
        ]
      },
      {
        "policyDefinitionReferenceId": "automaticProvisioningOfTheLogAnalyticsMonitoringAgentShouldBeEnabledOnYourSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17",
        "parameters": {},
        "groupNames": [
          "hipaa-1213.09ab2System.128-09.ab",
          "hipaa-1220.09ab3System.56-09.ab"
        ]
      },
      {
        "policyDefinitionReferenceId": "geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgreSQL",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430",
        "parameters": {},
        "groupNames": [
          "hipaa-1618.09l1Organizational.45-09.l",
          "hipaa-1623.09l2Organizational.4-09.l",
          "hipaa-1626.09l3Organizational.5-09.l"
        ]
      },
      {
        "policyDefinitionReferenceId": "identityDesignateLessThanOwnersMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c",
        "parameters": {},
        "groupNames": [
          "hipaa-1144.01c1System.4-01.c",
          "hipaa-1151.01c3System.1-01.c",
          "hipaa-1154.01c3System.4-01.c",
          "hipaa-11112.01q2Organizational.67-01.q"
        ]
      },
      {
        "policyDefinitionReferenceId": "vulnerabilityAssessmentShouldBeEnabledOnVirtualMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9",
        "parameters": {},
        "groupNames": [
          "hipaa-0709.10m1Organizational.1-10.m",
          "hipaa-0711.10m2Organizational.23-10.m"
        ]
      },
      {
        "policyDefinitionReferenceId": "webAppRestrictCORSAccessMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9",
        "parameters": {},
        "groupNames": [
          "hipaa-0901.09s1Organizational.1-09.s",
          "hipaa-0916.09s2Organizational.4-09.s"
        ]
      },
      {
        "policyDefinitionReferenceId": "ensureWEBAppHasClientCertificates(IncomingClientCertificates)SetToOn",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609",
        "parameters": {},
        "groupNames": [
          "hipaa-0662.09sCSPOrganizational.2-09.s",
          "hipaa-0915.09s2Organizational.2-09.s"
        ]
      },
      {
        "policyDefinitionReferenceId": "storageAccountsShouldUseAVirtualNetworkServiceEndpoint",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/60d21c4f-21a3-4d94-85f4-b924e6aeeda4",
        "parameters": {},
        "groupNames": [
          "hipaa-0894.01m2Organizational.7-01.m",
          "hipaa-0805.01m1Organizational.12-01.m",
          "hipaa-0806.01m2Organizational.12356-01.m",
          "hipaa-0867.09m3Organizational.17-09.m"
        ]
      },
      {
        "policyDefinitionReferenceId": "auditWindowsLogAnalyticsAgentConnection",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6265018c-d7e2-432f-a75d-094d5f6f4465",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "workspaceId": {
            "value": "[parameters('workspaceId')]"
          }
        },
        "groupNames": [
          "hipaa-12102.09ab1Organizational.4-09.ab",
          "hipaa-1217.09ab3System.3-09.ab"
        ]
      },
      {
        "policyDefinitionReferenceId": "functionAppEnforceHttpsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab",
        "parameters": {},
        "groupNames": [
          "hipaa-0809.01n2Organizational.1234-01.n",
          "hipaa-0810.01n2Organizational.5-01.n",
          "hipaa-0814.01n1Organizational.12-01.n",
          "hipaa-0812.01n2Organizational.8-01.n",
          "hipaa-0811.01n2Organizational.6-01.n",
          "hipaa-0949.09y2Organizational.5-09.y",
          "hipaa-1402.05i1Organizational.45-05.i"
        ]
      },
      {
        "policyDefinitionReferenceId": "auditDiagnosticSetting",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9",
        "parameters": {
          "listOfResourceTypes": {
            "value": "[parameters('listOfResourceTypes')]"
          }
        },
        "groupNames": [
          "hipaa-1210.09aa3System.3-09.aa"
        ]
      },
      {
        "policyDefinitionReferenceId": "AzureBaselineUserRightsAssignment",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e068b215-0026-4354-b347-8fb2766f73a2",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "usersOrGroupsThatMayAccessThisComputerFromTheNetwork": {
            "value": "[parameters('usersOrGroupsThatMayAccessThisComputerFromTheNetwork')]"
          },
          "usersOrGroupsThatMayLogOnLocally": {
            "value": "[parameters('usersOrGroupsThatMayLogOnLocally')]"
          },
          "usersOrGroupsThatMayLogOnThroughRemoteDesktopServices": {
            "value": "[parameters('usersOrGroupsThatMayLogOnThroughRemoteDesktopServices')]"
          },
          "usersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork": {
            "value": "[parameters('usersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork')]"
          },
          "usersOrGroupsThatMayManageAuditingAndSecurityLog": {
            "value": "[parameters('usersOrGroupsThatMayManageAuditingAndSecurityLog')]"
          },
          "usersOrGroupsThatMayBackUpFilesAndDirectories": {
            "value": "[parameters('usersOrGroupsThatMayBackUpFilesAndDirectories')]"
          },
          "usersOrGroupsThatMayChangeTheSystemTime": {
            "value": "[parameters('usersOrGroupsThatMayChangeTheSystemTime')]"
          },
          "usersOrGroupsThatMayChangeTheTimeZone": {
            "value": "[parameters('usersOrGroupsThatMayChangeTheTimeZone')]"
          },
          "usersOrGroupsThatMayCreateATokenObject": {
            "value": "[parameters('usersOrGroupsThatMayCreateATokenObject')]"
          },
          "usersAndGroupsThatAreDeniedLoggingOnAsABatchJob": {
            "value": "[parameters('usersAndGroupsThatAreDeniedLoggingOnAsABatchJob')]"
          },
          "usersAndGroupsThatAreDeniedLoggingOnAsAService": {
            "value": "[parameters('usersAndGroupsThatAreDeniedLoggingOnAsAService')]"
          },
          "usersAndGroupsThatAreDeniedLocalLogon": {
            "value": "[parameters('usersAndGroupsThatAreDeniedLocalLogon')]"
          },
          "usersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices": {
            "value": "[parameters('usersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices')]"
          },
          "userAndGroupsThatMayForceShutdownFromARemoteSystem": {
            "value": "[parameters('userAndGroupsThatMayForceShutdownFromARemoteSystem')]"
          },
          "usersAndGroupsThatMayRestoreFilesAndDirectories": {
            "value": "[parameters('usersAndGroupsThatMayRestoreFilesAndDirectories')]"
          },
          "usersAndGroupsThatMayShutDownTheSystem": {
            "value": "[parameters('usersAndGroupsThatMayShutDownTheSystem')]"
          },
          "usersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects": {
            "value": "[parameters('usersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects')]"
          }
        },
        "groupNames": [
          "hipaa-1232.09c3Organizational.12-09.c"
        ]
      },
      {
        "policyDefinitionReferenceId": "geoRedundantBackupShouldBeEnabledForAzureDatabaseForMySQL",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970",
        "parameters": {},
        "groupNames": [
          "hipaa-1617.09l1Organizational.23-09.l",
          "hipaa-1622.09l2Organizational.23-09.l"
        ]
      },
      {
        "policyDefinitionReferenceId": "apiAppRequireLatestTlsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e",
        "parameters": {},
        "groupNames": [
          "hipaa-0809.01n2Organizational.1234-01.n",
          "hipaa-0810.01n2Organizational.5-01.n",
          "hipaa-0814.01n1Organizational.12-01.n",
          "hipaa-0812.01n2Organizational.8-01.n",
          "hipaa-0811.01n2Organizational.6-01.n",
          "hipaa-0949.09y2Organizational.5-09.y"
        ]
      },
      {
        "policyDefinitionReferenceId": "TheAdministratorsGroupDoesNotContainAllOfTheSpecifiedMembers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "membersToInclude": {
            "value": "[parameters('membersToInclude')]"
          }
        },
        "groupNames": [
          "hipaa-11211.01q2Organizational.11-01.q",
          "hipaa-1127.01q2System.3-01.q"
        ]
      },
      {
        "policyDefinitionReferenceId": "useRbacRulesMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5",
        "parameters": {},
        "groupNames": [
          "hipaa-1148.01c2System.78-01.c",
          "hipaa-1230.09c2Organizational.1-09.c"
        ]
      },
      {
        "policyDefinitionReferenceId": "webAppEnforceHttpsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d",
        "parameters": {},
        "groupNames": [
          "hipaa-0809.01n2Organizational.1234-01.n",
          "hipaa-0810.01n2Organizational.5-01.n",
          "hipaa-0814.01n1Organizational.12-01.n",
          "hipaa-0812.01n2Organizational.8-01.n",
          "hipaa-0811.01n2Organizational.6-01.n",
          "hipaa-0949.09y2Organizational.5-09.y",
          "hipaa-1403.05i1Organizational.67-05.i"
        ]
      },
      {
        "policyDefinitionReferenceId": "logAnalyticsAgentShouldBeInstalledOnVirtualMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a70ca396-0a34-413a-88e1-b956c1e683be",
        "parameters": {},
        "groupNames": [
          "hipaa-12100.09ab2System.15-09.ab",
          "hipaa-1215.09ab2System.7-09.ab"
        ]
      },
      {
        "policyDefinitionReferenceId": "sqlServerShouldUseAVirtualNetworkServiceEndpoint",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae5d2f14-d830-42b6-9899-df6cfe9c71a3",
        "parameters": {},
        "groupNames": [
          "hipaa-0894.01m2Organizational.7-01.m",
          "hipaa-0805.01m1Organizational.12-01.m",
          "hipaa-0806.01m2Organizational.12356-01.m",
          "hipaa-0862.09m2Organizational.8-09.m"
        ]
      },
      {
        "policyDefinitionReferenceId": "endpointProtectionMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9",
        "parameters": {},
        "groupNames": [
          "hipaa-0201.09j1Organizational.124-09.j"
        ]
      },
      {
        "policyDefinitionReferenceId": "diagnosticsLogsInSelectiveAppServicesMonitoringEffect",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0",
        "parameters": {},
        "groupNames": [
          "hipaa-1209.09aa3System.2-09.aa"
        ]
      },
      {
        "policyDefinitionReferenceId": "networkWatcherShouldBeEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6",
        "parameters": {
          "resourceGroupName": {
            "value": "[parameters('NetworkWatcherResourceGroupName')]"
          }
        },
        "groupNames": [
          "hipaa-0837.09.n2Organizational.2-09.n",
          "hipaa-0886.09n2Organizational.4-09.n",
          "hipaa-0888.09n2Organizational.6-09.n"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditWindowsVMsInWhichTheAdministratorsGroupDoesNotContainOnlyTheSpecifiedMembers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3d2a3320-2a72-4c67-ac5f-caa40fbee2b2",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "members": {
            "value": "[parameters('members')]"
          }
        },
        "groupNames": [
          "hipaa-1123.01q1System.2-01.q"
        ]
      },
      {
        "policyDefinitionReferenceId": "auditSpecificAdministrativeOperationsWithoutActivityLogAlerts",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b954148f-4c11-4c38-8221-be76711e194a",
        "parameters": {
          "operationName": {
            "value": "[parameters('operationName')]"
          }
        },
        "groupNames": [
          "hipaa-1270.09ad1System.12-09.ad",
          "hipaa-1271.09ad1System.1-09.ad"
        ]
      },
      {
        "policyDefinitionReferenceId": "microsoftAntimalwareForAzureShouldBeConfiguredToAutomaticallyUpdateProtectionSignatures",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c43e4a30-77cb-48ab-a4dd-93f175c63b57",
        "parameters": {},
        "groupNames": [
          "hipaa-0201.09j1Organizational.124-09.j"
        ]
      },
      {
        "policyDefinitionReferenceId": "containerRegistryShouldUseAVirtualNetworkServiceEndpoint",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c4857be7-912a-4c75-87e6-e30292bcdf78",
        "parameters": {},
        "groupNames": [
          "hipaa-0894.01m2Organizational.7-01.m",
          "hipaa-0805.01m1Organizational.12-01.m",
          "hipaa-0806.01m2Organizational.12356-01.m",
          "hipaa-0868.09m3Organizational.18-09.m",
          "hipaa-0869.09m3Organizational.19-09.m",
          "hipaa-0870.09m3Organizational.20-09.m",
          "hipaa-0871.09m3Organizational.22-09.m"
        ]
      },
      {
        "policyDefinitionReferenceId": "diagnosticsLogsInDataLakeAnalyticsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "hipaa-1210.09aa3System.3-09.aa"
        ]
      },
      {
        "policyDefinitionReferenceId": "diagnosticsLogsInKeyVaultMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "hipaa-1211.09aa3System.4-09.aa"
        ]
      },
      {
        "policyDefinitionReferenceId": "enforceSSLConnectionShouldBeEnabledForPostgreSQLDatabaseServers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af",
        "parameters": {},
        "groupNames": [
          "hipaa-0809.01n2Organizational.1234-01.n",
          "hipaa-0810.01n2Organizational.5-01.n",
          "hipaa-0814.01n1Organizational.12-01.n",
          "hipaa-0812.01n2Organizational.8-01.n",
          "hipaa-0811.01n2Organizational.6-01.n",
          "hipaa-0947.09y2Organizational.2-09.y",
          "hipaa-1450.05i2Organizational.2-05.i"
        ]
      },
      {
        "policyDefinitionReferenceId": "longtermGeoRedundantBackupEnabledAzureSQLDatabases",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570",
        "parameters": {},
        "groupNames": [
          "hipaa-1616.09l1Organizational.16-09.l",
          "hipaa-1621.09l2Organizational.1-09.l"
        ]
      },
      {
        "policyDefinitionReferenceId": "virtualMachinesShouldBeConnectedToAnApprovedVirtualNetwork",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d416745a-506c-48b6-8ab1-83cb814bcaa3",
        "parameters": {
          "effect": {
            "value": "[parameters('virtualMachinesShouldBeConnectedToAnApprovedVirtualNetworkEffect')]"
          },
          "virtualNetworkId": {
            "value": "[parameters('virtualNetworkId')]"
          }
        },
        "groupNames": [
          "hipaa-0894.01m2Organizational.7-01.m",
          "hipaa-0805.01m1Organizational.12-01.m",
          "hipaa-0806.01m2Organizational.12356-01.m",
          "hipaa-0809.01n2Organizational.1234-01.n",
          "hipaa-0810.01n2Organizational.5-01.n",
          "hipaa-0814.01n1Organizational.12-01.n",
          "hipaa-0812.01n2Organizational.8-01.n",
          "hipaa-0811.01n2Organizational.6-01.n"
        ]
      },
      {
        "policyDefinitionReferenceId": "eventHubShouldUseAVirtualNetworkServiceEndpoint",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d63edb4a-c612-454d-b47d-191a724fcbf0",
        "parameters": {},
        "groupNames": [
          "hipaa-0894.01m2Organizational.7-01.m",
          "hipaa-0805.01m1Organizational.12-01.m",
          "hipaa-0806.01m2Organizational.12356-01.m",
          "hipaa-0863.09m2Organizational.910-09.m"
        ]
      },
      {
        "policyDefinitionReferenceId": "cosmosDBShouldUseAVirtualNetworkServiceEndpoint",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9",
        "parameters": {},
        "groupNames": [
          "hipaa-0894.01m2Organizational.7-01.m",
          "hipaa-0805.01m1Organizational.12-01.m",
          "hipaa-0806.01m2Organizational.12356-01.m",
          "hipaa-0864.09m2Organizational.12-09.m"
        ]
      },
      {
        "policyDefinitionReferenceId": "systemConfigurationsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15",
        "parameters": {},
        "groupNames": [
          "hipaa-0605.10h1System.12-10.h",
          "hipaa-0709.10m1Organizational.1-10.m",
          "hipaa-0713.10m2Organizational.5-10.m",
          "hipaa-0718.10m3Organizational.34-10.m"
        ]
      },
      {
        "policyDefinitionReferenceId": "identityEnableMFAForReadPermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64",
        "parameters": {},
        "groupNames": [
          "hipaa-1118.01j2Organizational.124-01.j",
          "hipaa-1174.01j1Organizational.7-01.j",
          "hipaa-1178.01j2Organizational.7-01.j",
          "hipaa-11111.01q2System.4-01.q"
        ]
      },
      {
        "policyDefinitionReferenceId": "AzureBaselineSecurityOptionsUserAccountControl",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/492a29ed-d143-4f03-b6a4-705ce081b463",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "uacAdminApprovalModeForTheBuiltinAdministratorAccount": {
            "value": "[parameters('uacAdminApprovalModeForTheBuiltinAdministratorAccount')]"
          },
          "uacBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode": {
            "value": "[parameters('uacBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode')]"
          },
          "uacDetectApplicationInstallationsAndPromptForElevation": {
            "value": "[parameters('uacDetectApplicationInstallationsAndPromptForElevation')]"
          },
          "uacRunAllAdministratorsInAdminApprovalMode": {
            "value": "[parameters('uacRunAllAdministratorsInAdminApprovalMode')]"
          }
        },
        "groupNames": [
          "hipaa-1277.09c2Organizational.4-09.c"
        ]
      },
      {
        "policyDefinitionReferenceId": "networkSecurityGroupsOnSubnetsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517",
        "parameters": {},
        "groupNames": [
          "hipaa-0894.01m2Organizational.7-01.m",
          "hipaa-0805.01m1Organizational.12-01.m",
          "hipaa-0806.01m2Organizational.12356-01.m",
          "hipaa-0809.01n2Organizational.1234-01.n",
          "hipaa-0810.01n2Organizational.5-01.n",
          "hipaa-0814.01n1Organizational.12-01.n",
          "hipaa-0812.01n2Organizational.8-01.n",
          "hipaa-0811.01n2Organizational.6-01.n"
        ]
      },
      {
        "policyDefinitionReferenceId": "enforceSSLConnectionShouldBeEnabledForMySQLDatabaseServers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d",
        "parameters": {},
        "groupNames": [
          "hipaa-0809.01n2Organizational.1234-01.n",
          "hipaa-0810.01n2Organizational.5-01.n",
          "hipaa-0814.01n1Organizational.12-01.n",
          "hipaa-0812.01n2Organizational.8-01.n",
          "hipaa-0811.01n2Organizational.6-01.n",
          "hipaa-0948.09y2Organizational.3-09.y",
          "hipaa-1418.05i1Organizational.8-05.i"
        ]
      },
      {
        "policyDefinitionReferenceId": "containerBenchmarkMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933",
        "parameters": {},
        "groupNames": [
          "hipaa-0606.10h2System.1-10.h",
          "hipaa-0709.10m1Organizational.1-10.m",
          "hipaa-0715.10m2Organizational.8-10.m"
        ]
      },
      {
        "policyDefinitionReferenceId": "keyVaultShouldUseAVirtualNetworkServiceEndpoint",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ea4d6841-2173-4317-9747-ff522a45120f",
        "parameters": {},
        "groupNames": [
          "hipaa-0894.01m2Organizational.7-01.m",
          "hipaa-0805.01m1Organizational.12-01.m",
          "hipaa-0806.01m2Organizational.12356-01.m",
          "hipaa-0865.09m2Organizational.13-09.m"
        ]
      },
      {
        "policyDefinitionReferenceId": "identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad",
        "parameters": {},
        "groupNames": [
          "hipaa-1147.01c2System.456-01.c"
        ]
      },
      {
        "policyDefinitionReferenceId": "vulnerabilityAssessmentOnServerMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9",
        "parameters": {},
        "groupNames": [
          "hipaa-0709.10m1Organizational.1-10.m"
        ]
      },
      {
        "policyDefinitionReferenceId": "theLogAnalyticsAgentShouldBeInstalledOnVirtualMachineScaleSets",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/efbde977-ba53-4479-b8e9-10b957924fbf",
        "parameters": {},
        "groupNames": [
          "hipaa-12101.09ab1Organizational.3-09.ab",
          "hipaa-1216.09ab3System.12-09.ab"
        ]
      },
      {
        "policyDefinitionReferenceId": "webAppRequireLatestTlsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b",
        "parameters": {},
        "groupNames": [
          "hipaa-0809.01n2Organizational.1234-01.n",
          "hipaa-0810.01n2Organizational.5-01.n",
          "hipaa-0814.01n1Organizational.12-01.n",
          "hipaa-0812.01n2Organizational.8-01.n",
          "hipaa-0811.01n2Organizational.6-01.n",
          "hipaa-0949.09y2Organizational.5-09.y"
        ]
      },
      {
        "policyDefinitionReferenceId": "networkSecurityGroupsOnVirtualMachinesMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c",
        "parameters": {},
        "groupNames": [
          "hipaa-0894.01m2Organizational.7-01.m",
          "hipaa-0805.01m1Organizational.12-01.m",
          "hipaa-0806.01m2Organizational.12356-01.m",
          "hipaa-0809.01n2Organizational.1234-01.n",
          "hipaa-0810.01n2Organizational.5-01.n",
          "hipaa-0814.01n1Organizational.12-01.n",
          "hipaa-0812.01n2Organizational.8-01.n",
          "hipaa-0811.01n2Organizational.6-01.n"
        ]
      },
      {
        "policyDefinitionReferenceId": "identityRemoveExternalAccountWithOwnerPermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9",
        "parameters": {},
        "groupNames": [
          "hipaa-1146.01c2System.23-01.c"
        ]
      },
      {
        "policyDefinitionReferenceId": "diagnosticsLogsInServiceBusMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "hipaa-1208.09aa3System.1-09.aa"
        ]
      },
      {
        "policyDefinitionReferenceId": "diagnosticsLogsInStreamAnalyticsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "hipaa-1207.09aa2System.4-09.aa"
        ]
      },
      {
        "policyDefinitionReferenceId": "functionAppRequireLatestTlsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193",
        "parameters": {},
        "groupNames": [
          "hipaa-0809.01n2Organizational.1234-01.n",
          "hipaa-0810.01n2Organizational.5-01.n",
          "hipaa-0814.01n1Organizational.12-01.n",
          "hipaa-0812.01n2Organizational.8-01.n",
          "hipaa-0811.01n2Organizational.6-01.n",
          "hipaa-0949.09y2Organizational.5-09.y"
        ]
      },
      {
        "policyDefinitionReferenceId": "sqlDbVulnerabilityAssesmentMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc",
        "parameters": {},
        "groupNames": [
          "hipaa-0709.10m1Organizational.1-10.m",
          "hipaa-0716.10m3Organizational.1-10.m"
        ]
      },
      {
        "policyDefinitionReferenceId": "diagnosticsLogsInManagedHsmMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a2a5b911-5617-447e-a49e-59dbe0e0434b",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "hipaa-1211.09aa3System.4-09.aa"
        ]
      },
      {
        "policyDefinitionReferenceId": "managedHsmObjectsShouldBeRecoverable",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383",
        "parameters": {},
        "groupNames": [
          "hipaa-1635.12b1Organizational.2-12.b"
        ]
      }
    ],
    "policyDefinitionGroups": [
      {
        "name": "hipaa-0101.00a1Organizational.123-00.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0101.00a1Organizational.123-00.a"
      },
      {
        "name": "hipaa-0102.00a2Organizational.123-00.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0102.00a2Organizational.123-00.a"
      },
      {
        "name": "hipaa-0103.00a3Organizational.1234567-00.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0103.00a3Organizational.1234567-00.a"
      },
      {
        "name": "hipaa-0104.02a1Organizational.12-02.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0104.02a1Organizational.12-02.a"
      },
      {
        "name": "hipaa-0105.02a2Organizational.1-02.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0105.02a2Organizational.1-02.a"
      },
      {
        "name": "hipaa-0106.02a2Organizational.23-02.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0106.02a2Organizational.23-02.a"
      },
      {
        "name": "hipaa-0107.02d1Organizational.1-02.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0107.02d1Organizational.1-02.d"
      },
      {
        "name": "hipaa-0108.02d1Organizational.23-02.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0108.02d1Organizational.23-02.d"
      },
      {
        "name": "hipaa-0109.02d1Organizational.4-02.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0109.02d1Organizational.4-02.d"
      },
      {
        "name": "hipaa-0110.02d2Organizational.1-02.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0110.02d2Organizational.1-02.d"
      },
      {
        "name": "hipaa-0111.02d2Organizational.2-02.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0111.02d2Organizational.2-02.d"
      },
      {
        "name": "hipaa-01110.05a1Organizational.5-05.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-01110.05a1Organizational.5-05.a"
      },
      {
        "name": "hipaa-01111.05a2Organizational.5-05.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-01111.05a2Organizational.5-05.a"
      },
      {
        "name": "hipaa-0112.02d2Organizational.3-02.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0112.02d2Organizational.3-02.d"
      },
      {
        "name": "hipaa-0113.04a1Organizational.123-04.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0113.04a1Organizational.123-04.a"
      },
      {
        "name": "hipaa-0114.04b1Organizational.1-04.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0114.04b1Organizational.1-04.b"
      },
      {
        "name": "hipaa-0115.04b2Organizational.123-04.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0115.04b2Organizational.123-04.b"
      },
      {
        "name": "hipaa-0116.04b3Organizational.1-04.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0116.04b3Organizational.1-04.b"
      },
      {
        "name": "hipaa-0117.05a1Organizational.1-05.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0117.05a1Organizational.1-05.a"
      },
      {
        "name": "hipaa-0118.05a1Organizational.2-05.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0118.05a1Organizational.2-05.a"
      },
      {
        "name": "hipaa-0119.05a1Organizational.3-05.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0119.05a1Organizational.3-05.a"
      },
      {
        "name": "hipaa-0120.05a1Organizational.4-05.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0120.05a1Organizational.4-05.a"
      },
      {
        "name": "hipaa-0121.05a2Organizational.12-05.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0121.05a2Organizational.12-05.a"
      },
      {
        "name": "hipaa-0122.05a2Organizational.3-05.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0122.05a2Organizational.3-05.a"
      },
      {
        "name": "hipaa-0123.05a2Organizational.4-05.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0123.05a2Organizational.4-05.a"
      },
      {
        "name": "hipaa-0124.05a3Organizational.1-05.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0124.05a3Organizational.1-05.a"
      },
      {
        "name": "hipaa-0125.05a3Organizational.2-05.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0125.05a3Organizational.2-05.a"
      },
      {
        "name": "hipaa-0135.02f1Organizational.56-02.f",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0135.02f1Organizational.56-02.f"
      },
      {
        "name": "hipaa-0137.02a1Organizational.3-02.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0137.02a1Organizational.3-02.a"
      },
      {
        "name": "hipaa-0162.04b1Organizational.2-04.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0162.04b1Organizational.2-04.b"
      },
      {
        "name": "hipaa-0165.05a3Organizational.3-05.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0165.05a3Organizational.3-05.a"
      },
      {
        "name": "hipaa-0177.05h1Organizational.12-05.h",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0177.05h1Organizational.12-05.h"
      },
      {
        "name": "hipaa-0178.05h1Organizational.3-05.h",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0178.05h1Organizational.3-05.h"
      },
      {
        "name": "hipaa-0179.05h1Organizational.4-05.h",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0179.05h1Organizational.4-05.h"
      },
      {
        "name": "hipaa-0180.05h2Organizational.1-05.h",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0180.05h2Organizational.1-05.h"
      },
      {
        "name": "hipaa-0197.02d2Organizational.4-02.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0197.02d2Organizational.4-02.d"
      },
      {
        "name": "hipaa-0201.09j1Organizational.124-09.j",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0201.09j1Organizational.124-09.j"
      },
      {
        "name": "hipaa-0202.09j1Organizational.3-09.j",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0202.09j1Organizational.3-09.j"
      },
      {
        "name": "hipaa-0204.09j2Organizational.1-09.j",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0204.09j2Organizational.1-09.j"
      },
      {
        "name": "hipaa-0205.09j2Organizational.2-09.j",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0205.09j2Organizational.2-09.j"
      },
      {
        "name": "hipaa-0206.09j2Organizational.34-09.j",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0206.09j2Organizational.34-09.j"
      },
      {
        "name": "hipaa-0207.09j2Organizational.56-09.j",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0207.09j2Organizational.56-09.j"
      },
      {
        "name": "hipaa-0208.09j2Organizational.7-09.j",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0208.09j2Organizational.7-09.j"
      },
      {
        "name": "hipaa-0209.09m3Organizational.7-09.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0209.09m3Organizational.7-09.m"
      },
      {
        "name": "hipaa-0214.09j1Organizational.6-09.j",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0214.09j1Organizational.6-09.j"
      },
      {
        "name": "hipaa-0215.09j2Organizational.8-09.j",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0215.09j2Organizational.8-09.j"
      },
      {
        "name": "hipaa-0216.09j2Organizational.9-09.j",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0216.09j2Organizational.9-09.j"
      },
      {
        "name": "hipaa-0217.09j2Organizational.10-09.j",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0217.09j2Organizational.10-09.j"
      },
      {
        "name": "hipaa-0219.09j2Organizational.12-09.j",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0219.09j2Organizational.12-09.j"
      },
      {
        "name": "hipaa-0225.09k1Organizational.1-09.k",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0225.09k1Organizational.1-09.k"
      },
      {
        "name": "hipaa-0226.09k1Organizational.2-09.k",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0226.09k1Organizational.2-09.k"
      },
      {
        "name": "hipaa-0227.09k2Organizational.12-09.k",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0227.09k2Organizational.12-09.k"
      },
      {
        "name": "hipaa-0228.09k2Organizational.3-09.k",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0228.09k2Organizational.3-09.k"
      },
      {
        "name": "hipaa-0301.09o1Organizational.123-09.o",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0301.09o1Organizational.123-09.o"
      },
      {
        "name": "hipaa-0302.09o2Organizational.1-09.o",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0302.09o2Organizational.1-09.o"
      },
      {
        "name": "hipaa-0303.09o2Organizational.2-09.o",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0303.09o2Organizational.2-09.o"
      },
      {
        "name": "hipaa-0304.09o3Organizational.1-09.o",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0304.09o3Organizational.1-09.o"
      },
      {
        "name": "hipaa-0305.09q1Organizational.12-09.q",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0305.09q1Organizational.12-09.q"
      },
      {
        "name": "hipaa-0306.09q1Organizational.3-09.q",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0306.09q1Organizational.3-09.q"
      },
      {
        "name": "hipaa-0307.09q2Organizational.12-09.q",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0307.09q2Organizational.12-09.q"
      },
      {
        "name": "hipaa-0308.09q3Organizational.1-09.q",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0308.09q3Organizational.1-09.q"
      },
      {
        "name": "hipaa-0314.09q3Organizational.2-09.q",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0314.09q3Organizational.2-09.q"
      },
      {
        "name": "hipaa-0401.01x1System.124579-01.x",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0401.01x1System.124579-01.x"
      },
      {
        "name": "hipaa-0403.01x1System.8-01.x",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0403.01x1System.8-01.x"
      },
      {
        "name": "hipaa-0404.01x1System.1011-01.x",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0404.01x1System.1011-01.x"
      },
      {
        "name": "hipaa-0405.01y1Organizational.12345678-01.y",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0405.01y1Organizational.12345678-01.y"
      },
      {
        "name": "hipaa-0407.01y2Organizational.1-01.y",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0407.01y2Organizational.1-01.y"
      },
      {
        "name": "hipaa-0408.01y3Organizational.12-01.y",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0408.01y3Organizational.12-01.y"
      },
      {
        "name": "hipaa-0409.01y3Organizational.3-01.y",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0409.01y3Organizational.3-01.y"
      },
      {
        "name": "hipaa-0410.01x1System.12-01.xMobileComputingandCommunications",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0410.01x1System.12-01.xMobileComputingandCommunications"
      },
      {
        "name": "hipaa-0415.01y1Organizational.10-01.y",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0415.01y1Organizational.10-01.y"
      },
      {
        "name": "hipaa-0416.01y3Organizational.4-01.y",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0416.01y3Organizational.4-01.y"
      },
      {
        "name": "hipaa-0417.01y3Organizational.5-01.y",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0417.01y3Organizational.5-01.y"
      },
      {
        "name": "hipaa-0425.01x1System.13-01.x",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0425.01x1System.13-01.x"
      },
      {
        "name": "hipaa-0426.01x2System.1-01.x",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0426.01x2System.1-01.x"
      },
      {
        "name": "hipaa-0427.01x2System.2-01.x",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0427.01x2System.2-01.x"
      },
      {
        "name": "hipaa-0428.01x2System.3-01.x",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0428.01x2System.3-01.x"
      },
      {
        "name": "hipaa-0429.01x1System.14-01.x",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0429.01x1System.14-01.x"
      },
      {
        "name": "hipaa-0501.09m1Organizational.1-09.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0501.09m1Organizational.1-09.m"
      },
      {
        "name": "hipaa-0502.09m1Organizational.5-09.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0502.09m1Organizational.5-09.m"
      },
      {
        "name": "hipaa-0503.09m1Organizational.6-09.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0503.09m1Organizational.6-09.m"
      },
      {
        "name": "hipaa-0504.09m2Organizational.5-09.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0504.09m2Organizational.5-09.m"
      },
      {
        "name": "hipaa-0505.09m2Organizational.3-09.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0505.09m2Organizational.3-09.m"
      },
      {
        "name": "hipaa-0601.06g1Organizational.124-06.g",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0601.06g1Organizational.124-06.g"
      },
      {
        "name": "hipaa-0602.06g1Organizational.3-06.g",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0602.06g1Organizational.3-06.g"
      },
      {
        "name": "hipaa-0603.06g2Organizational.1-06.g",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0603.06g2Organizational.1-06.g"
      },
      {
        "name": "hipaa-0604.06g2Organizational.2-06.g",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0604.06g2Organizational.2-06.g"
      },
      {
        "name": "hipaa-0605.10h1System.12-10.h",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0605.10h1System.12-10.h"
      },
      {
        "name": "hipaa-0606.10h2System.1-10.h",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0606.10h2System.1-10.h"
      },
      {
        "name": "hipaa-0607.10h2System.23-10.h",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0607.10h2System.23-10.h"
      },
      {
        "name": "hipaa-0613.06h1Organizational.12-06.h",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0613.06h1Organizational.12-06.h"
      },
      {
        "name": "hipaa-0614.06h2Organizational.12-06.h",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0614.06h2Organizational.12-06.h"
      },
      {
        "name": "hipaa-0615.06h2Organizational.3-06.h",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0615.06h2Organizational.3-06.h"
      },
      {
        "name": "hipaa-0618.09b1System.1-09.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0618.09b1System.1-09.b"
      },
      {
        "name": "hipaa-0619.09b2System.12-09.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0619.09b2System.12-09.b"
      },
      {
        "name": "hipaa-0620.09b2System.3-09.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0620.09b2System.3-09.b"
      },
      {
        "name": "hipaa-0626.10h1System.3-10.h",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0626.10h1System.3-10.h"
      },
      {
        "name": "hipaa-0627.10h1System.45-10.h",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0627.10h1System.45-10.h"
      },
      {
        "name": "hipaa-0628.10h1System.6-10.h",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0628.10h1System.6-10.h"
      },
      {
        "name": "hipaa-0629.10h2System.45-10.h",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0629.10h2System.45-10.h"
      },
      {
        "name": "hipaa-0630.10h2System.6-10.h",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0630.10h2System.6-10.h"
      },
      {
        "name": "hipaa-0635.10k1Organizational.12-10.k",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0635.10k1Organizational.12-10.k"
      },
      {
        "name": "hipaa-0636.10k2Organizational.1-10.k",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0636.10k2Organizational.1-10.k"
      },
      {
        "name": "hipaa-0637.10k2Organizational.2-10.k",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0637.10k2Organizational.2-10.k"
      },
      {
        "name": "hipaa-0638.10k2Organizational.34569-10.k",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0638.10k2Organizational.34569-10.k"
      },
      {
        "name": "hipaa-0639.10k2Organizational.78-10.k",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0639.10k2Organizational.78-10.k"
      },
      {
        "name": "hipaa-0640.10k2Organizational.1012-10.k",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0640.10k2Organizational.1012-10.k"
      },
      {
        "name": "hipaa-0641.10k2Organizational.11-10.k",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0641.10k2Organizational.11-10.k"
      },
      {
        "name": "hipaa-0642.10k3Organizational.12-10.k",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0642.10k3Organizational.12-10.k"
      },
      {
        "name": "hipaa-0643.10k3Organizational.3-10.k",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0643.10k3Organizational.3-10.k"
      },
      {
        "name": "hipaa-0644.10k3Organizational.4-10.k",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0644.10k3Organizational.4-10.k"
      },
      {
        "name": "hipaa-0662.09sCSPOrganizational.2-09.s",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0662.09sCSPOrganizational.2-09.s"
      },
      {
        "name": "hipaa-0663.10h1System.7-10.h",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0663.10h1System.7-10.h"
      },
      {
        "name": "hipaa-0663.10h2Organizational.9-10.h",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0663.10h2Organizational.9-10.h"
      },
      {
        "name": "hipaa-0664.10h2Organizational.10-10.h",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0664.10h2Organizational.10-10.h"
      },
      {
        "name": "hipaa-0669.10hCSPSystem.1-10.h",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0669.10hCSPSystem.1-10.h"
      },
      {
        "name": "hipaa-0670.10hCSPSystem.2-10.h",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0670.10hCSPSystem.2-10.h"
      },
      {
        "name": "hipaa-0671.10k1System.1-10.k",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0671.10k1System.1-10.k"
      },
      {
        "name": "hipaa-0672.10k3System.5-10.k",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0672.10k3System.5-10.k"
      },
      {
        "name": "hipaa-068.06g2Organizational.34-06.g",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-068.06g2Organizational.34-06.g"
      },
      {
        "name": "hipaa-069.06g2Organizational.56-06.g",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-069.06g2Organizational.56-06.g"
      },
      {
        "name": "hipaa-0701.07a1Organizational.12-07.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0701.07a1Organizational.12-07.a"
      },
      {
        "name": "hipaa-0702.07a1Organizational.3-07.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0702.07a1Organizational.3-07.a"
      },
      {
        "name": "hipaa-0703.07a2Organizational.1-07.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0703.07a2Organizational.1-07.a"
      },
      {
        "name": "hipaa-0704.07a3Organizational.12-07.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0704.07a3Organizational.12-07.a"
      },
      {
        "name": "hipaa-0705.07a3Organizational.3-07.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0705.07a3Organizational.3-07.a"
      },
      {
        "name": "hipaa-0706.10b1System.12-10.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0706.10b1System.12-10.b"
      },
      {
        "name": "hipaa-0707.10b2System.1-10.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0707.10b2System.1-10.b"
      },
      {
        "name": "hipaa-0708.10b2System.2-10.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0708.10b2System.2-10.b"
      },
      {
        "name": "hipaa-0709.10m1Organizational.1-10.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0709.10m1Organizational.1-10.m"
      },
      {
        "name": "hipaa-0710.10m2Organizational.1-10.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0710.10m2Organizational.1-10.m"
      },
      {
        "name": "hipaa-0711.10m2Organizational.23-10.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0711.10m2Organizational.23-10.m"
      },
      {
        "name": "hipaa-0712.10m2Organizational.4-10.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0712.10m2Organizational.4-10.m"
      },
      {
        "name": "hipaa-0713.10m2Organizational.5-10.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0713.10m2Organizational.5-10.m"
      },
      {
        "name": "hipaa-0714.10m2Organizational.7-10.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0714.10m2Organizational.7-10.m"
      },
      {
        "name": "hipaa-0715.10m2Organizational.8-10.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0715.10m2Organizational.8-10.m"
      },
      {
        "name": "hipaa-0716.10m3Organizational.1-10.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0716.10m3Organizational.1-10.m"
      },
      {
        "name": "hipaa-0717.10m3Organizational.2-10.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0717.10m3Organizational.2-10.m"
      },
      {
        "name": "hipaa-0718.10m3Organizational.34-10.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0718.10m3Organizational.34-10.m"
      },
      {
        "name": "hipaa-0719.10m3Organizational.5-10.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0719.10m3Organizational.5-10.m"
      },
      {
        "name": "hipaa-0720.07a1Organizational.4-07.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0720.07a1Organizational.4-07.a"
      },
      {
        "name": "hipaa-0721.07a1Organizational.5-07.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0721.07a1Organizational.5-07.a"
      },
      {
        "name": "hipaa-0722.07a1Organizational.67-07.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0722.07a1Organizational.67-07.a"
      },
      {
        "name": "hipaa-0723.07a1Organizational.8-07.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0723.07a1Organizational.8-07.a"
      },
      {
        "name": "hipaa-0724.07a3Organizational.4-07.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0724.07a3Organizational.4-07.a"
      },
      {
        "name": "hipaa-0725.07a3Organizational.5-07.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0725.07a3Organizational.5-07.a"
      },
      {
        "name": "hipaa-0733.10b2System.4-10.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0733.10b2System.4-10.b"
      },
      {
        "name": "hipaa-0786.10m2Organizational.13-10.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0786.10m2Organizational.13-10.m"
      },
      {
        "name": "hipaa-0787.10m2Organizational.14-10.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0787.10m2Organizational.14-10.m"
      },
      {
        "name": "hipaa-0788.10m3Organizational.20-10.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0788.10m3Organizational.20-10.m"
      },
      {
        "name": "hipaa-0789.10m3Organizational.21-10.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0789.10m3Organizational.21-10.m"
      },
      {
        "name": "hipaa-0790.10m3Organizational.22-10.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0790.10m3Organizational.22-10.m"
      },
      {
        "name": "hipaa-0791.10b2Organizational.4-10.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0791.10b2Organizational.4-10.b"
      },
      {
        "name": "hipaa-0805.01m1Organizational.12-01.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0805.01m1Organizational.12-01.m"
      },
      {
        "name": "hipaa-0806.01m2Organizational.12356-01.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0806.01m2Organizational.12356-01.m"
      },
      {
        "name": "hipaa-0808.10b2System.3-10.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0808.10b2System.3-10.b"
      },
      {
        "name": "hipaa-0809.01n2Organizational.1234-01.n",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0809.01n2Organizational.1234-01.n"
      },
      {
        "name": "hipaa-0810.01n2Organizational.5-01.n",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0810.01n2Organizational.5-01.n"
      },
      {
        "name": "hipaa-08101.09m2Organizational.14-09.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-08101.09m2Organizational.14-09.m"
      },
      {
        "name": "hipaa-08102.09nCSPOrganizational.1-09.n",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-08102.09nCSPOrganizational.1-09.n"
      },
      {
        "name": "hipaa-0811.01n2Organizational.6-01.n",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0811.01n2Organizational.6-01.n"
      },
      {
        "name": "hipaa-0812.01n2Organizational.8-01.n",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0812.01n2Organizational.8-01.n"
      },
      {
        "name": "hipaa-0814.01n1Organizational.12-01.n",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0814.01n1Organizational.12-01.n"
      },
      {
        "name": "hipaa-0815.01o2Organizational.123-01.o",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0815.01o2Organizational.123-01.o"
      },
      {
        "name": "hipaa-0816.01w1System.1-01.w",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0816.01w1System.1-01.w"
      },
      {
        "name": "hipaa-0817.01w2System.123-01.w",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0817.01w2System.123-01.w"
      },
      {
        "name": "hipaa-0818.01w3System.12-01.w",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0818.01w3System.12-01.w"
      },
      {
        "name": "hipaa-0819.09m1Organizational.23-09.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0819.09m1Organizational.23-09.m"
      },
      {
        "name": "hipaa-0820.09m2Organizational.1-09.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0820.09m2Organizational.1-09.m"
      },
      {
        "name": "hipaa-0821.09m2Organizational.2-09.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0821.09m2Organizational.2-09.m"
      },
      {
        "name": "hipaa-0822.09m2Organizational.4-09.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0822.09m2Organizational.4-09.m"
      },
      {
        "name": "hipaa-0824.09m3Organizational.1-09.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0824.09m3Organizational.1-09.m"
      },
      {
        "name": "hipaa-0825.09m3Organizational.23-09.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0825.09m3Organizational.23-09.m"
      },
      {
        "name": "hipaa-0826.09m3Organizational.45-09.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0826.09m3Organizational.45-09.m"
      },
      {
        "name": "hipaa-0827.09m3Organizational.6-09.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0827.09m3Organizational.6-09.m"
      },
      {
        "name": "hipaa-0828.09m3Organizational.8-09.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0828.09m3Organizational.8-09.m"
      },
      {
        "name": "hipaa-0829.09m3Organizational.911-09.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0829.09m3Organizational.911-09.m"
      },
      {
        "name": "hipaa-0830.09m3Organizational.1012-09.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0830.09m3Organizational.1012-09.m"
      },
      {
        "name": "hipaa-0832.09m3Organizational.14-09.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0832.09m3Organizational.14-09.m"
      },
      {
        "name": "hipaa-0835.09n1Organizational.1-09.n",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0835.09n1Organizational.1-09.n"
      },
      {
        "name": "hipaa-0836.09.n2Organizational.1-09.n",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0836.09.n2Organizational.1-09.n"
      },
      {
        "name": "hipaa-0837.09.n2Organizational.2-09.n",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0837.09.n2Organizational.2-09.n"
      },
      {
        "name": "hipaa-0850.01o1Organizational.12-01.o",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0850.01o1Organizational.12-01.o"
      },
      {
        "name": "hipaa-0858.09m1Organizational.4-09.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0858.09m1Organizational.4-09.m"
      },
      {
        "name": "hipaa-0859.09m1Organizational.78-09.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0859.09m1Organizational.78-09.m"
      },
      {
        "name": "hipaa-0860.09m1Organizational.9-09.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0860.09m1Organizational.9-09.m"
      },
      {
        "name": "hipaa-0861.09m2Organizational.67-09.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0861.09m2Organizational.67-09.m"
      },
      {
        "name": "hipaa-0862.09m2Organizational.8-09.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0862.09m2Organizational.8-09.m"
      },
      {
        "name": "hipaa-0863.09m2Organizational.910-09.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0863.09m2Organizational.910-09.m"
      },
      {
        "name": "hipaa-0864.09m2Organizational.12-09.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0864.09m2Organizational.12-09.m"
      },
      {
        "name": "hipaa-0865.09m2Organizational.13-09.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0865.09m2Organizational.13-09.m"
      },
      {
        "name": "hipaa-0866.09m3Organizational.1516-09.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0866.09m3Organizational.1516-09.m"
      },
      {
        "name": "hipaa-0867.09m3Organizational.17-09.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0867.09m3Organizational.17-09.m"
      },
      {
        "name": "hipaa-0868.09m3Organizational.18-09.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0868.09m3Organizational.18-09.m"
      },
      {
        "name": "hipaa-0869.09m3Organizational.19-09.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0869.09m3Organizational.19-09.m"
      },
      {
        "name": "hipaa-0870.09m3Organizational.20-09.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0870.09m3Organizational.20-09.m"
      },
      {
        "name": "hipaa-0871.09m3Organizational.22-09.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0871.09m3Organizational.22-09.m"
      },
      {
        "name": "hipaa-0885.09n2Organizational.3-09.n",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0885.09n2Organizational.3-09.n"
      },
      {
        "name": "hipaa-0886.09n2Organizational.4-09.n",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0886.09n2Organizational.4-09.n"
      },
      {
        "name": "hipaa-0887.09n2Organizational.5-09.n",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0887.09n2Organizational.5-09.n"
      },
      {
        "name": "hipaa-0888.09n2Organizational.6-09.n",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0888.09n2Organizational.6-09.n"
      },
      {
        "name": "hipaa-0894.01m2Organizational.7-01.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0894.01m2Organizational.7-01.m"
      },
      {
        "name": "hipaa-0901.09s1Organizational.1-09.s",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0901.09s1Organizational.1-09.s"
      },
      {
        "name": "hipaa-0902.09s2Organizational.13-09.s",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0902.09s2Organizational.13-09.s"
      },
      {
        "name": "hipaa-0903.10f1Organizational.1-10.f",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0903.10f1Organizational.1-10.f"
      },
      {
        "name": "hipaa-0904.10f2Organizational.1-10.f",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0904.10f2Organizational.1-10.f"
      },
      {
        "name": "hipaa-0911.09s1Organizational.2-09.s",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0911.09s1Organizational.2-09.s"
      },
      {
        "name": "hipaa-0912.09s1Organizational.4-09.s",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0912.09s1Organizational.4-09.s"
      },
      {
        "name": "hipaa-0913.09s1Organizational.5-09.s",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0913.09s1Organizational.5-09.s"
      },
      {
        "name": "hipaa-0914.09s1Organizational.6-09.s",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0914.09s1Organizational.6-09.s"
      },
      {
        "name": "hipaa-0915.09s2Organizational.2-09.s",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0915.09s2Organizational.2-09.s"
      },
      {
        "name": "hipaa-0916.09s2Organizational.4-09.s",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0916.09s2Organizational.4-09.s"
      },
      {
        "name": "hipaa-0925.09v1Organizational.1-09.v",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0925.09v1Organizational.1-09.v"
      },
      {
        "name": "hipaa-0926.09v1Organizational.2-09.v",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0926.09v1Organizational.2-09.v"
      },
      {
        "name": "hipaa-0927.09v1Organizational.3-09.v",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0927.09v1Organizational.3-09.v"
      },
      {
        "name": "hipaa-0928.09v1Organizational.45-09.v",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0928.09v1Organizational.45-09.v"
      },
      {
        "name": "hipaa-0929.09v1Organizational.6-09.v",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0929.09v1Organizational.6-09.v"
      },
      {
        "name": "hipaa-0938.09x1Organizational.1-09.x",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0938.09x1Organizational.1-09.x"
      },
      {
        "name": "hipaa-0939.09x2Organizational.12-09.x",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0939.09x2Organizational.12-09.x"
      },
      {
        "name": "hipaa-0940.09x2Organizational.3-09.x",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0940.09x2Organizational.3-09.x"
      },
      {
        "name": "hipaa-0941.09x2Organizational.4-09.x",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0941.09x2Organizational.4-09.x"
      },
      {
        "name": "hipaa-0942.09x2Organizational.5-09.x",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0942.09x2Organizational.5-09.x"
      },
      {
        "name": "hipaa-0943.09y1Organizational.1-09.y",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0943.09y1Organizational.1-09.y"
      },
      {
        "name": "hipaa-0944.09y1Organizational.2-09.y",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0944.09y1Organizational.2-09.y"
      },
      {
        "name": "hipaa-0945.09y1Organizational.3-09.y",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0945.09y1Organizational.3-09.y"
      },
      {
        "name": "hipaa-0946.09y2Organizational.14-09.y",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0946.09y2Organizational.14-09.y"
      },
      {
        "name": "hipaa-0947.09y2Organizational.2-09.y",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0947.09y2Organizational.2-09.y"
      },
      {
        "name": "hipaa-0948.09y2Organizational.3-09.y",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0948.09y2Organizational.3-09.y"
      },
      {
        "name": "hipaa-0949.09y2Organizational.5-09.y",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0949.09y2Organizational.5-09.y"
      },
      {
        "name": "hipaa-0960.09sCSPOrganizational.1-09.s",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0960.09sCSPOrganizational.1-09.s"
      },
      {
        "name": "hipaa-0961.09v1Organizational.7-09.v",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-0961.09v1Organizational.7-09.v"
      },
      {
        "name": "hipaa-099.09m2Organizational.11-09.m",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-099.09m2Organizational.11-09.m"
      },
      {
        "name": "hipaa-1002.01d1System.1-01.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1002.01d1System.1-01.d"
      },
      {
        "name": "hipaa-1003.01d1System.3-01.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1003.01d1System.3-01.d"
      },
      {
        "name": "hipaa-1004.01d1System.8913-01.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1004.01d1System.8913-01.d"
      },
      {
        "name": "hipaa-1005.01d1System.1011-01.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1005.01d1System.1011-01.d"
      },
      {
        "name": "hipaa-1006.01d2System.1-01.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1006.01d2System.1-01.d"
      },
      {
        "name": "hipaa-1007.01d2System.2-01.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1007.01d2System.2-01.d"
      },
      {
        "name": "hipaa-1008.01d2System.3-01.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1008.01d2System.3-01.d"
      },
      {
        "name": "hipaa-1009.01d2System.4-01.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1009.01d2System.4-01.d"
      },
      {
        "name": "hipaa-1010.01d2System.5-01.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1010.01d2System.5-01.d"
      },
      {
        "name": "hipaa-1014.01d1System.12-01.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1014.01d1System.12-01.d"
      },
      {
        "name": "hipaa-1015.01d1System.14-01.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1015.01d1System.14-01.d"
      },
      {
        "name": "hipaa-1022.01d1System.15-01.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1022.01d1System.15-01.d"
      },
      {
        "name": "hipaa-1027.01d2System.6-01.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1027.01d2System.6-01.d"
      },
      {
        "name": "hipaa-1031.01d1System.34510-01.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1031.01d1System.34510-01.d"
      },
      {
        "name": "hipaa-1106.01b1System.1-01.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1106.01b1System.1-01.b"
      },
      {
        "name": "hipaa-1107.01b1System.2-01.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1107.01b1System.2-01.b"
      },
      {
        "name": "hipaa-1108.01b1System.3-01.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1108.01b1System.3-01.b"
      },
      {
        "name": "hipaa-1109.01b1System.479-01.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1109.01b1System.479-01.b"
      },
      {
        "name": "hipaa-1110.01b1System.5-01.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1110.01b1System.5-01.b"
      },
      {
        "name": "hipaa-11109.01q1Organizational.57-01.q",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-11109.01q1Organizational.57-01.q"
      },
      {
        "name": "hipaa-1111.01b2System.1-01.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1111.01b2System.1-01.b"
      },
      {
        "name": "hipaa-11110.01q1Organizational.6-01.q",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-11110.01q1Organizational.6-01.q"
      },
      {
        "name": "hipaa-11111.01q2System.4-01.q",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-11111.01q2System.4-01.q"
      },
      {
        "name": "hipaa-11112.01q2Organizational.67-01.q",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-11112.01q2Organizational.67-01.q"
      },
      {
        "name": "hipaa-1112.01b2System.2-01.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1112.01b2System.2-01.b"
      },
      {
        "name": "hipaa-11126.01t1Organizational.12-01.t",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-11126.01t1Organizational.12-01.t"
      },
      {
        "name": "hipaa-1114.01h1Organizational.123-01.h",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1114.01h1Organizational.123-01.h"
      },
      {
        "name": "hipaa-1115.01h1Organizational.45-01.h",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1115.01h1Organizational.45-01.h"
      },
      {
        "name": "hipaa-11154.02i1Organizational.5-02.i",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-11154.02i1Organizational.5-02.i"
      },
      {
        "name": "hipaa-11155.02i2Organizational.2-02.i",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-11155.02i2Organizational.2-02.i"
      },
      {
        "name": "hipaa-1116.01j1Organizational.145-01.j",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1116.01j1Organizational.145-01.j"
      },
      {
        "name": "hipaa-1117.01j1Organizational.23-01.j",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1117.01j1Organizational.23-01.j"
      },
      {
        "name": "hipaa-1118.01j2Organizational.124-01.j",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1118.01j2Organizational.124-01.j"
      },
      {
        "name": "hipaa-11180.01c3System.6-01.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-11180.01c3System.6-01.c"
      },
      {
        "name": "hipaa-1119.01j2Organizational.3-01.j",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1119.01j2Organizational.3-01.j"
      },
      {
        "name": "hipaa-11190.01t1Organizational.3-01.t",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-11190.01t1Organizational.3-01.t"
      },
      {
        "name": "hipaa-1120.09ab3System.9-09.ab",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1120.09ab3System.9-09.ab"
      },
      {
        "name": "hipaa-11200.01b2Organizational.3-01.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-11200.01b2Organizational.3-01.b"
      },
      {
        "name": "hipaa-11208.01q1Organizational.8-01.q",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-11208.01q1Organizational.8-01.q"
      },
      {
        "name": "hipaa-11209.01q2Organizational.9-01.q",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-11209.01q2Organizational.9-01.q"
      },
      {
        "name": "hipaa-1121.01j3Organizational.2-01.j",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1121.01j3Organizational.2-01.j"
      },
      {
        "name": "hipaa-11210.01q2Organizational.10-01.q",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-11210.01q2Organizational.10-01.q"
      },
      {
        "name": "hipaa-11211.01q2Organizational.11-01.q",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-11211.01q2Organizational.11-01.q"
      },
      {
        "name": "hipaa-11219.01b1Organizational.10-01.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-11219.01b1Organizational.10-01.b"
      },
      {
        "name": "hipaa-1122.01q1System.1-01.q",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1122.01q1System.1-01.q"
      },
      {
        "name": "hipaa-11220.01b1System.10-01.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-11220.01b1System.10-01.b"
      },
      {
        "name": "hipaa-1123.01q1System.2-01.q",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1123.01q1System.2-01.q"
      },
      {
        "name": "hipaa-1124.01q1System.34-01.q",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1124.01q1System.34-01.q"
      },
      {
        "name": "hipaa-1125.01q2System.1-01.q",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1125.01q2System.1-01.q"
      },
      {
        "name": "hipaa-1127.01q2System.3-01.q",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1127.01q2System.3-01.q"
      },
      {
        "name": "hipaa-1128.01q2System.5-01.q",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1128.01q2System.5-01.q"
      },
      {
        "name": "hipaa-1129.01v1System.12-01.v",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1129.01v1System.12-01.v"
      },
      {
        "name": "hipaa-1130.01v2System.1-01.v",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1130.01v2System.1-01.v"
      },
      {
        "name": "hipaa-1131.01v2System.2-01.v",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1131.01v2System.2-01.v"
      },
      {
        "name": "hipaa-1132.01v2System.3-01.v",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1132.01v2System.3-01.v"
      },
      {
        "name": "hipaa-1133.01v2System.4-01.v",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1133.01v2System.4-01.v"
      },
      {
        "name": "hipaa-1134.01v3System.1-01.v",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1134.01v3System.1-01.v"
      },
      {
        "name": "hipaa-1135.02i1Organizational.1234-02.i",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1135.02i1Organizational.1234-02.i"
      },
      {
        "name": "hipaa-1136.02i2Organizational.1-02.i",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1136.02i2Organizational.1-02.i"
      },
      {
        "name": "hipaa-1137.06e1Organizational.1-06.e",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1137.06e1Organizational.1-06.e"
      },
      {
        "name": "hipaa-1138.06e2Organizational.12-06.e",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1138.06e2Organizational.12-06.e"
      },
      {
        "name": "hipaa-1139.01b1System.68-01.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1139.01b1System.68-01.b"
      },
      {
        "name": "hipaa-1143.01c1System.123-01.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1143.01c1System.123-01.c"
      },
      {
        "name": "hipaa-1144.01c1System.4-01.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1144.01c1System.4-01.c"
      },
      {
        "name": "hipaa-1145.01c2System.1-01.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1145.01c2System.1-01.c"
      },
      {
        "name": "hipaa-1146.01c2System.23-01.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1146.01c2System.23-01.c"
      },
      {
        "name": "hipaa-1147.01c2System.456-01.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1147.01c2System.456-01.c"
      },
      {
        "name": "hipaa-1148.01c2System.78-01.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1148.01c2System.78-01.c"
      },
      {
        "name": "hipaa-1149.01c2System.9-01.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1149.01c2System.9-01.c"
      },
      {
        "name": "hipaa-1150.01c2System.10-01.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1150.01c2System.10-01.c"
      },
      {
        "name": "hipaa-1151.01c3System.1-01.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1151.01c3System.1-01.c"
      },
      {
        "name": "hipaa-1152.01c3System.2-01.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1152.01c3System.2-01.c"
      },
      {
        "name": "hipaa-1153.01c3System.35-01.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1153.01c3System.35-01.c"
      },
      {
        "name": "hipaa-1154.01c3System.4-01.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1154.01c3System.4-01.c"
      },
      {
        "name": "hipaa-1166.01e1System.12-01.e",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1166.01e1System.12-01.e"
      },
      {
        "name": "hipaa-1167.01e2System.1-01.e",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1167.01e2System.1-01.e"
      },
      {
        "name": "hipaa-1168.01e2System.2-01.e",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1168.01e2System.2-01.e"
      },
      {
        "name": "hipaa-1173.01j1Organizational.6-01.j",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1173.01j1Organizational.6-01.j"
      },
      {
        "name": "hipaa-1174.01j1Organizational.7-01.j",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1174.01j1Organizational.7-01.j"
      },
      {
        "name": "hipaa-1175.01j1Organizational.8-01.j",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1175.01j1Organizational.8-01.j"
      },
      {
        "name": "hipaa-1176.01j2Organizational.5-01.j",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1176.01j2Organizational.5-01.j"
      },
      {
        "name": "hipaa-1177.01j2Organizational.6-01.j",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1177.01j2Organizational.6-01.j"
      },
      {
        "name": "hipaa-1178.01j2Organizational.7-01.j",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1178.01j2Organizational.7-01.j"
      },
      {
        "name": "hipaa-1179.01j3Organizational.1-01.j",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1179.01j3Organizational.1-01.j"
      },
      {
        "name": "hipaa-1192.01l1Organizational.1-01.l",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1192.01l1Organizational.1-01.l"
      },
      {
        "name": "hipaa-1193.01l2Organizational.13-01.l",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1193.01l2Organizational.13-01.l"
      },
      {
        "name": "hipaa-1194.01l2Organizational.2-01.l",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1194.01l2Organizational.2-01.l"
      },
      {
        "name": "hipaa-1195.01l3Organizational.1-01.l",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1195.01l3Organizational.1-01.l"
      },
      {
        "name": "hipaa-1196.01l3Organizational.24-01.l",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1196.01l3Organizational.24-01.l"
      },
      {
        "name": "hipaa-1197.01l3Organizational.3-01.l",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1197.01l3Organizational.3-01.l"
      },
      {
        "name": "hipaa-1201.06e1Organizational.2-06.e",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1201.06e1Organizational.2-06.e"
      },
      {
        "name": "hipaa-1202.09aa1System.1-09.aa",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1202.09aa1System.1-09.aa"
      },
      {
        "name": "hipaa-1203.09aa1System.2-09.aa",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1203.09aa1System.2-09.aa"
      },
      {
        "name": "hipaa-1204.09aa1System.3-09.aa",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1204.09aa1System.3-09.aa"
      },
      {
        "name": "hipaa-1205.09aa2System.1-09.aa",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1205.09aa2System.1-09.aa"
      },
      {
        "name": "hipaa-1206.09aa2System.23-09.aa",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1206.09aa2System.23-09.aa"
      },
      {
        "name": "hipaa-1207.09aa2System.4-09.aa",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1207.09aa2System.4-09.aa"
      },
      {
        "name": "hipaa-1208.09aa3System.1-09.aa",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1208.09aa3System.1-09.aa"
      },
      {
        "name": "hipaa-1209.09aa3System.2-09.aa",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1209.09aa3System.2-09.aa"
      },
      {
        "name": "hipaa-1210.09aa3System.3-09.aa",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1210.09aa3System.3-09.aa"
      },
      {
        "name": "hipaa-12100.09ab2System.15-09.ab",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-12100.09ab2System.15-09.ab"
      },
      {
        "name": "hipaa-12101.09ab1Organizational.3-09.ab",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-12101.09ab1Organizational.3-09.ab"
      },
      {
        "name": "hipaa-12102.09ab1Organizational.4-09.ab",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-12102.09ab1Organizational.4-09.ab"
      },
      {
        "name": "hipaa-12103.09ab1Organizational.5-09.ab",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-12103.09ab1Organizational.5-09.ab"
      },
      {
        "name": "hipaa-1211.09aa3System.4-09.aa",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1211.09aa3System.4-09.aa"
      },
      {
        "name": "hipaa-1212.09ab1System.1-09.ab",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1212.09ab1System.1-09.ab"
      },
      {
        "name": "hipaa-1213.09ab2System.128-09.ab",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1213.09ab2System.128-09.ab"
      },
      {
        "name": "hipaa-1214.09ab2System.3456-09.ab",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1214.09ab2System.3456-09.ab"
      },
      {
        "name": "hipaa-1215.09ab2System.7-09.ab",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1215.09ab2System.7-09.ab"
      },
      {
        "name": "hipaa-1216.09ab3System.12-09.ab",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1216.09ab3System.12-09.ab"
      },
      {
        "name": "hipaa-1217.09ab3System.3-09.ab",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1217.09ab3System.3-09.ab"
      },
      {
        "name": "hipaa-1218.09ab3System.47-09.ab",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1218.09ab3System.47-09.ab"
      },
      {
        "name": "hipaa-1219.09ab3System.10-09.ab",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1219.09ab3System.10-09.ab"
      },
      {
        "name": "hipaa-1220.09ab3System.56-09.ab",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1220.09ab3System.56-09.ab"
      },
      {
        "name": "hipaa-1222.09ab3System.8-09.ab",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1222.09ab3System.8-09.ab"
      },
      {
        "name": "hipaa-1229.09c1Organizational.1-09.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1229.09c1Organizational.1-09.c"
      },
      {
        "name": "hipaa-1230.09c2Organizational.1-09.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1230.09c2Organizational.1-09.c"
      },
      {
        "name": "hipaa-1231.09c2Organizational.23-09.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1231.09c2Organizational.23-09.c"
      },
      {
        "name": "hipaa-1232.09c3Organizational.12-09.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1232.09c3Organizational.12-09.c"
      },
      {
        "name": "hipaa-1233.09c3Organizational.3-09.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1233.09c3Organizational.3-09.c"
      },
      {
        "name": "hipaa-1270.09ad1System.12-09.ad",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1270.09ad1System.12-09.ad"
      },
      {
        "name": "hipaa-1271.09ad1System.1-09.ad",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1271.09ad1System.1-09.ad"
      },
      {
        "name": "hipaa-1276.09c2Organizational.2-09.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1276.09c2Organizational.2-09.c"
      },
      {
        "name": "hipaa-1277.09c2Organizational.4-09.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1277.09c2Organizational.4-09.c"
      },
      {
        "name": "hipaa-1278.09c2Organizational.56-09.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1278.09c2Organizational.56-09.c"
      },
      {
        "name": "hipaa-1279.09c3Organizational.4-09.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1279.09c3Organizational.4-09.c"
      },
      {
        "name": "hipaa-1301.02e1Organizational.12-02.e",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1301.02e1Organizational.12-02.e"
      },
      {
        "name": "hipaa-1302.02e2Organizational.134-02.e",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1302.02e2Organizational.134-02.e"
      },
      {
        "name": "hipaa-1303.02e2Organizational.2-02.e",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1303.02e2Organizational.2-02.e"
      },
      {
        "name": "hipaa-1304.02e3Organizational.1-02.e",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1304.02e3Organizational.1-02.e"
      },
      {
        "name": "hipaa-1305.02e3Organizational.23-02.e",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1305.02e3Organizational.23-02.e"
      },
      {
        "name": "hipaa-1306.06e1Organizational.5-06.e",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1306.06e1Organizational.5-06.e"
      },
      {
        "name": "hipaa-1307.07c1Organizational.124-07.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1307.07c1Organizational.124-07.c"
      },
      {
        "name": "hipaa-1308.09j1Organizational.5-09.j",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1308.09j1Organizational.5-09.j"
      },
      {
        "name": "hipaa-1309.01x1System.36-01.x",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1309.01x1System.36-01.x"
      },
      {
        "name": "hipaa-1310.01y1Organizational.9-01.y",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1310.01y1Organizational.9-01.y"
      },
      {
        "name": "hipaa-1311.12c2Organizational.3-12.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1311.12c2Organizational.3-12.c"
      },
      {
        "name": "hipaa-1313.02e1Organizational.3-02.e",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1313.02e1Organizational.3-02.e"
      },
      {
        "name": "hipaa-1314.02e2Organizational.5-02.e",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1314.02e2Organizational.5-02.e"
      },
      {
        "name": "hipaa-1315.02e2Organizational.67-02.e",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1315.02e2Organizational.67-02.e"
      },
      {
        "name": "hipaa-1324.07c1Organizational.3-07.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1324.07c1Organizational.3-07.c"
      },
      {
        "name": "hipaa-1325.09s1Organizational.3-09.s",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1325.09s1Organizational.3-09.s"
      },
      {
        "name": "hipaa-1326.02e1Organizational.4-02.e",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1326.02e1Organizational.4-02.e"
      },
      {
        "name": "hipaa-1327.02e2Organizational.8-02.e",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1327.02e2Organizational.8-02.e"
      },
      {
        "name": "hipaa-1331.02e3Organizational.4-02.e",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1331.02e3Organizational.4-02.e"
      },
      {
        "name": "hipaa-1334.02e2Organizational.12-02.e",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1334.02e2Organizational.12-02.e"
      },
      {
        "name": "hipaa-1336.02e1Organizational.5-02.e",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1336.02e1Organizational.5-02.e"
      },
      {
        "name": "hipaa-1401.05i1Organizational.1239-05.i",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1401.05i1Organizational.1239-05.i"
      },
      {
        "name": "hipaa-1402.05i1Organizational.45-05.i",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1402.05i1Organizational.45-05.i"
      },
      {
        "name": "hipaa-1403.05i1Organizational.67-05.i",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1403.05i1Organizational.67-05.i"
      },
      {
        "name": "hipaa-1404.05i2Organizational.1-05.i",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1404.05i2Organizational.1-05.i"
      },
      {
        "name": "hipaa-1406.05k1Organizational.110-05.k",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1406.05k1Organizational.110-05.k"
      },
      {
        "name": "hipaa-1407.05k2Organizational.1-05.k",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1407.05k2Organizational.1-05.k"
      },
      {
        "name": "hipaa-1408.09e1System.1-09.e",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1408.09e1System.1-09.e"
      },
      {
        "name": "hipaa-1409.09e2System.1-09.e",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1409.09e2System.1-09.e"
      },
      {
        "name": "hipaa-1410.09e2System.23-09.e",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1410.09e2System.23-09.e"
      },
      {
        "name": "hipaa-1411.09f1System.1-09.f",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1411.09f1System.1-09.f"
      },
      {
        "name": "hipaa-1412.09f2System.12-09.f",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1412.09f2System.12-09.f"
      },
      {
        "name": "hipaa-1413.09f2System.3-09.f",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1413.09f2System.3-09.f"
      },
      {
        "name": "hipaa-1416.10l1Organizational.1-10.l",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1416.10l1Organizational.1-10.l"
      },
      {
        "name": "hipaa-1417.10l2Organizational.1-10.l",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1417.10l2Organizational.1-10.l"
      },
      {
        "name": "hipaa-1418.05i1Organizational.8-05.i",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1418.05i1Organizational.8-05.i"
      },
      {
        "name": "hipaa-1419.05j1Organizational.12-05.j",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1419.05j1Organizational.12-05.j"
      },
      {
        "name": "hipaa-1421.05j2Organizational.12-05.j",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1421.05j2Organizational.12-05.j"
      },
      {
        "name": "hipaa-1422.05j2Organizational.3-05.j",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1422.05j2Organizational.3-05.j"
      },
      {
        "name": "hipaa-1423.05j2Organizational.4-05.j",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1423.05j2Organizational.4-05.j"
      },
      {
        "name": "hipaa-1424.05j2Organizational.5-05.j",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1424.05j2Organizational.5-05.j"
      },
      {
        "name": "hipaa-1428.05k1Organizational.2-05.k",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1428.05k1Organizational.2-05.k"
      },
      {
        "name": "hipaa-1429.05k1Organizational.34-05.k",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1429.05k1Organizational.34-05.k"
      },
      {
        "name": "hipaa-1430.05k1Organizational.56-05.k",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1430.05k1Organizational.56-05.k"
      },
      {
        "name": "hipaa-1431.05k1Organizational.7-05.k",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1431.05k1Organizational.7-05.k"
      },
      {
        "name": "hipaa-1432.05k1Organizational.89-05.k",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1432.05k1Organizational.89-05.k"
      },
      {
        "name": "hipaa-1438.09e2System.4-09.e",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1438.09e2System.4-09.e"
      },
      {
        "name": "hipaa-1442.09f2System.456-09.f",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1442.09f2System.456-09.f"
      },
      {
        "name": "hipaa-1450.05i2Organizational.2-05.i",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1450.05i2Organizational.2-05.i"
      },
      {
        "name": "hipaa-1451.05iCSPOrganizational.2-05.i",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1451.05iCSPOrganizational.2-05.i"
      },
      {
        "name": "hipaa-1452.05kCSPOrganizational.1-05.k",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1452.05kCSPOrganizational.1-05.k"
      },
      {
        "name": "hipaa-1453.05kCSPOrganizational.2-05.k",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1453.05kCSPOrganizational.2-05.k"
      },
      {
        "name": "hipaa-1454.05kCSPOrganizational.3-05.k",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1454.05kCSPOrganizational.3-05.k"
      },
      {
        "name": "hipaa-1455.05kCSPOrganizational.4-05.k",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1455.05kCSPOrganizational.4-05.k"
      },
      {
        "name": "hipaa-1464.09e2Organizational.5-09.e",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1464.09e2Organizational.5-09.e"
      },
      {
        "name": "hipaa-1501.02f1Organizational.123-02.f",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1501.02f1Organizational.123-02.f"
      },
      {
        "name": "hipaa-1502.02f1Organizational.4-02.f",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1502.02f1Organizational.4-02.f"
      },
      {
        "name": "hipaa-1503.02f2Organizational.12-02.f",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1503.02f2Organizational.12-02.f"
      },
      {
        "name": "hipaa-1504.06e1Organizational.34-06.e",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1504.06e1Organizational.34-06.e"
      },
      {
        "name": "hipaa-1505.11a1Organizational.13-11.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1505.11a1Organizational.13-11.a"
      },
      {
        "name": "hipaa-1506.11a1Organizational.2-11.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1506.11a1Organizational.2-11.a"
      },
      {
        "name": "hipaa-1507.11a1Organizational.4-11.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1507.11a1Organizational.4-11.a"
      },
      {
        "name": "hipaa-1508.11a2Organizational.1-11.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1508.11a2Organizational.1-11.a"
      },
      {
        "name": "hipaa-1509.11a2Organizational.236-11.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1509.11a2Organizational.236-11.a"
      },
      {
        "name": "hipaa-1510.11a2Organizational.47-11.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1510.11a2Organizational.47-11.a"
      },
      {
        "name": "hipaa-1511.11a2Organizational.5-11.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1511.11a2Organizational.5-11.a"
      },
      {
        "name": "hipaa-1512.11a2Organizational.8-11.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1512.11a2Organizational.8-11.a"
      },
      {
        "name": "hipaa-1514.11a3Organizational.12-11.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1514.11a3Organizational.12-11.a"
      },
      {
        "name": "hipaa-1515.11a3Organizational.3-11.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1515.11a3Organizational.3-11.a"
      },
      {
        "name": "hipaa-1516.11c1Organizational.12-11.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1516.11c1Organizational.12-11.c"
      },
      {
        "name": "hipaa-1517.11c1Organizational.3-11.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1517.11c1Organizational.3-11.c"
      },
      {
        "name": "hipaa-1518.11c2Organizational.13-11.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1518.11c2Organizational.13-11.c"
      },
      {
        "name": "hipaa-1519.11c2Organizational.2-11.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1519.11c2Organizational.2-11.c"
      },
      {
        "name": "hipaa-1520.11c2Organizational.4-11.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1520.11c2Organizational.4-11.c"
      },
      {
        "name": "hipaa-1521.11c2Organizational.56-11.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1521.11c2Organizational.56-11.c"
      },
      {
        "name": "hipaa-1522.11c3Organizational.13-11.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1522.11c3Organizational.13-11.c"
      },
      {
        "name": "hipaa-1523.11c3Organizational.24-11.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1523.11c3Organizational.24-11.c"
      },
      {
        "name": "hipaa-1524.11a1Organizational.5-11.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1524.11a1Organizational.5-11.a"
      },
      {
        "name": "hipaa-1525.11a1Organizational.6-11.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1525.11a1Organizational.6-11.a"
      },
      {
        "name": "hipaa-1560.11d1Organizational.1-11.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1560.11d1Organizational.1-11.d"
      },
      {
        "name": "hipaa-1561.11d2Organizational.14-11.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1561.11d2Organizational.14-11.d"
      },
      {
        "name": "hipaa-1562.11d2Organizational.2-11.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1562.11d2Organizational.2-11.d"
      },
      {
        "name": "hipaa-1563.11d2Organizational.3-11.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1563.11d2Organizational.3-11.d"
      },
      {
        "name": "hipaa-1577.11aCSPOrganizational.1-11.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1577.11aCSPOrganizational.1-11.a"
      },
      {
        "name": "hipaa-1581.02f1Organizational.7-02.f",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1581.02f1Organizational.7-02.f"
      },
      {
        "name": "hipaa-1587.11c2Organizational.10-11.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1587.11c2Organizational.10-11.c"
      },
      {
        "name": "hipaa-1589.11c1Organizational.5-11.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1589.11c1Organizational.5-11.c"
      },
      {
        "name": "hipaa-1601.12c1Organizational.1238-12.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1601.12c1Organizational.1238-12.c"
      },
      {
        "name": "hipaa-1602.12c1Organizational.4567-12.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1602.12c1Organizational.4567-12.c"
      },
      {
        "name": "hipaa-1603.12c1Organizational.9-12.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1603.12c1Organizational.9-12.c"
      },
      {
        "name": "hipaa-1604.12c2Organizational.16789-12.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1604.12c2Organizational.16789-12.c"
      },
      {
        "name": "hipaa-1605.12c2Organizational.2-12.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1605.12c2Organizational.2-12.c"
      },
      {
        "name": "hipaa-1607.12c2Organizational.4-12.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1607.12c2Organizational.4-12.c"
      },
      {
        "name": "hipaa-1608.12c2Organizational.5-12.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1608.12c2Organizational.5-12.c"
      },
      {
        "name": "hipaa-1609.12c3Organizational.12-12.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1609.12c3Organizational.12-12.c"
      },
      {
        "name": "hipaa-1616.09l1Organizational.16-09.l",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1616.09l1Organizational.16-09.l"
      },
      {
        "name": "hipaa-1617.09l1Organizational.23-09.l",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1617.09l1Organizational.23-09.l"
      },
      {
        "name": "hipaa-1618.09l1Organizational.45-09.l",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1618.09l1Organizational.45-09.l"
      },
      {
        "name": "hipaa-1619.09l1Organizational.7-09.l",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1619.09l1Organizational.7-09.l"
      },
      {
        "name": "hipaa-1620.09l1Organizational.8-09.l",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1620.09l1Organizational.8-09.l"
      },
      {
        "name": "hipaa-1621.09l2Organizational.1-09.l",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1621.09l2Organizational.1-09.l"
      },
      {
        "name": "hipaa-1622.09l2Organizational.23-09.l",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1622.09l2Organizational.23-09.l"
      },
      {
        "name": "hipaa-1623.09l2Organizational.4-09.l",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1623.09l2Organizational.4-09.l"
      },
      {
        "name": "hipaa-1624.09l3Organizational.12-09.l",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1624.09l3Organizational.12-09.l"
      },
      {
        "name": "hipaa-1625.09l3Organizational.34-09.l",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1625.09l3Organizational.34-09.l"
      },
      {
        "name": "hipaa-1626.09l3Organizational.5-09.l",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1626.09l3Organizational.5-09.l"
      },
      {
        "name": "hipaa-1627.09l3Organizational.6-09.l",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1627.09l3Organizational.6-09.l"
      },
      {
        "name": "hipaa-1634.12b1Organizational.1-12.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1634.12b1Organizational.1-12.b"
      },
      {
        "name": "hipaa-1635.12b1Organizational.2-12.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1635.12b1Organizational.2-12.b"
      },
      {
        "name": "hipaa-1636.12b2Organizational.1-12.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1636.12b2Organizational.1-12.b"
      },
      {
        "name": "hipaa-1637.12b2Organizational.2-12.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1637.12b2Organizational.2-12.b"
      },
      {
        "name": "hipaa-1638.12b2Organizational.345-12.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1638.12b2Organizational.345-12.b"
      },
      {
        "name": "hipaa-1666.12d1Organizational.1235-12.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1666.12d1Organizational.1235-12.d"
      },
      {
        "name": "hipaa-1667.12d1Organizational.4-12.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1667.12d1Organizational.4-12.d"
      },
      {
        "name": "hipaa-1668.12d1Organizational.67-12.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1668.12d1Organizational.67-12.d"
      },
      {
        "name": "hipaa-1669.12d1Organizational.8-12.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1669.12d1Organizational.8-12.d"
      },
      {
        "name": "hipaa-1670.12d2Organizational.1-12.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1670.12d2Organizational.1-12.d"
      },
      {
        "name": "hipaa-1671.12d2Organizational.2-12.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1671.12d2Organizational.2-12.d"
      },
      {
        "name": "hipaa-1672.12d2Organizational.3-12.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1672.12d2Organizational.3-12.d"
      },
      {
        "name": "hipaa-1699.09l1Organizational.10-09.l",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1699.09l1Organizational.10-09.l"
      },
      {
        "name": "hipaa-1704.03b1Organizational.12-03.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1704.03b1Organizational.12-03.b"
      },
      {
        "name": "hipaa-1705.03b2Organizational.12-03.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1705.03b2Organizational.12-03.b"
      },
      {
        "name": "hipaa-1706.03b1Organizational.3-03.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1706.03b1Organizational.3-03.b"
      },
      {
        "name": "hipaa-1707.03c1Organizational.12-03.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1707.03c1Organizational.12-03.c"
      },
      {
        "name": "hipaa-1708.03c2Organizational.12-03.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1708.03c2Organizational.12-03.c"
      },
      {
        "name": "hipaa-17101.10a3Organizational.6-10.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-17101.10a3Organizational.6-10.a"
      },
      {
        "name": "hipaa-17120.10a3Organizational.5-10.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-17120.10a3Organizational.5-10.a"
      },
      {
        "name": "hipaa-17126.03c1System.6-03.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-17126.03c1System.6-03.c"
      },
      {
        "name": "hipaa-1713.03c1Organizational.3-03.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1713.03c1Organizational.3-03.c"
      },
      {
        "name": "hipaa-1733.03d1Organizational.1-03.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1733.03d1Organizational.1-03.d"
      },
      {
        "name": "hipaa-1734.03d2Organizational.1-03.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1734.03d2Organizational.1-03.d"
      },
      {
        "name": "hipaa-1735.03d2Organizational.23-03.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1735.03d2Organizational.23-03.d"
      },
      {
        "name": "hipaa-1736.03d2Organizational.4-03.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1736.03d2Organizational.4-03.d"
      },
      {
        "name": "hipaa-1737.03d2Organizational.5-03.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1737.03d2Organizational.5-03.d"
      },
      {
        "name": "hipaa-1780.10a1Organizational.1-10.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1780.10a1Organizational.1-10.a"
      },
      {
        "name": "hipaa-1781.10a1Organizational.23-10.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1781.10a1Organizational.23-10.a"
      },
      {
        "name": "hipaa-1782.10a1Organizational.4-10.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1782.10a1Organizational.4-10.a"
      },
      {
        "name": "hipaa-1783.10a1Organizational.56-10.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1783.10a1Organizational.56-10.a"
      },
      {
        "name": "hipaa-1784.10a1Organizational.7-10.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1784.10a1Organizational.7-10.a"
      },
      {
        "name": "hipaa-1785.10a1Organizational.8-10.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1785.10a1Organizational.8-10.a"
      },
      {
        "name": "hipaa-1786.10a1Organizational.9-10.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1786.10a1Organizational.9-10.a"
      },
      {
        "name": "hipaa-1787.10a2Organizational.1-10.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1787.10a2Organizational.1-10.a"
      },
      {
        "name": "hipaa-1788.10a2Organizational.2-10.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1788.10a2Organizational.2-10.a"
      },
      {
        "name": "hipaa-1789.10a2Organizational.3-10.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1789.10a2Organizational.3-10.a"
      },
      {
        "name": "hipaa-1790.10a2Organizational.45-10.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1790.10a2Organizational.45-10.a"
      },
      {
        "name": "hipaa-1791.10a2Organizational.6-10.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1791.10a2Organizational.6-10.a"
      },
      {
        "name": "hipaa-1792.10a2Organizational.7814-10.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1792.10a2Organizational.7814-10.a"
      },
      {
        "name": "hipaa-1793.10a2Organizational.91011-10.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1793.10a2Organizational.91011-10.a"
      },
      {
        "name": "hipaa-1794.10a2Organizational.12-10.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1794.10a2Organizational.12-10.a"
      },
      {
        "name": "hipaa-1795.10a2Organizational.13-10.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1795.10a2Organizational.13-10.a"
      },
      {
        "name": "hipaa-1796.10a2Organizational.15-10.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1796.10a2Organizational.15-10.a"
      },
      {
        "name": "hipaa-1797.10a3Organizational.1-10.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1797.10a3Organizational.1-10.a"
      },
      {
        "name": "hipaa-1798.10a3Organizational.2-10.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1798.10a3Organizational.2-10.a"
      },
      {
        "name": "hipaa-1799.10a3Organizational.34-10.a",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1799.10a3Organizational.34-10.a"
      },
      {
        "name": "hipaa-1801.08b1Organizational.124-08.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1801.08b1Organizational.124-08.b"
      },
      {
        "name": "hipaa-1802.08b1Organizational.3-08.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1802.08b1Organizational.3-08.b"
      },
      {
        "name": "hipaa-1803.08b1Organizational.5-08.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1803.08b1Organizational.5-08.b"
      },
      {
        "name": "hipaa-1804.08b2Organizational.12-08.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1804.08b2Organizational.12-08.b"
      },
      {
        "name": "hipaa-1805.08b2Organizational.3-08.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1805.08b2Organizational.3-08.b"
      },
      {
        "name": "hipaa-1806.08b2Organizational.4-08.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1806.08b2Organizational.4-08.b"
      },
      {
        "name": "hipaa-1807.08b2Organizational.56-08.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1807.08b2Organizational.56-08.b"
      },
      {
        "name": "hipaa-1808.08b2Organizational.7-08.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1808.08b2Organizational.7-08.b"
      },
      {
        "name": "hipaa-1809.08b3Organizational.1-08.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1809.08b3Organizational.1-08.b"
      },
      {
        "name": "hipaa-1810.08b3Organizational.2-08.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1810.08b3Organizational.2-08.b"
      },
      {
        "name": "hipaa-18108.08j1Organizational.1-08.j",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-18108.08j1Organizational.1-08.j"
      },
      {
        "name": "hipaa-18109.08j1Organizational.4-08.j",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-18109.08j1Organizational.4-08.j"
      },
      {
        "name": "hipaa-1811.08b3Organizational.3-08.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1811.08b3Organizational.3-08.b"
      },
      {
        "name": "hipaa-18110.08j1Organizational.5-08.j",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-18110.08j1Organizational.5-08.j"
      },
      {
        "name": "hipaa-18111.08j1Organizational.6-08.j",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-18111.08j1Organizational.6-08.j"
      },
      {
        "name": "hipaa-18112.08j3Organizational.4-08.j",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-18112.08j3Organizational.4-08.j"
      },
      {
        "name": "hipaa-1812.08b3Organizational.46-08.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1812.08b3Organizational.46-08.b"
      },
      {
        "name": "hipaa-18127.08l1Organizational.3-08.l",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-18127.08l1Organizational.3-08.l"
      },
      {
        "name": "hipaa-1813.08b3Organizational.56-08.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1813.08b3Organizational.56-08.b"
      },
      {
        "name": "hipaa-18130.09p1Organizational.24-09.p",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-18130.09p1Organizational.24-09.p"
      },
      {
        "name": "hipaa-18131.09p1Organizational.3-09.p",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-18131.09p1Organizational.3-09.p"
      },
      {
        "name": "hipaa-1814.08d1Organizational.12-08.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1814.08d1Organizational.12-08.d"
      },
      {
        "name": "hipaa-18145.08b3Organizational.7-08.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-18145.08b3Organizational.7-08.b"
      },
      {
        "name": "hipaa-18146.08b3Organizational.8-08.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-18146.08b3Organizational.8-08.b"
      },
      {
        "name": "hipaa-1815.08d2Organizational.123-08.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1815.08d2Organizational.123-08.d"
      },
      {
        "name": "hipaa-1816.08d2Organizational.4-08.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1816.08d2Organizational.4-08.d"
      },
      {
        "name": "hipaa-1817.08d3Organizational.12-08.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1817.08d3Organizational.12-08.d"
      },
      {
        "name": "hipaa-1818.08d3Organizational.3-08.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1818.08d3Organizational.3-08.d"
      },
      {
        "name": "hipaa-1819.08j1Organizational.23-08.j",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1819.08j1Organizational.23-08.j"
      },
      {
        "name": "hipaa-1820.08j2Organizational.1-08.j",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1820.08j2Organizational.1-08.j"
      },
      {
        "name": "hipaa-1821.08j2Organizational.3-08.j",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1821.08j2Organizational.3-08.j"
      },
      {
        "name": "hipaa-1822.08j2Organizational.2-08.j",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1822.08j2Organizational.2-08.j"
      },
      {
        "name": "hipaa-1823.08j3Organizational.12-08.j",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1823.08j3Organizational.12-08.j"
      },
      {
        "name": "hipaa-1824.08j3Organizational.3-08.j",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1824.08j3Organizational.3-08.j"
      },
      {
        "name": "hipaa-1825.08l1Organizational.12456-08.l",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1825.08l1Organizational.12456-08.l"
      },
      {
        "name": "hipaa-1826.09p1Organizational.1-09.p",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1826.09p1Organizational.1-09.p"
      },
      {
        "name": "hipaa-1827.09p2Organizational.1-09.p",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1827.09p2Organizational.1-09.p"
      },
      {
        "name": "hipaa-1844.08b1Organizational.6-08.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1844.08b1Organizational.6-08.b"
      },
      {
        "name": "hipaa-1845.08b1Organizational.7-08.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1845.08b1Organizational.7-08.b"
      },
      {
        "name": "hipaa-1846.08b2Organizational.8-08.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1846.08b2Organizational.8-08.b"
      },
      {
        "name": "hipaa-1847.08b2Organizational.910-08.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1847.08b2Organizational.910-08.b"
      },
      {
        "name": "hipaa-1848.08b2Organizational.11-08.b",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1848.08b2Organizational.11-08.b"
      },
      {
        "name": "hipaa-1862.08d1Organizational.3-08.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1862.08d1Organizational.3-08.d"
      },
      {
        "name": "hipaa-1863.08d1Organizational.4-08.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1863.08d1Organizational.4-08.d"
      },
      {
        "name": "hipaa-1901.06d1Organizational.1-06.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1901.06d1Organizational.1-06.d"
      },
      {
        "name": "hipaa-1902.06d1Organizational.2-06.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1902.06d1Organizational.2-06.d"
      },
      {
        "name": "hipaa-1903.06d1Organizational.3456711-06.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1903.06d1Organizational.3456711-06.d"
      },
      {
        "name": "hipaa-1904.06.d2Organizational.1-06.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1904.06.d2Organizational.1-06.d"
      },
      {
        "name": "hipaa-1906.06.c1Organizational.2-06.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1906.06.c1Organizational.2-06.c"
      },
      {
        "name": "hipaa-1907.06.c1Organizational.3-06.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1907.06.c1Organizational.3-06.c"
      },
      {
        "name": "hipaa-1908.06.c1Organizational.4-06.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1908.06.c1Organizational.4-06.c"
      },
      {
        "name": "hipaa-1911.06d1Organizational.13-06.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-1911.06d1Organizational.13-06.d"
      },
      {
        "name": "hipaa-19134.05j1Organizational.5-05.j",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-19134.05j1Organizational.5-05.j"
      },
      {
        "name": "hipaa-19141.06c1Organizational.7-06.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-19141.06c1Organizational.7-06.c"
      },
      {
        "name": "hipaa-19142.06c1Organizational.8-06.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-19142.06c1Organizational.8-06.c"
      },
      {
        "name": "hipaa-19143.06c1Organizational.9-06.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-19143.06c1Organizational.9-06.c"
      },
      {
        "name": "hipaa-19144.06c2Organizational.1-06.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-19144.06c2Organizational.1-06.c"
      },
      {
        "name": "hipaa-19145.06c2Organizational.2-06.c",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-19145.06c2Organizational.2-06.c"
      },
      {
        "name": "hipaa-19242.06d1Organizational.14-06.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-19242.06d1Organizational.14-06.d"
      },
      {
        "name": "hipaa-19243.06d1Organizational.15-06.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-19243.06d1Organizational.15-06.d"
      },
      {
        "name": "hipaa-19245.06d2Organizational.2-06.d",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/hipaa-19245.06d2Organizational.2-06.d"
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/a169a624-5599-4385-a696-c8d643089fab",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "a169a624-5599-4385-a696-c8d643089fab"
}
BuiltIn Regulatory Compliance False False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "IRS1075 September 2016",
    "policyType": "BuiltIn",
    "description": "This initiative includes audit and virtual machine extension deployment policies that address a subset of IRS1075 September 2016 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/irs1075-blueprint.",
    "metadata": {
      "version": "5.0.0",
      "category": "Regulatory Compliance"
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers for Guest Configuration policies",
          "description": "Optionally choose to audit settings inside Arc connected servers using Guest Configuration policies. By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "logAnalyticsWorkspaceIdforVMReporting": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace ID for VM agent reporting"
        }
      },
      "listOfResourceTypesWithDiagnosticLogsEnabled": {
        "type": "Array",
        "metadata": {
          "displayName": "List of resource types that should have resource logs enabled"
        },
        "allowedValues": [
          "Microsoft.AnalysisServices/servers",
          "Microsoft.ApiManagement/service",
          "Microsoft.Network/applicationGateways",
          "Microsoft.Automation/automationAccounts",
          "Microsoft.ContainerInstance/containerGroups",
          "Microsoft.ContainerRegistry/registries",
          "Microsoft.ContainerService/managedClusters",
          "Microsoft.Batch/batchAccounts",
          "Microsoft.Cdn/profiles/endpoints",
          "Microsoft.CognitiveServices/accounts",
          "Microsoft.DocumentDB/databaseAccounts",
          "Microsoft.DataFactory/factories",
          "Microsoft.DataLakeAnalytics/accounts",
          "Microsoft.DataLakeStore/accounts",
          "Microsoft.EventGrid/eventSubscriptions",
          "Microsoft.EventGrid/topics",
          "Microsoft.EventHub/namespaces",
          "Microsoft.Network/expressRouteCircuits",
          "Microsoft.Network/azureFirewalls",
          "Microsoft.HDInsight/clusters",
          "Microsoft.Devices/IotHubs",
          "Microsoft.KeyVault/vaults",
          "Microsoft.Network/loadBalancers",
          "Microsoft.Logic/integrationAccounts",
          "Microsoft.Logic/workflows",
          "Microsoft.DBforMySQL/servers",
          "Microsoft.Network/networkInterfaces",
          "Microsoft.Network/networkSecurityGroups",
          "Microsoft.DBforPostgreSQL/servers",
          "Microsoft.PowerBIDedicated/capacities",
          "Microsoft.Network/publicIPAddresses",
          "Microsoft.RecoveryServices/vaults",
          "Microsoft.Cache/redis",
          "Microsoft.Relay/namespaces",
          "Microsoft.Search/searchServices",
          "Microsoft.ServiceBus/namespaces",
          "Microsoft.SignalRService/SignalR",
          "Microsoft.Sql/servers/databases",
          "Microsoft.Sql/servers/elasticPools",
          "Microsoft.StreamAnalytics/streamingjobs",
          "Microsoft.TimeSeriesInsights/environments",
          "Microsoft.Network/trafficManagerProfiles",
          "Microsoft.Compute/virtualMachines",
          "Microsoft.Compute/virtualMachineScaleSets",
          "Microsoft.Network/virtualNetworks",
          "Microsoft.Network/virtualNetworkGateways"
        ],
        "defaultValue": [
          "Microsoft.AnalysisServices/servers",
          "Microsoft.ApiManagement/service",
          "Microsoft.Network/applicationGateways",
          "Microsoft.Automation/automationAccounts",
          "Microsoft.ContainerInstance/containerGroups",
          "Microsoft.ContainerRegistry/registries",
          "Microsoft.ContainerService/managedClusters",
          "Microsoft.Batch/batchAccounts",
          "Microsoft.Cdn/profiles/endpoints",
          "Microsoft.CognitiveServices/accounts",
          "Microsoft.DocumentDB/databaseAccounts",
          "Microsoft.DataFactory/factories",
          "Microsoft.DataLakeAnalytics/accounts",
          "Microsoft.DataLakeStore/accounts",
          "Microsoft.EventGrid/eventSubscriptions",
          "Microsoft.EventGrid/topics",
          "Microsoft.EventHub/namespaces",
          "Microsoft.Network/expressRouteCircuits",
          "Microsoft.Network/azureFirewalls",
          "Microsoft.HDInsight/clusters",
          "Microsoft.Devices/IotHubs",
          "Microsoft.KeyVault/vaults",
          "Microsoft.Network/loadBalancers",
          "Microsoft.Logic/integrationAccounts",
          "Microsoft.Logic/workflows",
          "Microsoft.DBforMySQL/servers",
          "Microsoft.Network/networkInterfaces",
          "Microsoft.Network/networkSecurityGroups",
          "Microsoft.DBforPostgreSQL/servers",
          "Microsoft.PowerBIDedicated/capacities",
          "Microsoft.Network/publicIPAddresses",
          "Microsoft.RecoveryServices/vaults",
          "Microsoft.Cache/redis",
          "Microsoft.Relay/namespaces",
          "Microsoft.Search/searchServices",
          "Microsoft.ServiceBus/namespaces",
          "Microsoft.SignalRService/SignalR",
          "Microsoft.Sql/servers/databases",
          "Microsoft.Sql/servers/elasticPools",
          "Microsoft.StreamAnalytics/streamingjobs",
          "Microsoft.TimeSeriesInsights/environments",
          "Microsoft.Network/trafficManagerProfiles",
          "Microsoft.Compute/virtualMachines",
          "Microsoft.Compute/virtualMachineScaleSets",
          "Microsoft.Network/virtualNetworks",
          "Microsoft.Network/virtualNetworkGateways"
        ]
      },
      "listOfMembersToExcludeFromWindowsVMAdministratorsGroup": {
        "type": "String",
        "metadata": {
          "displayName": "List of users excluded from Windows VM Administrators group"
        }
      },
      "listOfMembersToIncludeInWindowsVMAdministratorsGroup": {
        "type": "String",
        "metadata": {
          "displayName": "List of users that must be included in Windows VM Administrators group"
        }
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "PreviewAuditAccountsWithOwnerPermissionsWhoAreNotMfaEnabledOnASubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.7.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditAccountsWithReadPermissionsWhoAreNotMfaEnabledOnASubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.7.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditAccountsWithWritePermissionsWhoAreNotMfaEnabledOnASubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.7.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditAnyMissingSystemUpdatesOnVirtualMachineScaleSetsInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.17.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditCORSResourceAccessRestrictionsForAWebApplication",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.1.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditDeprecatedAccountsOnASubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.1.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditDeprecatedAccountsWithOwnerPermissionsOnASubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.1.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditExternalAccountsWithOwnerPermissionsOnASubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.1.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditExternalAccountsWithReadPermissionsOnASubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.1.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditExternalAccountsWithWritePermissionsOnASubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.1.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditHttpsOnlyAccessForAFunctionApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.16.6"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditHttpsOnlyAccessForAWebApplication",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.16.6"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditHttpsOnlyAccessForAnApiApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.16.6"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditLogAnalyticsAgentDeploymentMImageOSUnlisted",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.3.3",
          "IRS_1075_9.3.3.6",
          "IRS_1075_9.3.3.11",
          "IRS_1075_9.3.17.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditLogAnalyticsAgentDeploymentInVMSSVmImageOSUnlisted",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.3.3",
          "IRS_1075_9.3.3.6",
          "IRS_1075_9.3.3.11",
          "IRS_1075_9.3.17.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditLogAnalyticsWorkspaceforVMPreviewReportMismatch",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f47b5582-33ec-4c5c-87c0-b010a6b2e917",
        "parameters": {
          "logAnalyticsWorkspaceId": {
            "value": "[parameters('logAnalyticsWorkspaceIdforVMreporting')]"
          }
        },
        "groupNames": [
          "IRS_1075_9.3.3.3",
          "IRS_1075_9.3.3.6",
          "IRS_1075_9.3.3.11",
          "IRS_1075_9.3.17.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditMaximumNumberOfOwnersForASubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.1.5",
          "IRS_1075_9.3.1.6"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditMinimumNumberOfOwnersForSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.1.5",
          "IRS_1075_9.3.1.6"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditOSVulnerabilitiesOnYourVirtualMachineScaleSetsInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.14.3",
          "IRS_1075_9.3.17.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditRemoteDebuggingStateForAFunctionApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.1.12"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditRemoteDebuggingStateForAWebApplication",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.1.12"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditRemoteDebuggingStateForAnAPIApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.1.12"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditStandardTierOfDDoSProtectionIsEnabledForAVirtualNetwork",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.16.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditTheEndpointProtectionSolutionOnVirtualMachineScaleSetsInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.17.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_AddSystemIdentityWhenNone",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.1.5",
          "IRS_1075_9.3.1.6",
          "IRS_1075_9.3.1.12",
          "IRS_1075_9.3.7.5",
          "IRS_1075_9.3.16.6"
        ]
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_AddSystemIdentityWhenUser",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.1.5",
          "IRS_1075_9.3.1.6",
          "IRS_1075_9.3.1.12",
          "IRS_1075_9.3.7.5",
          "IRS_1075_9.3.16.6"
        ]
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_DeployExtensionWindows",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.1.5",
          "IRS_1075_9.3.1.6",
          "IRS_1075_9.3.7.5",
          "IRS_1075_9.3.16.6"
        ]
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_DeployExtensionLinux",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.1.12",
          "IRS_1075_9.3.7.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditThatLinuxVMsDoNotAllowRemoteConnectionsFromAccountsWithoutPasswords",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ea53dbee-c6c9-4f0e-9f9e-de0039b78023",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "IRS_1075_9.3.1.12"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditThatLinuxVMsDoNotHaveAccountsWithoutPasswords",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f6ec09a3-78bf-4f8f-99dc-6c77182d0f99",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "IRS_1075_9.3.7.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditThatLinuxVMsHaveThePasswdFilePermissionsSeTTo0644",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e6955644-301c-44b5-a4c4-528577de6861",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "IRS_1075_9.3.7.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditThatWindowsVMsCannotreUseThePrevious24Passwords",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b054a0d-39e2-4d53-bea3-9734cad2c69b",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "IRS_1075_9.3.7.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditThatWindowsVMsHaveAMaximumPasswordAgeOf70days",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ceb8dc2-559c-478b-a15b-733fbf1e3738",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "IRS_1075_9.3.7.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditThatWindowsVMsHaveAMinimumPasswordAgeOf1Day",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/237b38db-ca4d-4259-9e47-7882441ca2c0",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "IRS_1075_9.3.7.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditThatWindowsVMsHaveThePasswordComplexitySettingEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bf16e0bb-31e1-4646-8202-60a235cc7e74",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "IRS_1075_9.3.7.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditThatWindowsVMsRestrictTheMinimumPasswordLengthTo14Characters",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a2d0e922-65d0-40c4-8f87-ea6da2d307a2",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "IRS_1075_9.3.7.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditThatWindowsVMsStorePasswordsUsingReversibleEncryption",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/da0f98fe-a24b-4ad5-af69-bd0400233661",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "IRS_1075_9.3.7.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewMonitorInternetFacingVirtualMachinesForNetworkSecurityGroupTrafficHardeningRecommendations",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.16.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewMonitorMissingEndpointProtectionInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.17.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewMonitorMissingSystemUpdatesInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.17.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewMonitorOSVulnerabilitiesInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.14.3",
          "IRS_1075_9.3.17.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewMonitorPossibleAppWhitelistingInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.5.7",
          "IRS_1075_9.3.5.11",
          "IRS_1075_9.3.16.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewMonitorPossibleNetworkJustInTimeJITAccessInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.1.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewMonitorSQLVulnerabilityAssessmentResultsInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.14.3",
          "IRS_1075_9.3.17.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewMonitorUnencryptedVMDisksInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.16.15"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewMonitorUnprotectedNetworkEndpointsInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.16.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewMonitorVMVulnerabilitiesInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.14.3",
          "IRS_1075_9.3.17.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditDiagnosticSetting",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9",
        "parameters": {
          "listOfResourceTypes": {
            "value": "[parameters('listOfResourceTypesWithDiagnosticLogsEnabled')]"
          }
        },
        "groupNames": [
          "IRS_1075_9.3.3.5",
          "IRS_1075_9.3.3.11"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditEnablingOfOnlySecureConnectionsToYourRedisCache",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.16.6"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditProvisioningOfAnAzureActiveDirectoryAdministratorForSQLServer",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.1.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditSecureTransferToStorageAccounts",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.16.6"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditSQLManagedInstancesWithoutAdvancedDataSecurity",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.3.5",
          "IRS_1075_9.3.3.11",
          "IRS_1075_9.3.14.3",
          "IRS_1075_9.3.16.15",
          "IRS_1075_9.3.17.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditSQLServerLevelAuditingSettings",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.3.5",
          "IRS_1075_9.3.3.11"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditSQLServersWithoutAdvancedDataSecurity",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.3.5",
          "IRS_1075_9.3.3.11",
          "IRS_1075_9.3.14.3",
          "IRS_1075_9.3.16.15",
          "IRS_1075_9.3.17.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditTransparentDataEncryptionStatus",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.16.15"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditUnrestrictedNetworkAccessToStorageAccounts",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.1.12",
          "IRS_1075_9.3.16.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditUsageOfAzureActiveDirectoryForClientAuthenticationInServiceFabric",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.1.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditUsageOfCustomRBACRules",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.1.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditVirtualMachinesWithoutDisasterRecoveryConfigured",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56",
        "parameters": {},
        "groupNames": [
          "IRS_1075_9.3.6.6"
        ]
      },
      {
        "policyDefinitionReferenceId": "AdministratorsGroupInsideWindowsVMsExcludesTheSpecifiedMembers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "MembersToExclude": {
            "value": "[parameters('listOfMembersToExcludeFromWindowsVMAdministratorsGroup')]"
          }
        },
        "groupNames": [
          "IRS_1075_9.3.1.5",
          "IRS_1075_9.3.1.6"
        ]
      },
      {
        "policyDefinitionReferenceId": "AdministratorsGroupInsideWindowsVMsIncludesTheSpecifiedMembers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "MembersToInclude": {
            "value": "[parameters('listOfMembersToIncludeInWindowsVMAdministratorsGroup')]"
          }
        },
        "groupNames": [
          "IRS_1075_9.3.1.5",
          "IRS_1075_9.3.1.6"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditThatWindowsWebServersAreUsingScureCommunicationProtocols",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "IRS_1075_9.3.16.6"
        ]
      }
    ],
    "policyDefinitionGroups": [
      {
        "name": "IRS_1075_9.3.1.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.1.1"
      },
      {
        "name": "IRS_1075_9.3.1.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.1.2"
      },
      {
        "name": "IRS_1075_9.3.1.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.1.3"
      },
      {
        "name": "IRS_1075_9.3.1.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.1.4"
      },
      {
        "name": "IRS_1075_9.3.1.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.1.5"
      },
      {
        "name": "IRS_1075_9.3.1.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.1.6"
      },
      {
        "name": "IRS_1075_9.3.1.7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.1.7"
      },
      {
        "name": "IRS_1075_9.3.1.8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.1.8"
      },
      {
        "name": "IRS_1075_9.3.1.9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.1.9"
      },
      {
        "name": "IRS_1075_9.3.1.10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.1.10"
      },
      {
        "name": "IRS_1075_9.3.1.11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.1.11"
      },
      {
        "name": "IRS_1075_9.3.1.12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.1.12"
      },
      {
        "name": "IRS_1075_9.3.1.13",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.1.13"
      },
      {
        "name": "IRS_1075_9.3.1.14",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.1.14"
      },
      {
        "name": "IRS_1075_9.3.1.15",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.1.15"
      },
      {
        "name": "IRS_1075_9.3.1.16",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.1.16"
      },
      {
        "name": "IRS_1075_9.3.1.17",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.1.17"
      },
      {
        "name": "IRS_1075_9.3.2.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.2.1"
      },
      {
        "name": "IRS_1075_9.3.2.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.2.2"
      },
      {
        "name": "IRS_1075_9.3.2.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.2.3"
      },
      {
        "name": "IRS_1075_9.3.2.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.2.4"
      },
      {
        "name": "IRS_1075_9.3.3.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.3.1"
      },
      {
        "name": "IRS_1075_9.3.3.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.3.2"
      },
      {
        "name": "IRS_1075_9.3.3.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.3.3"
      },
      {
        "name": "IRS_1075_9.3.3.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.3.4"
      },
      {
        "name": "IRS_1075_9.3.3.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.3.5"
      },
      {
        "name": "IRS_1075_9.3.3.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.3.6"
      },
      {
        "name": "IRS_1075_9.3.3.7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.3.7"
      },
      {
        "name": "IRS_1075_9.3.3.8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.3.8"
      },
      {
        "name": "IRS_1075_9.3.3.9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.3.9"
      },
      {
        "name": "IRS_1075_9.3.3.10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.3.10"
      },
      {
        "name": "IRS_1075_9.3.3.11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.3.11"
      },
      {
        "name": "IRS_1075_9.3.3.12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.3.12"
      },
      {
        "name": "IRS_1075_9.3.4.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.4.1"
      },
      {
        "name": "IRS_1075_9.3.4.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.4.2"
      },
      {
        "name": "IRS_1075_9.3.4.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.4.3"
      },
      {
        "name": "IRS_1075_9.3.4.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.4.4"
      },
      {
        "name": "IRS_1075_9.3.4.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.4.5"
      },
      {
        "name": "IRS_1075_9.3.4.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.4.6"
      },
      {
        "name": "IRS_1075_9.3.5.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.5.1"
      },
      {
        "name": "IRS_1075_9.3.5.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.5.2"
      },
      {
        "name": "IRS_1075_9.3.5.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.5.3"
      },
      {
        "name": "IRS_1075_9.3.5.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.5.4"
      },
      {
        "name": "IRS_1075_9.3.5.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.5.5"
      },
      {
        "name": "IRS_1075_9.3.5.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.5.6"
      },
      {
        "name": "IRS_1075_9.3.5.7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.5.7"
      },
      {
        "name": "IRS_1075_9.3.5.8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.5.8"
      },
      {
        "name": "IRS_1075_9.3.5.9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.5.9"
      },
      {
        "name": "IRS_1075_9.3.5.10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.5.10"
      },
      {
        "name": "IRS_1075_9.3.5.11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.5.11"
      },
      {
        "name": "IRS_1075_9.3.6.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.6.1"
      },
      {
        "name": "IRS_1075_9.3.6.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.6.2"
      },
      {
        "name": "IRS_1075_9.3.6.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.6.3"
      },
      {
        "name": "IRS_1075_9.3.6.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.6.4"
      },
      {
        "name": "IRS_1075_9.3.6.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.6.5"
      },
      {
        "name": "IRS_1075_9.3.6.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.6.6"
      },
      {
        "name": "IRS_1075_9.3.6.7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.6.7"
      },
      {
        "name": "IRS_1075_9.3.6.8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.6.8"
      },
      {
        "name": "IRS_1075_9.3.7.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.7.1"
      },
      {
        "name": "IRS_1075_9.3.7.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.7.2"
      },
      {
        "name": "IRS_1075_9.3.7.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.7.3"
      },
      {
        "name": "IRS_1075_9.3.7.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.7.4"
      },
      {
        "name": "IRS_1075_9.3.7.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.7.5"
      },
      {
        "name": "IRS_1075_9.3.7.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.7.6"
      },
      {
        "name": "IRS_1075_9.3.7.7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.7.7"
      },
      {
        "name": "IRS_1075_9.3.7.8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.7.8"
      },
      {
        "name": "IRS_1075_9.3.8.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.8.1"
      },
      {
        "name": "IRS_1075_9.3.8.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.8.2"
      },
      {
        "name": "IRS_1075_9.3.8.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.8.3"
      },
      {
        "name": "IRS_1075_9.3.8.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.8.4"
      },
      {
        "name": "IRS_1075_9.3.8.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.8.5"
      },
      {
        "name": "IRS_1075_9.3.8.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.8.6"
      },
      {
        "name": "IRS_1075_9.3.8.7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.8.7"
      },
      {
        "name": "IRS_1075_9.3.8.8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.8.8"
      },
      {
        "name": "IRS_1075_9.3.8.9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.8.9"
      },
      {
        "name": "IRS_1075_9.3.9.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.9.1"
      },
      {
        "name": "IRS_1075_9.3.9.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.9.2"
      },
      {
        "name": "IRS_1075_9.3.9.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.9.3"
      },
      {
        "name": "IRS_1075_9.3.9.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.9.4"
      },
      {
        "name": "IRS_1075_9.3.9.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.9.5"
      },
      {
        "name": "IRS_1075_9.3.10.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.10.1"
      },
      {
        "name": "IRS_1075_9.3.10.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.10.2"
      },
      {
        "name": "IRS_1075_9.3.10.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.10.3"
      },
      {
        "name": "IRS_1075_9.3.10.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.10.4"
      },
      {
        "name": "IRS_1075_9.3.10.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.10.5"
      },
      {
        "name": "IRS_1075_9.3.10.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.10.6"
      },
      {
        "name": "IRS_1075_9.3.11.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.11.1"
      },
      {
        "name": "IRS_1075_9.3.11.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.11.2"
      },
      {
        "name": "IRS_1075_9.3.11.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.11.3"
      },
      {
        "name": "IRS_1075_9.3.11.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.11.4"
      },
      {
        "name": "IRS_1075_9.3.11.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.11.5"
      },
      {
        "name": "IRS_1075_9.3.11.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.11.6"
      },
      {
        "name": "IRS_1075_9.3.11.7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.11.7"
      },
      {
        "name": "IRS_1075_9.3.11.8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.11.8"
      },
      {
        "name": "IRS_1075_9.3.11.9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.11.9"
      },
      {
        "name": "IRS_1075_9.3.11.10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.11.10"
      },
      {
        "name": "IRS_1075_9.3.12.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.12.1"
      },
      {
        "name": "IRS_1075_9.3.12.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.12.2"
      },
      {
        "name": "IRS_1075_9.3.12.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.12.3"
      },
      {
        "name": "IRS_1075_9.3.13.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.13.1"
      },
      {
        "name": "IRS_1075_9.3.13.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.13.2"
      },
      {
        "name": "IRS_1075_9.3.13.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.13.3"
      },
      {
        "name": "IRS_1075_9.3.13.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.13.4"
      },
      {
        "name": "IRS_1075_9.3.13.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.13.5"
      },
      {
        "name": "IRS_1075_9.3.13.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.13.6"
      },
      {
        "name": "IRS_1075_9.3.13.7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.13.7"
      },
      {
        "name": "IRS_1075_9.3.13.8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.13.8"
      },
      {
        "name": "IRS_1075_9.3.14.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.14.1"
      },
      {
        "name": "IRS_1075_9.3.14.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.14.2"
      },
      {
        "name": "IRS_1075_9.3.14.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.14.3"
      },
      {
        "name": "IRS_1075_9.3.15.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.15.1"
      },
      {
        "name": "IRS_1075_9.3.15.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.15.2"
      },
      {
        "name": "IRS_1075_9.3.15.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.15.3"
      },
      {
        "name": "IRS_1075_9.3.15.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.15.4"
      },
      {
        "name": "IRS_1075_9.3.15.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.15.5"
      },
      {
        "name": "IRS_1075_9.3.15.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.15.6"
      },
      {
        "name": "IRS_1075_9.3.15.7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.15.7"
      },
      {
        "name": "IRS_1075_9.3.15.8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.15.8"
      },
      {
        "name": "IRS_1075_9.3.15.9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.15.9"
      },
      {
        "name": "IRS_1075_9.3.15.10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.15.10"
      },
      {
        "name": "IRS_1075_9.3.16.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.16.1"
      },
      {
        "name": "IRS_1075_9.3.16.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.16.2"
      },
      {
        "name": "IRS_1075_9.3.16.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.16.3"
      },
      {
        "name": "IRS_1075_9.3.16.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.16.4"
      },
      {
        "name": "IRS_1075_9.3.16.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.16.5"
      },
      {
        "name": "IRS_1075_9.3.16.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.16.6"
      },
      {
        "name": "IRS_1075_9.3.16.7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.16.7"
      },
      {
        "name": "IRS_1075_9.3.16.8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.16.8"
      },
      {
        "name": "IRS_1075_9.3.16.9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.16.9"
      },
      {
        "name": "IRS_1075_9.3.16.10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.16.10"
      },
      {
        "name": "IRS_1075_9.3.16.11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.16.11"
      },
      {
        "name": "IRS_1075_9.3.16.12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.16.12"
      },
      {
        "name": "IRS_1075_9.3.16.13",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.16.13"
      },
      {
        "name": "IRS_1075_9.3.16.14",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.16.14"
      },
      {
        "name": "IRS_1075_9.3.16.15",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.16.15"
      },
      {
        "name": "IRS_1075_9.3.17.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.17.1"
      },
      {
        "name": "IRS_1075_9.3.17.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.17.2"
      },
      {
        "name": "IRS_1075_9.3.17.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.17.3"
      },
      {
        "name": "IRS_1075_9.3.17.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.17.4"
      },
      {
        "name": "IRS_1075_9.3.17.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.17.5"
      },
      {
        "name": "IRS_1075_9.3.17.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.17.6"
      },
      {
        "name": "IRS_1075_9.3.17.7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.17.7"
      },
      {
        "name": "IRS_1075_9.3.17.8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.17.8"
      },
      {
        "name": "IRS_1075_9.3.17.9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.17.9"
      },
      {
        "name": "IRS_1075_9.3.17.10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.17.10"
      },
      {
        "name": "IRS_1075_9.3.18.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/IRS_1075_9.3.18.1"
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "105e0327-6175-4eb2-9af4-1fba43bdb39d"
}
BuiltIn Regulatory Compliance False False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "ISO 27001:2013",
    "policyType": "BuiltIn",
    "description": "This initiative includes audit and virtual machine extension deployment policies that address a subset of ISO 27001:2013 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/iso27001-init.",
    "metadata": {
      "version": "4.0.2",
      "category": "Regulatory Compliance"
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers for Guest Configuration policies",
          "description": "Optionally choose to audit settings inside Arc connected servers using Guest Configuration policies. By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "listOfResourceTypesWithDiagnosticLogsEnabled": {
        "type": "Array",
        "metadata": {
          "displayName": "List of resource types that should have resource logs enabled",
          "strongType": "resourceTypes"
        },
        "allowedValues": [
          "Microsoft.AnalysisServices/servers",
          "Microsoft.ApiManagement/service",
          "Microsoft.Network/applicationGateways",
          "Microsoft.Automation/automationAccounts",
          "Microsoft.ContainerInstance/containerGroups",
          "Microsoft.ContainerRegistry/registries",
          "Microsoft.ContainerService/managedClusters",
          "Microsoft.Batch/batchAccounts",
          "Microsoft.Cdn/profiles/endpoints",
          "Microsoft.CognitiveServices/accounts",
          "Microsoft.DocumentDB/databaseAccounts",
          "Microsoft.DataFactory/factories",
          "Microsoft.DataLakeAnalytics/accounts",
          "Microsoft.DataLakeStore/accounts",
          "Microsoft.EventGrid/eventSubscriptions",
          "Microsoft.EventGrid/topics",
          "Microsoft.EventHub/namespaces",
          "Microsoft.Network/expressRouteCircuits",
          "Microsoft.Network/azureFirewalls",
          "Microsoft.HDInsight/clusters",
          "Microsoft.Devices/IotHubs",
          "Microsoft.KeyVault/vaults",
          "Microsoft.Network/loadBalancers",
          "Microsoft.Logic/integrationAccounts",
          "Microsoft.Logic/workflows",
          "Microsoft.DBforMySQL/servers",
          "Microsoft.Network/networkInterfaces",
          "Microsoft.Network/networkSecurityGroups",
          "Microsoft.DBforPostgreSQL/servers",
          "Microsoft.PowerBIDedicated/capacities",
          "Microsoft.Network/publicIPAddresses",
          "Microsoft.RecoveryServices/vaults",
          "Microsoft.Cache/redis",
          "Microsoft.Relay/namespaces",
          "Microsoft.Search/searchServices",
          "Microsoft.ServiceBus/namespaces",
          "Microsoft.SignalRService/SignalR",
          "Microsoft.Sql/servers/databases",
          "Microsoft.Sql/servers/elasticPools",
          "Microsoft.StreamAnalytics/streamingjobs",
          "Microsoft.TimeSeriesInsights/environments",
          "Microsoft.Network/trafficManagerProfiles",
          "Microsoft.Compute/virtualMachines",
          "Microsoft.Compute/virtualMachineScaleSets",
          "Microsoft.Network/virtualNetworks",
          "Microsoft.Network/virtualNetworkGateways"
        ],
        "defaultValue": [
          "Microsoft.AnalysisServices/servers",
          "Microsoft.ApiManagement/service",
          "Microsoft.Network/applicationGateways",
          "Microsoft.Automation/automationAccounts",
          "Microsoft.ContainerInstance/containerGroups",
          "Microsoft.ContainerRegistry/registries",
          "Microsoft.ContainerService/managedClusters",
          "Microsoft.Batch/batchAccounts",
          "Microsoft.Cdn/profiles/endpoints",
          "Microsoft.CognitiveServices/accounts",
          "Microsoft.DocumentDB/databaseAccounts",
          "Microsoft.DataFactory/factories",
          "Microsoft.DataLakeAnalytics/accounts",
          "Microsoft.DataLakeStore/accounts",
          "Microsoft.EventGrid/eventSubscriptions",
          "Microsoft.EventGrid/topics",
          "Microsoft.EventHub/namespaces",
          "Microsoft.Network/expressRouteCircuits",
          "Microsoft.Network/azureFirewalls",
          "Microsoft.HDInsight/clusters",
          "Microsoft.Devices/IotHubs",
          "Microsoft.KeyVault/vaults",
          "Microsoft.Network/loadBalancers",
          "Microsoft.Logic/integrationAccounts",
          "Microsoft.Logic/workflows",
          "Microsoft.DBforMySQL/servers",
          "Microsoft.Network/networkInterfaces",
          "Microsoft.Network/networkSecurityGroups",
          "Microsoft.DBforPostgreSQL/servers",
          "Microsoft.PowerBIDedicated/capacities",
          "Microsoft.Network/publicIPAddresses",
          "Microsoft.RecoveryServices/vaults",
          "Microsoft.Cache/redis",
          "Microsoft.Relay/namespaces",
          "Microsoft.Search/searchServices",
          "Microsoft.ServiceBus/namespaces",
          "Microsoft.SignalRService/SignalR",
          "Microsoft.Sql/servers/databases",
          "Microsoft.Sql/servers/elasticPools",
          "Microsoft.StreamAnalytics/streamingjobs",
          "Microsoft.TimeSeriesInsights/environments",
          "Microsoft.Network/trafficManagerProfiles",
          "Microsoft.Compute/virtualMachines",
          "Microsoft.Compute/virtualMachineScaleSets",
          "Microsoft.Network/virtualNetworks",
          "Microsoft.Network/virtualNetworkGateways"
        ]
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "PreviewAuditAccountsWithOwnerPermissionsWhoAreNotMfaEnabledOnASubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed",
        "parameters": {},
        "groupNames": [
          "ISO27001-2013_A.9.2.3",
          "ISO27001-2013_A.9.2.4",
          "ISO27001-2013_A.9.4.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditAccountsWithReadPermissionsWhoAreNotMfaEnabledOnASubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64",
        "parameters": {},
        "groupNames": [
          "ISO27001-2013_A.9.2.4",
          "ISO27001-2013_A.9.4.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditAccountsWithWritePermissionsWhoAreNotMfaEnabledOnASubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3",
        "parameters": {},
        "groupNames": [
          "ISO27001-2013_A.9.2.3",
          "ISO27001-2013_A.9.2.4",
          "ISO27001-2013_A.9.4.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditDependencyAgentDeploymentVmImageOSUnlisted",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/11ac78e3-31bc-4f0c-8434-37ab963cea07",
        "parameters": {},
        "groupNames": [
          "ISO27001-2013_A.12.4.1",
          "ISO27001-2013_A.12.4.3",
          "ISO27001-2013_A.12.4.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditDependencyAgentDeploymentInVMSSVmImageOSUnlisted",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e2dd799a-a932-4e9d-ac17-d473bc3c6c10",
        "parameters": {},
        "groupNames": [
          "ISO27001-2013_A.12.4.1",
          "ISO27001-2013_A.12.4.3",
          "ISO27001-2013_A.12.4.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditDeprecatedAccountsOnASubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474",
        "parameters": {},
        "groupNames": [
          "ISO27001-2013_A.9.2.5",
          "ISO27001-2013_A.9.2.6"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditDeprecatedAccountsWithOwnerPermissionsOnASubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad",
        "parameters": {},
        "groupNames": [
          "ISO27001-2013_A.9.2.5",
          "ISO27001-2013_A.9.2.6"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditExternalAccountsWithOwnerPermissionsOnASubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9",
        "parameters": {},
        "groupNames": [
          "ISO27001-2013_A.9.2.3",
          "ISO27001-2013_A.9.2.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditExternalAccountsWithWritePermissionsOnASubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4",
        "parameters": {},
        "groupNames": [
          "ISO27001-2013_A.9.2.3",
          "ISO27001-2013_A.9.2.5"
        ]
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_AddSystemIdentityWhenNone",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e",
        "parameters": {},
        "groupNames": [
          "ISO27001-2013_A.9.1.2",
          "ISO27001-2013_A.9.2.4",
          "ISO27001-2013_A.9.4.3",
          "ISO27001-2013_A.10.1.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_AddSystemIdentityWhenUser",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6",
        "parameters": {},
        "groupNames": [
          "ISO27001-2013_A.9.1.2",
          "ISO27001-2013_A.9.2.4",
          "ISO27001-2013_A.9.4.3",
          "ISO27001-2013_A.10.1.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_DeployExtensionWindows",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6",
        "parameters": {},
        "groupNames": [
          "ISO27001-2013_A.9.4.3",
          "ISO27001-2013_A.10.1.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_DeployExtensionLinux",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da",
        "parameters": {},
        "groupNames": [
          "ISO27001-2013_A.9.1.2",
          "ISO27001-2013_A.9.2.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditLinuxVmAccountsWithNoPasswords",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f6ec09a3-78bf-4f8f-99dc-6c77182d0f99",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "ISO27001-2013_A.9.1.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ea53dbee-c6c9-4f0e-9f9e-de0039b78023",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "ISO27001-2013_A.9.1.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditLinuxVmPasswdFilePermissions",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e6955644-301c-44b5-a4c4-528577de6861",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "ISO27001-2013_A.9.2.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditWindowsVmEnforcesPasswordComplexityRequirements",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bf16e0bb-31e1-4646-8202-60a235cc7e74",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "ISO27001-2013_A.9.4.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditWindowsVmMaximumPasswordAge70Days",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ceb8dc2-559c-478b-a15b-733fbf1e3738",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "ISO27001-2013_A.9.4.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditWindowsVmMinimumPasswordAge1Day",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/237b38db-ca4d-4259-9e47-7882441ca2c0",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "ISO27001-2013_A.9.4.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditWindowsVmPasswordsMustBeAtLeast14Characters",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a2d0e922-65d0-40c4-8f87-ea6da2d307a2",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "ISO27001-2013_A.9.4.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditWindowsVmShouldNotAllowPrevious24Passwords",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b054a0d-39e2-4d53-bea3-9734cad2c69b",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "ISO27001-2013_A.9.4.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditWindowsVmShouldNotStorePasswordsUsingReversibleEncryption",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/da0f98fe-a24b-4ad5-af69-bd0400233661",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "ISO27001-2013_A.10.1.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditHttpsOnlyAccessForAFunctionApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab",
        "parameters": {},
        "groupNames": [
          "ISO27001-2013_A.10.1.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditHttpsOnlyAccessForAWebApplication",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d",
        "parameters": {},
        "groupNames": [
          "ISO27001-2013_A.10.1.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditHttpsOnlyAccessForAnApiApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6",
        "parameters": {},
        "groupNames": [
          "ISO27001-2013_A.10.1.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditLogAnalyticsAgentDeploymentVmImageOSUnlisted",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50",
        "parameters": {},
        "groupNames": [
          "ISO27001-2013_A.12.4.1",
          "ISO27001-2013_A.12.4.3",
          "ISO27001-2013_A.12.4.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditLogAnalyticsAgentDeploymentInVMSSVmImageOSUnlisted",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138",
        "parameters": {},
        "groupNames": [
          "ISO27001-2013_A.12.4.1",
          "ISO27001-2013_A.12.4.3",
          "ISO27001-2013_A.12.4.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditMaximumNumberOfOwnersForASubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c",
        "parameters": {},
        "groupNames": [
          "ISO27001-2013_A.6.1.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditMinimumNumberOfOwnersForSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b",
        "parameters": {},
        "groupNames": [
          "ISO27001-2013_A.6.1.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewMonitorMissingEndpointProtectionInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9",
        "parameters": {},
        "groupNames": [
          "ISO27001-2013_A.12.6.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewMonitorMissingSystemUpdatesInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
        "parameters": {},
        "groupNames": [
          "ISO27001-2013_A.12.6.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewMonitorOSVulnerabilitiesInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15",
        "parameters": {},
        "groupNames": [
          "ISO27001-2013_A.12.6.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewMonitorPossibleAppWhitelistingInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc",
        "parameters": {},
        "groupNames": [
          "ISO27001-2013_A.12.5.1",
          "ISO27001-2013_A.12.6.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewMonitorSQLVulnerabilityAssessmentResultsInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc",
        "parameters": {},
        "groupNames": [
          "ISO27001-2013_A.8.2.1",
          "ISO27001-2013_A.12.6.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewMonitorUnauditedSQLDatabaseInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9",
        "parameters": {},
        "groupNames": [
          "ISO27001-2013_A.12.4.1",
          "ISO27001-2013_A.12.4.3",
          "ISO27001-2013_A.12.4.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewMonitorUnencryptedSQLDatabaseInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12",
        "parameters": {},
        "groupNames": [
          "ISO27001-2013_A.10.1.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewMonitorUnencryptedVmDisksInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d",
        "parameters": {},
        "groupNames": [
          "ISO27001-2013_A.10.1.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewMonitorUnprotectedNetworkEndpointsInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6",
        "parameters": {},
        "groupNames": [
          "ISO27001-2013_A.13.1.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewMonitorVmVulnerabilitiesInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9",
        "parameters": {},
        "groupNames": [
          "ISO27001-2013_A.12.6.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditDiagnosticSetting",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9",
        "parameters": {
          "listOfResourceTypes": {
            "value": "[parameters('listOfResourceTypesWithDiagnosticLogsEnabled')]"
          }
        },
        "groupNames": [
          "ISO27001-2013_A.12.4.1",
          "ISO27001-2013_A.12.4.3",
          "ISO27001-2013_A.12.4.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditEnablementOfEncryptionOfAutomationAccountVariables",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735",
        "parameters": {},
        "groupNames": [
          "ISO27001-2013_A.10.1.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditEnablingOfOnlySecureConnectionsToYourRedisCache",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb",
        "parameters": {},
        "groupNames": [
          "ISO27001-2013_A.10.1.1",
          "ISO27001-2013_A.13.2.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditProvisioningOfAnAzureActiveDirectoryAdministratorForSQLServer",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9",
        "parameters": {},
        "groupNames": [
          "ISO27001-2013_A.9.2.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditSecureTransferToStorageAccounts",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
        "parameters": {},
        "groupNames": [
          "ISO27001-2013_A.10.1.1",
          "ISO27001-2013_A.13.2.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditSQLServerLevelAuditingSettings",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9",
        "parameters": {},
        "groupNames": [
          "ISO27001-2013_A.12.4.1",
          "ISO27001-2013_A.12.4.3",
          "ISO27001-2013_A.12.4.4"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditTheSettingOfClusterprotectionlevelPropertyToEncryptandsignInServiceFabric",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68",
        "parameters": {},
        "groupNames": [
          "ISO27001-2013_A.10.1.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditTransparentDataEncryptionStatus",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12",
        "parameters": {},
        "groupNames": [
          "ISO27001-2013_A.10.1.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditUnrestrictedNetworkAccessToStorageAccounts",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c",
        "parameters": {},
        "groupNames": [
          "ISO27001-2013_A.13.1.1"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditUsageOfAzureActiveDirectoryForClientAuthenticationInServiceFabric",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0",
        "parameters": {},
        "groupNames": [
          "ISO27001-2013_A.9.2.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditUsageOfCustomRBACRules",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5",
        "parameters": {},
        "groupNames": [
          "ISO27001-2013_A.9.2.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditUseOfClassicStorageAccounts",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606",
        "parameters": {},
        "groupNames": [
          "ISO27001-2013_A.9.1.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditUseOfClassicVirtualMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d",
        "parameters": {},
        "groupNames": [
          "ISO27001-2013_A.9.1.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditVMsThatDoNotUseManagedDisks",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d",
        "parameters": {},
        "groupNames": [
          "ISO27001-2013_A.9.1.2"
        ]
      }
    ],
    "policyDefinitionGroups": [
      {
        "name": "ISO27001-2013_A.5.1.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.5.1.1"
      },
      {
        "name": "ISO27001-2013_A.5.1.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.5.1.2"
      },
      {
        "name": "ISO27001-2013_A.6.1.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.6.1.1"
      },
      {
        "name": "ISO27001-2013_A.6.1.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.6.1.2"
      },
      {
        "name": "ISO27001-2013_A.6.1.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.6.1.3"
      },
      {
        "name": "ISO27001-2013_A.6.1.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.6.1.4"
      },
      {
        "name": "ISO27001-2013_A.6.1.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.6.1.5"
      },
      {
        "name": "ISO27001-2013_A.6.2.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.6.2.1"
      },
      {
        "name": "ISO27001-2013_A.6.2.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.6.2.2"
      },
      {
        "name": "ISO27001-2013_A.7.1.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.7.1.1"
      },
      {
        "name": "ISO27001-2013_A.7.1.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.7.1.2"
      },
      {
        "name": "ISO27001-2013_A.7.2.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.7.2.1"
      },
      {
        "name": "ISO27001-2013_A.7.2.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.7.2.2"
      },
      {
        "name": "ISO27001-2013_A.7.2.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.7.2.3"
      },
      {
        "name": "ISO27001-2013_A.7.3.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.7.3.1"
      },
      {
        "name": "ISO27001-2013_A.8.1.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.8.1.1"
      },
      {
        "name": "ISO27001-2013_A.8.1.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.8.1.2"
      },
      {
        "name": "ISO27001-2013_A.8.1.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.8.1.3"
      },
      {
        "name": "ISO27001-2013_A.8.1.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.8.1.4"
      },
      {
        "name": "ISO27001-2013_A.8.2.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.8.2.1"
      },
      {
        "name": "ISO27001-2013_A.8.2.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.8.2.2"
      },
      {
        "name": "ISO27001-2013_A.8.2.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.8.2.3"
      },
      {
        "name": "ISO27001-2013_A.8.3.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.8.3.1"
      },
      {
        "name": "ISO27001-2013_A.8.3.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.8.3.2"
      },
      {
        "name": "ISO27001-2013_A.8.3.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.8.3.3"
      },
      {
        "name": "ISO27001-2013_A.9.1.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.9.1.1"
      },
      {
        "name": "ISO27001-2013_A.9.1.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.9.1.2"
      },
      {
        "name": "ISO27001-2013_A.9.2.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.9.2.1"
      },
      {
        "name": "ISO27001-2013_A.9.2.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.9.2.2"
      },
      {
        "name": "ISO27001-2013_A.9.2.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.9.2.3"
      },
      {
        "name": "ISO27001-2013_A.9.2.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.9.2.4"
      },
      {
        "name": "ISO27001-2013_A.9.2.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.9.2.5"
      },
      {
        "name": "ISO27001-2013_A.9.2.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.9.2.6"
      },
      {
        "name": "ISO27001-2013_A.9.3.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.9.3.1"
      },
      {
        "name": "ISO27001-2013_A.9.4.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.9.4.1"
      },
      {
        "name": "ISO27001-2013_A.9.4.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.9.4.2"
      },
      {
        "name": "ISO27001-2013_A.9.4.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.9.4.3"
      },
      {
        "name": "ISO27001-2013_A.9.4.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.9.4.4"
      },
      {
        "name": "ISO27001-2013_A.9.4.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.9.4.5"
      },
      {
        "name": "ISO27001-2013_A.10.1.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.10.1.1"
      },
      {
        "name": "ISO27001-2013_A.10.1.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.10.1.2"
      },
      {
        "name": "ISO27001-2013_A.11.1.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.11.1.1"
      },
      {
        "name": "ISO27001-2013_A.11.1.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.11.1.2"
      },
      {
        "name": "ISO27001-2013_A.11.1.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.11.1.3"
      },
      {
        "name": "ISO27001-2013_A.11.1.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.11.1.4"
      },
      {
        "name": "ISO27001-2013_A.11.1.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.11.1.5"
      },
      {
        "name": "ISO27001-2013_A.11.1.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.11.1.6"
      },
      {
        "name": "ISO27001-2013_A.11.2.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.11.2.1"
      },
      {
        "name": "ISO27001-2013_A.11.2.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.11.2.2"
      },
      {
        "name": "ISO27001-2013_A.11.2.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.11.2.3"
      },
      {
        "name": "ISO27001-2013_A.11.2.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.11.2.4"
      },
      {
        "name": "ISO27001-2013_A.11.2.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.11.2.5"
      },
      {
        "name": "ISO27001-2013_A.11.2.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.11.2.6"
      },
      {
        "name": "ISO27001-2013_A.11.2.7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.11.2.7"
      },
      {
        "name": "ISO27001-2013_A.11.2.8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.11.2.8"
      },
      {
        "name": "ISO27001-2013_A.11.2.9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.11.2.9"
      },
      {
        "name": "ISO27001-2013_A.12.1.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.12.1.1"
      },
      {
        "name": "ISO27001-2013_A.12.1.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.12.1.2"
      },
      {
        "name": "ISO27001-2013_A.12.1.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.12.1.3"
      },
      {
        "name": "ISO27001-2013_A.12.1.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.12.1.4"
      },
      {
        "name": "ISO27001-2013_A.12.2.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.12.2.1"
      },
      {
        "name": "ISO27001-2013_A.12.3.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.12.3.1"
      },
      {
        "name": "ISO27001-2013_A.12.4.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.12.4.1"
      },
      {
        "name": "ISO27001-2013_A.12.4.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.12.4.2"
      },
      {
        "name": "ISO27001-2013_A.12.4.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.12.4.3"
      },
      {
        "name": "ISO27001-2013_A.12.4.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.12.4.4"
      },
      {
        "name": "ISO27001-2013_A.12.5.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.12.5.1"
      },
      {
        "name": "ISO27001-2013_A.12.6.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.12.6.1"
      },
      {
        "name": "ISO27001-2013_A.12.6.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.12.6.2"
      },
      {
        "name": "ISO27001-2013_A.12.7.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.12.7.1"
      },
      {
        "name": "ISO27001-2013_A.13.1.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.13.1.1"
      },
      {
        "name": "ISO27001-2013_A.13.1.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.13.1.2"
      },
      {
        "name": "ISO27001-2013_A.13.1.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.13.1.3"
      },
      {
        "name": "ISO27001-2013_A.13.2.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.13.2.1"
      },
      {
        "name": "ISO27001-2013_A.13.2.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.13.2.2"
      },
      {
        "name": "ISO27001-2013_A.13.2.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.13.2.3"
      },
      {
        "name": "ISO27001-2013_A.13.2.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.13.2.4"
      },
      {
        "name": "ISO27001-2013_A.14.1.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.14.1.1"
      },
      {
        "name": "ISO27001-2013_A.14.1.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.14.1.2"
      },
      {
        "name": "ISO27001-2013_A.14.1.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.14.1.3"
      },
      {
        "name": "ISO27001-2013_A.14.2.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.14.2.1"
      },
      {
        "name": "ISO27001-2013_A.14.2.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.14.2.2"
      },
      {
        "name": "ISO27001-2013_A.14.2.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.14.2.3"
      },
      {
        "name": "ISO27001-2013_A.14.2.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.14.2.4"
      },
      {
        "name": "ISO27001-2013_A.14.2.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.14.2.5"
      },
      {
        "name": "ISO27001-2013_A.14.2.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.14.2.6"
      },
      {
        "name": "ISO27001-2013_A.14.2.7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.14.2.7"
      },
      {
        "name": "ISO27001-2013_A.14.2.8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.14.2.8"
      },
      {
        "name": "ISO27001-2013_A.14.2.9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.14.2.9"
      },
      {
        "name": "ISO27001-2013_A.14.3.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.14.3.1"
      },
      {
        "name": "ISO27001-2013_A.15.1.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.15.1.1"
      },
      {
        "name": "ISO27001-2013_A.15.1.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.15.1.2"
      },
      {
        "name": "ISO27001-2013_A.15.1.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.15.1.3"
      },
      {
        "name": "ISO27001-2013_A.15.2.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.15.2.1"
      },
      {
        "name": "ISO27001-2013_A.15.2.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.15.2.2"
      },
      {
        "name": "ISO27001-2013_A.16.1.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.16.1.1"
      },
      {
        "name": "ISO27001-2013_A.16.1.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.16.1.2"
      },
      {
        "name": "ISO27001-2013_A.16.1.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.16.1.3"
      },
      {
        "name": "ISO27001-2013_A.16.1.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.16.1.4"
      },
      {
        "name": "ISO27001-2013_A.16.1.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.16.1.5"
      },
      {
        "name": "ISO27001-2013_A.16.1.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.16.1.6"
      },
      {
        "name": "ISO27001-2013_A.16.1.7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.16.1.7"
      },
      {
        "name": "ISO27001-2013_A.17.1.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.17.1.1"
      },
      {
        "name": "ISO27001-2013_A.17.1.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.17.1.2"
      },
      {
        "name": "ISO27001-2013_A.17.1.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.17.1.3"
      },
      {
        "name": "ISO27001-2013_A.17.2.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.17.2.1"
      },
      {
        "name": "ISO27001-2013_A.18.1.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.18.1.1"
      },
      {
        "name": "ISO27001-2013_A.18.1.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.18.1.2"
      },
      {
        "name": "ISO27001-2013_A.18.1.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.18.1.3"
      },
      {
        "name": "ISO27001-2013_A.18.1.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.18.1.4"
      },
      {
        "name": "ISO27001-2013_A.18.1.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.18.1.5"
      },
      {
        "name": "ISO27001-2013_A.18.2.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.18.2.1"
      },
      {
        "name": "ISO27001-2013_A.18.2.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.18.2.2"
      },
      {
        "name": "ISO27001-2013_A.18.2.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.18.2.3"
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "89c6cddc-1c73-4ac1-b19c-54d1a15a42f2"
}
BuiltIn Regulatory Compliance False False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "Kubernetes cluster pod security baseline standards for Linux-based workloads",
    "policyType": "BuiltIn",
    "description": "This initiative includes the policies for the Kubernetes cluster pod security baseline standards. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.",
    "metadata": {
      "version": "1.1.1",
      "category": "Kubernetes"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Deny' blocks the non-compliant resource creation or update. 'Disabled' turns off the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedNamespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace exclusions",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "namespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace inclusions",
          "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
        },
        "defaultValue": []
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "NoPrivilegedContainers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4",
        "parameters": {
          "effect": {
            "value": "[parameters('effect')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "BlockUsingHostNetwork",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82985f06-dc18-4a48-bc1c-b9f4f0098cfe",
        "parameters": {
          "effect": {
            "value": "[parameters('effect')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "allowHostNetwork": {
            "value": false
          },
          "minPort": {
            "value": 0
          },
          "maxPort": {
            "value": 0
          }
        }
      },
      {
        "policyDefinitionReferenceId": "BlockUsingHostProcessIDAndIPC",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8",
        "parameters": {
          "effect": {
            "value": "[parameters('effect')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "ContainerCapabilities",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "allowedCapabilities": {
            "value": [
              "CHOWN",
              "DAC_OVERRIDE",
              "FSETID",
              "FOWNER",
              "MKNOD",
              "NET_RAW",
              "SETGID",
              "SETUID",
              "SETFCAP",
              "SETPCAP",
              "NET_BIND_SERVICE",
              "SYS_CHROOT",
              "KILL",
              "AUDIT_WRITE"
            ]
          },
          "requiredDropCapabilities": {
            "value": []
          }
        }
      },
      {
        "policyDefinitionReferenceId": "NoHostPathVolume",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/098fc59e-46c7-4d99-9b16-64990e543d75",
        "parameters": {
          "effect": {
            "value": "[parameters('effect')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "allowedHostPaths": {
            "value": {
              "paths": []
            }
          }
        }
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/a8640138-9b0a-4a28-b8cb-1666c838647d",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "a8640138-9b0a-4a28-b8cb-1666c838647d"
}
BuiltIn Kubernetes False False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "Kubernetes cluster pod security restricted standards for Linux-based workloads",
    "policyType": "BuiltIn",
    "description": "This initiative includes the policies for the Kubernetes cluster pod security restricted standards. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.",
    "metadata": {
      "version": "2.1.1",
      "category": "Kubernetes"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Deny' blocks the non-compliant resource creation or update. 'Disabled' turns off the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedNamespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace exclusions",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "namespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace inclusions",
          "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
        },
        "defaultValue": []
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "NoPrivilegedContainers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4",
        "parameters": {
          "effect": {
            "value": "[parameters('effect')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "NoPrivilegeEscalation",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99",
        "parameters": {
          "effect": {
            "value": "[parameters('effect')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "BlockUsingHostNetwork",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82985f06-dc18-4a48-bc1c-b9f4f0098cfe",
        "parameters": {
          "effect": {
            "value": "[parameters('effect')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "allowHostNetwork": {
            "value": false
          },
          "minPort": {
            "value": 0
          },
          "maxPort": {
            "value": 0
          }
        }
      },
      {
        "policyDefinitionReferenceId": "BlockUsingHostProcessIDAndIPC",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8",
        "parameters": {
          "effect": {
            "value": "[parameters('effect')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "ContainerCapabilities",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "allowedCapabilities": {
            "value": [
              "CHOWN",
              "DAC_OVERRIDE",
              "FSETID",
              "FOWNER",
              "MKNOD",
              "NET_RAW",
              "SETGID",
              "SETUID",
              "SETFCAP",
              "SETPCAP",
              "NET_BIND_SERVICE",
              "SYS_CHROOT",
              "KILL",
              "AUDIT_WRITE"
            ]
          },
          "requiredDropCapabilities": {
            "value": []
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AllowedVolumeTypes",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/16697877-1118-4fb1-9b65-9898ec2509ec",
        "parameters": {
          "effect": {
            "value": "[parameters('effect')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "allowedVolumeTypes": {
            "value": [
              "configMap",
              "emptyDir",
              "projected",
              "secret",
              "downwardAPI",
              "persistentVolumeClaim"
            ]
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AllowedUsersGroups",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f06ddb64-5fa3-4b77-b166-acb36f7f6042",
        "parameters": {
          "effect": {
            "value": "[parameters('effect')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "runAsUserRule": {
            "value": "MustRunAsNonRoot"
          },
          "runAsUserRanges": {
            "value": {
              "ranges": []
            }
          },
          "runAsGroupRule": {
            "value": "MustRunAs"
          },
          "runAsGroupRanges": {
            "value": {
              "ranges": [
                {
                  "min": 1,
                  "max": 65535
                }
              ]
            }
          },
          "supplementalGroupsRule": {
            "value": "MustRunAs"
          },
          "supplementalGroupsRanges": {
            "value": {
              "ranges": [
                {
                  "min": 1,
                  "max": 65535
                }
              ]
            }
          },
          "fsGroupRule": {
            "value": "MustRunAs"
          },
          "fsGroupRanges": {
            "value": {
              "ranges": [
                {
                  "min": 1,
                  "max": 65535
                }
              ]
            }
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AllowedSeccompProfiles",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/975ce327-682c-4f2e-aa46-b9598289b86c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "allowedProfiles": {
            "value": [
              "runtime/default",
              "docker/default"
            ]
          }
        }
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/42b8ef37-b724-4e24-bbc8-7a7708edfe00",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "42b8ef37-b724-4e24-bbc8-7a7708edfe00"
}
BuiltIn Kubernetes False False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "New Zealand ISM Restricted",
    "policyType": "BuiltIn",
    "description": "This initiative includes policies that address a subset of New Zealand Information Security Manual controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/nzism-initiative.",
    "metadata": {
      "version": "3.0.1",
      "category": "Regulatory Compliance"
    },
    "parameters": {
      "effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Effect for policy: Web Application Firewall (WAF) should be enabled for Azure Front Door Service",
          "description": "For more information about effects, visit https://aka.ms/policyeffects",
          "deprecated": true
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "effect-057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-08e6af2d-db70-460a-bfe9-d5bd474ba9d6": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Adaptive network hardening recommendations should be applied on internet facing virtual machines",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-09024ccc-0c5f-475e-9457-b7c0d9ed487b": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: There should be more than one owner assigned to your subscription",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-0961003e-5a0a-4549-abde-af6a37f2724d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-0e60b895-3786-45da-8377-9c6b4b6ac5f9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Remote debugging should be turned off for Function Apps",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-12430be1-6cc8-4527-a9a8-e3d38f250096": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Web Application Firewall (WAF) should use the specified mode for Application Gateway",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "modeRequirement-12430be1-6cc8-4527-a9a8-e3d38f250096": {
        "type": "String",
        "metadata": {
          "displayName": "WAF mode requirement for Application Gateway",
          "description": "The Prevention or Detection mode must be enabled on the Application Gateway service"
        },
        "allowedValues": [
          "Prevention",
          "Detection"
        ],
        "defaultValue": "Detection"
      },
      "effect-17k78e20-9358-41c9-923c-fb736d382a12": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Transparent Data Encryption on SQL databases should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-1b7aa243-30e4-4c9e-bca8-d0d3022b634a": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Vulnerability assessment should be enabled on SQL Managed Instance",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "listOfImageIdToInclude-1c210e94-a481-4beb-95fa-1571b434fb04": {
        "type": "Array",
        "metadata": {
          "displayName": "[Deprecated]: Optional: List of custom VM images that have supported Windows OS to add to scope additional to the images in the gallery",
          "description": "For more information on Guest Configuration, visit https://aka.ms/gcpol",
          "deprecated": true
        },
        "defaultValue": []
      },
      "effect-1f314764-cb73-4fc9-b863-8eca98ac36e9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: An Azure Active Directory administrator should be provisioned for SQL servers",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-22bee202-a82f-4305-9a2a-6d7f44d4dedb": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Only secure connections to your Azure Cache for Redis should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-26a828e1-e88f-464e-bbb3-c134a282b9de": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Endpoint protection solution should be installed on virtual machine scale sets",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "IncludeArcMachines-30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc-connected servers when evaluating policy: Audit Windows machines missing any of specified members in the Administrators group",
          "description": "By selecting 'true,' you agree to be charged monthly per Arc connected machine"
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "MembersToInclude-30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7": {
        "type": "String",
        "metadata": {
          "displayName": "List of users that must be included in Windows VM Administrators group",
          "description": "A semicolon-separated list of users that should be included in the Administrators local group; Ex: Administrator; myUser1; myUser2"
        }
      },
      "listOfImageIdToInclude_windows-32133ab0-ee4b-4b44-98d6-042180979d50": {
        "type": "Array",
        "metadata": {
          "displayName": "[Deprecated]: Optional: List of custom VM images that have supported Windows OS to add to scope additional to the images in the gallery",
          "description": "For more information on Guest Configuration, visit https://aka.ms/gcpol",
          "deprecated": true
        },
        "defaultValue": []
      },
      "listOfImageIdToInclude_linux-32133ab0-ee4b-4b44-98d6-042180979d50": {
        "type": "Array",
        "metadata": {
          "displayName": "[Deprecated]: Optional: List of custom VM images that have supported Linux OS to add to scope additional to the images in the gallery",
          "description": "For more information on Guest Configuration, visit https://aka.ms/gcpol",
          "deprecated": true
        },
        "defaultValue": []
      },
      "effect-34c877ad-507e-4c82-993e-3452a6e0ad3c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage accounts should restrict network access",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "listOfImageIdToInclude-3be22e3b-d919-47aa-805e-8985dbeb0ad9": {
        "type": "Array",
        "metadata": {
          "displayName": "[Deprecated]: Optional: List of custom VM images that have supported Windows OS to add to scope additional to the images in the gallery",
          "description": "For more information on Guest Configuration, visit https://aka.ms/gcpol",
          "deprecated": true
        },
        "defaultValue": []
      },
      "effect-3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Vulnerabilities in security configuration on your virtual machine scale sets should be remediated",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "IncludeArcMachines-3d2a3320-2a72-4c67-ac5f-caa40fbee2b2": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc-connected servers when evaluating policy: Audit Windows machines that have extra accounts in the Administrators group",
          "description": "By selecting 'true,' you agree to be charged monthly per Arc connected machine"
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "Members-3d2a3320-2a72-4c67-ac5f-caa40fbee2b2": {
        "type": "String",
        "metadata": {
          "displayName": "List of users that Windows VM Administrators group must only include",
          "description": "A semicolon-separated list of all the expected members of the Administrators local group; Ex: Administrator; myUser1; myUser2"
        },
        "defaultValue": "Administrator"
      },
      "effect-404c3081-a854-4457-ae30-26a93ef643f9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Secure transfer to storage accounts should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-425bea59-a659-4cbb-8d31-34499bd030b8": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "modeRequirement-425bea59-a659-4cbb-8d31-34499bd030b8": {
        "type": "String",
        "metadata": {
          "displayName": "WAF mode requirement for Azure Front Door Service",
          "description": "The Prevention or Detection mode must be enabled on the Azure Front Door service"
        },
        "allowedValues": [
          "Prevention",
          "Detection"
        ],
        "defaultValue": "Detection"
      },
      "effect-47a6b606-51aa-4496-8bb7-64b11cf66adc": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Adaptive application controls for defining safe applications should be enabled on your machines",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-4f11b553-d42e-4e3a-89be-32ca364cad4c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: A maximum of 3 owners should be designated for your subscription",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-4fa4b6c0-31ca-4c0d-b10d-24b96f62a751": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Effect for policy: [Preview]: Storage account public access should be disallowed",
          "description": "For more information about effects, visit https://aka.ms/policyeffects",
          "deprecated": true
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "disabled"
      },
      "effect-501541f7-f7e7-4cd6-868c-4190fdad3ac9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: A vulnerability assessment solution should be enabled on your virtual machines",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Web Application Firewall (WAF) should be enabled for Application Gateway",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-5744710e-cc2f-4ee8-8809-3b11e89f4bc9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: CORS should not allow every resource to access your Web Applications",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "IncludeArcMachines-5752e6d6-1206-46d8-8ab1-ecc2f71a8112": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc-connected servers when evaluating policy: Audit Windows web servers that are not using secure communication protocols",
          "description": "By selecting 'true,' you agree to be charged monthly per Arc connected machine"
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112": {
        "type": "String",
        "metadata": {
          "displayName": "Minimum TLS version for Windows web servers",
          "description": "Windows web servers with lower TLS versions will be assessed as non-compliant"
        },
        "allowedValues": [
          "1.1",
          "1.2"
        ],
        "defaultValue": "1.2"
      },
      "listOfImageIdToInclude_windows-5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138": {
        "type": "Array",
        "metadata": {
          "displayName": "Optional: List of custom VM images that have supported Windows OS to add to scope additional to the images in the gallery",
          "description": "For more information on Guest Configuration, visit https://aka.ms/gcpol"
        },
        "defaultValue": []
      },
      "listOfImageIdToInclude_linux-5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138": {
        "type": "Array",
        "metadata": {
          "displayName": "Optional: List of custom VM images that have supported Linux OS to add to scope additional to the images in the gallery",
          "description": "For more information on Guest Configuration, visit https://aka.ms/gcpol"
        },
        "defaultValue": []
      },
      "effect-5c607a2e-c700-4744-8254-d77e7c9eb5e4": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: External accounts with write permissions should be removed from your subscription",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "IncludeArcMachines-69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc-connected servers when evaluating policy: Audit Windows machines that have the specified members in the Administrators group",
          "description": "By selecting 'true,' you agree to be charged monthly per Arc connected machine"
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "MembersToExclude-69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f": {
        "type": "String",
        "metadata": {
          "displayName": "List of users that must be excluded from Windows VM Administrators group",
          "description": "A semicolon-separated list of users that should be excluded in the Administrators local group; Ex: Administrator; myUser1; myUser2"
        }
      },
      "effect-6b1cbf55-e8b6-442f-ba4c-7246b6381474": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Deprecated accounts should be removed from your subscription",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Function App should only be accessible over HTTPS",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-7796937f-307b-4598-941c-67d3a05ebfe7": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Effect for policy: Azure subscriptions should have a log profile for Activity Log",
          "description": "For more information about effects, visit https://aka.ms/policyeffects",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "listOfResourceTypes-7f89b1eb-583c-429a-8828-af049802c1d9": {
        "type": "Array",
        "metadata": {
          "displayName": "[Deprecated]: List of resource types that should have resource logs enabled",
          "strongType": "resourceTypes",
          "deprecated": true
        },
        "defaultValue": [
          "Microsoft.AnalysisServices/servers",
          "Microsoft.ApiManagement/service",
          "Microsoft.Network/applicationGateways",
          "Microsoft.Automation/automationAccounts",
          "Microsoft.ContainerInstance/containerGroups",
          "Microsoft.ContainerRegistry/registries",
          "Microsoft.ContainerService/managedClusters",
          "Microsoft.Batch/batchAccounts",
          "Microsoft.Cdn/profiles/endpoints",
          "Microsoft.CognitiveServices/accounts",
          "Microsoft.DocumentDB/databaseAccounts",
          "Microsoft.DataFactory/factories",
          "Microsoft.DataLakeAnalytics/accounts",
          "Microsoft.DataLakeStore/accounts",
          "Microsoft.EventGrid/eventSubscriptions",
          "Microsoft.EventGrid/topics",
          "Microsoft.EventHub/namespaces",
          "Microsoft.Network/expressRouteCircuits",
          "Microsoft.Network/azureFirewalls",
          "Microsoft.HDInsight/clusters",
          "Microsoft.Devices/IotHubs",
          "Microsoft.KeyVault/vaults",
          "Microsoft.Network/loadBalancers",
          "Microsoft.Logic/integrationAccounts",
          "Microsoft.Logic/workflows",
          "Microsoft.DBforMySQL/servers",
          "Microsoft.Network/networkInterfaces",
          "Microsoft.Network/networkSecurityGroups",
          "Microsoft.DBforPostgreSQL/servers",
          "Microsoft.PowerBIDedicated/capacities",
          "Microsoft.Network/publicIPAddresses",
          "Microsoft.RecoveryServices/vaults",
          "Microsoft.Cache/redis",
          "Microsoft.Relay/namespaces",
          "Microsoft.Search/searchServices",
          "Microsoft.ServiceBus/namespaces",
          "Microsoft.SignalRService/SignalR",
          "Microsoft.Sql/servers/databases",
          "Microsoft.Sql/servers/elasticPools",
          "Microsoft.StreamAnalytics/streamingjobs",
          "Microsoft.TimeSeriesInsights/environments",
          "Microsoft.Network/trafficManagerProfiles",
          "Microsoft.Compute/virtualMachines",
          "Microsoft.Compute/virtualMachineScaleSets",
          "Microsoft.Network/virtualNetworks",
          "Microsoft.Network/virtualNetworkGateways"
        ]
      },
      "effect-86b3d65f-7626-441e-b690-81a8b71cff60": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: System updates should be installed on your machines",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Latest TLS version should be used in your API App",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-9297c21d-2ed6-4474-b48f-163f75654ce3": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: MFA should be enabled accounts with write permissions on your subscription",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-9b597639-28e4-48eb-b506-56b05d366257": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Effect for policy: Microsoft IaaSAntimalware extension should be deployed on Windows servers",
          "description": "For more information about effects, visit https://aka.ms/policyeffects",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "effect-a4af4a39-4135-47fb-b175-47fbdf85311d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Web Application should only be accessible over HTTPS",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-a7aca53f-2ed4-4466-a25e-0b45ade68efd": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure DDoS Protection Standard should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-aa633080-8b72-40c4-a2d7-d00c03e80bed": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: MFA should be enabled on accounts with owner permissions on your subscription",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Advanced data security should be enabled on your SQL servers",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Advanced data security should be enabled on SQL Managed Instance",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-af6cd1bd-1635-48cb-bde7-5b15693900b9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Monitor missing Endpoint Protection in Azure Security Center",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-b02aacc0-b073-424e-8298-42b22829ee0a": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Effect for policy: Activity log should be retained for at least one year",
          "description": "For more information about effects, visit https://aka.ms/policyeffects",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "effect-b0f33259-77d7-4c9e-aac6-3aabcfae693c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Management ports of virtual machines should be protected with just-in-time network access control",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-b54ed75b-3e1a-44ac-a333-05ba39b99ff0": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Service Fabric clusters should only use Azure Active Directory for client authentication",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-b7ddfbdc-1260-477d-91fd-98bd9be789a6": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: API App should only be accessible over HTTPS",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "IncludeArcMachines-bed48b13-6647-468e-aa2f-1af1d3f4dd40": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Include Arc-connected servers when evaluating policy: Audit Windows machines on which Windows Defender Exploit Guard is not enabled",
          "description": "By selecting 'true,' you agree to be charged monthly per Arc connected machine",
          "deprecated": true
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Compliance state to report for Windows machines on which Windows Defender Exploit Guard is not available",
          "description": "Windows Defender Exploit Guard is only available starting with Windows 10/Windows Server with update 1709. Setting this value to 'Non-Compliant' shows machines with older versions on which Windows Defender Exploit Guard is not available (such as Windows Server 2012 R2) as non-compliant. Setting this value to 'Compliant' shows these machines as compliant.",
          "deprecated": true
        },
        "allowedValues": [
          "Compliant",
          "Non-Compliant"
        ],
        "defaultValue": "Non-Compliant"
      },
      "effect-bed48b13-6647-468e-aa2f-1af1d3f4dd40": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Effect for policy: Audit Windows machines on which Windows Defender Exploit Guard is not enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: System updates on virtual machine scale sets should be installed",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-cb510bfd-1cba-4d9f-a230-cb0976f4bb71": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Remote debugging should be turned off for Web Applications",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Vulnerabilities in security configuration on your machines should be remediated",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-e3576e28-8b17-4677-84c3-db2990658d64": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: MFA should be enabled on accounts with read permissions on your subscription",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "listOfAllowedLocations-e56962a6-4747-49cd-b67b-bf8b01975c4c": {
        "type": "Array",
        "metadata": {
          "displayName": "[Deprecated]: Allowed locations for resources (deployments to other locations will be denied)",
          "description": "Locations for NZISM Restricted are New Zealand North, Australia East, Australia Southeast, Australia Central and Australia Central 2.",
          "strongType": "location",
          "deprecated": true
        },
        "allowedValues": [
          "australiaeast",
          "australiasoutheast",
          "australiacentral",
          "australiacentral2"
        ],
        "defaultValue": []
      },
      "listOfAllowedLocations-e765b5de-1225-4ba3-bd56-1ac6695af988": {
        "type": "Array",
        "metadata": {
          "displayName": "[Deprecated]: Allowed locations for resource groups (deployments to other locations will be denied)",
          "description": "Locations for NZISM Restricted are New Zealand North, Australia East, Australia Southeast, Australia Central and Australia Central 2.",
          "strongType": "location",
          "deprecated": true
        },
        "allowedValues": [
          "australiaeast",
          "australiasoutheast",
          "australiacentral",
          "australiacentral2"
        ],
        "defaultValue": []
      },
      "effect-e8cbc669-f12d-49eb-93e7-9273119e9933": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Vulnerabilities in container security configurations should be remediated",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-e9c8d085-d9cc-4b17-9cdc-059f1f01f19e": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Remote debugging should be turned off for API Apps",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "IncludeArcMachines-ea53dbee-c6c9-4f0e-9f9e-de0039b78023": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc-connected servers when evaluating policy: Audit Linux machines that allow remote connections from accounts without passwords",
          "description": "By selecting 'true,' you agree to be charged monthly per Arc connected machine"
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "effect-ea53dbee-c6c9-4f0e-9f9e-de0039b78023": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Audit Linux machines that allow remote connections from accounts without passwords",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-ebb62a0c-3560-49e1-89ed-27e074e9f8ad": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Deprecated accounts with owner permissions should be removed from your subscription",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Vulnerability assessment should be enabled on your SQL servers",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Latest TLS version should be used in your Web App",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "IncludeArcMachines-f2143251-70de-4e81-87a8-36cee5a2f29d": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc-connected servers when evaluating policy: Windows machines should meet requirements for 'Security Settings - Account Policies'",
          "description": "By selecting 'true,' you agree to be charged monthly per Arc connected machine"
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "EnforcePasswordHistory-f2143251-70de-4e81-87a8-36cee5a2f29d": {
        "type": "String",
        "metadata": {
          "displayName": "Enforce password history for Windows VM local accounts",
          "description": "Specifies limits on password reuse - how many times a new password must be created for a user account before the password can be repeated"
        },
        "defaultValue": "24"
      },
      "MaximumPasswordAge-f2143251-70de-4e81-87a8-36cee5a2f29d": {
        "type": "String",
        "metadata": {
          "displayName": "Maximum password age for Windows VM local accounts",
          "description": "Specifies the maximum number of days that may elapse before a user account password must be changed; the format of the value is two integers separated by a comma, denoting an inclusive range"
        },
        "defaultValue": "1,70"
      },
      "MinimumPasswordAge-f2143251-70de-4e81-87a8-36cee5a2f29d": {
        "type": "String",
        "metadata": {
          "displayName": "Minimum password age for Windows VM local accounts",
          "description": "Specifies the minimum number of days that must elapse before a user account password can be changed"
        },
        "defaultValue": "1"
      },
      "MinimumPasswordLength-f2143251-70de-4e81-87a8-36cee5a2f29d": {
        "type": "String",
        "metadata": {
          "displayName": "Minimum password length for Windows VM local accounts",
          "description": "Specifies the minimum number of characters that a user account password may contain"
        },
        "defaultValue": "14"
      },
      "PasswordMustMeetComplexityRequirements-f2143251-70de-4e81-87a8-36cee5a2f29d": {
        "type": "String",
        "metadata": {
          "displayName": "Password must meet complexity requirements for Windows VM local accounts",
          "description": "Specifies whether a user account password must be complex; if required, a complex password must not contain part of the user's account name or full name; be at least 6 characters long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters"
        },
        "defaultValue": "1"
      },
      "effect-f2143251-70de-4e81-87a8-36cee5a2f29d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Windows machines should meet requirements for 'Security Settings - Account Policies'",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "logAnalyticsWorkspaceId-f47b5582-33ec-4c5c-87c0-b010a6b2e917": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Log Analytics workspace ID for VM agent reporting",
          "description": "ID (GUID) of the Log Analytics workspace where VMs agents should report",
          "deprecated": true
        },
        "defaultValue": ""
      },
      "effect-f6de0be7-9a8a-4b8a-b349-43cf02d22f7c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Internet-facing virtual machines should be protected with network security groups",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "IncludeArcMachines-f6ec09a3-78bf-4f8f-99dc-6c77182d0f99": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc-connected servers when evaluating policy: Audit Linux machines that have accounts without passwords",
          "description": "By selecting 'true,' you agree to be charged monthly per Arc connected machine"
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "effect-f6ec09a3-78bf-4f8f-99dc-6c77182d0f99": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Audit Linux machines that have accounts without passwords",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-f8456c1c-aa66-4dfb-861a-25d127b775c9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: External accounts with owner permissions should be removed from your subscription",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-f9d614c5-c173-4d56-95a7-b4437057d193": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Latest TLS version should be used in your Function App",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-fc5e4038-4584-4632-8c85-c0448d374b2c": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Effect for policy: [Preview]: All Internet traffic should be routed via your deployed Azure Firewall",
          "description": "For more information about effects, visit https://aka.ms/policyeffects",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "effect-feedbf84-6b99-488c-acc2-71c829aa5ffc": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Vulnerabilities on your SQL databases should be remediated",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-d62cfe2b-3ab0-4d41-980d-76803b58ca65": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Log Analytics agent health issues should be resolved on your machines",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-a1817ec0-a368-432a-8057-8371e17ac6ee": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-044985bb-afe1-42cd-8a36-9d5d42424537": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage account keys should not be expired",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-1ee56206-5dd1-42ab-b02d-8aae8b1634ce": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure API for FHIR should use private link",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-2913021d-f2fd-4f3d-b958-22354e2bdbcb": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Defender for App Service should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-7fe3b40f-802b-4cdd-8bd4-fd799c948cc2": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Defender for Azure SQL Database servers should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-c25d9a16-bc35-4e15-a7e5-9db606bf9ed4": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Defender for container registries should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-0e6763cc-5078-4e64-889d-ff4d9a839047": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Defender for Key Vault should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-523b5cd1-3e23-492f-a539-13118b6d1e3a": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Defender for Kubernetes should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-4da35fc9-c9e7-4960-aec9-797fe7d9051d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Defender for servers should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-6581d072-105e-4418-827f-bd446d56421b": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Defender for SQL servers on machines should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-308fbb08-4ab8-4e67-9b29-592e93fb94fa": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Defender for Storage should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-a451c1ef-c6ca-483d-87ed-f49761e3ffb5": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Audit usage of custom RBAC rules",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Auditing on SQL server should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9": {
        "type": "String",
        "metadata": {
          "displayName": "Required auditing setting for SQL servers"
        },
        "allowedValues": [
          "enabled",
          "disabled"
        ],
        "defaultValue": "enabled"
      },
      "effect-b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Diagnostic logs in App Services should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-057ef27e-665e-4328-8ea3-04b3122bd9fb": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Diagnostic logs in Azure Data Lake Store should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "requiredRetentionDays": {
        "type": "String",
        "metadata": {
          "displayName": "Required retention period (days) for resource logs"
        },
        "defaultValue": "365"
      },
      "effect-f9be5368-9bf5-4b84-9e0a-7850da98bb46": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Diagnostic logs in Azure Stream Analytics should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-428256e6-1fac-4f48-a757-df34c2b3336d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Diagnostic logs in Batch accounts should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-c95c74d9-38fe-4f0d-af86-0c7d626a315c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Diagnostic logs in Data Lake Analytics should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-83a214f7-d01a-484b-91a9-ed54470c9a6a": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Diagnostic logs in Event Hub should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-383856f8-de7f-44a2-81fc-e5135b5c2aa4": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Diagnostic logs in IoT Hub should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-cf820ca0-f99e-4f3e-84fb-66e913812d21": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Diagnostic logs in Key Vault should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-34f95f76-5386-4de7-b824-0d8478470c9d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Diagnostic logs in Logic Apps should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-b4330a05-a843-4bc8-bf9a-cacce50c67f4": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Diagnostic logs in Search services should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-f8d36e2f-389b-4ee4-898d-21aeb69a0f45": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Diagnostic logs in Service Bus should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-7c1b1214-f927-48bf-8882-84f0af6588b1": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Diagnostic logs in Virtual Machine Scale Sets should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "includeAKSClusters-7c1b1214-f927-48bf-8882-84f0af6588b1": {
        "type": "Boolean",
        "metadata": {
          "displayName": "Include AKS clusters when auditing if virtual machine scale set diagnostic logs are enabled",
          "description": "For more information, visit https://aka.ms/kubepolicydoc"
        },
        "defaultValue": false
      },
      "effect-123a3936-f020-408a-ba0c-47873faf1534": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Allowlist rules in your adaptive application control policy should be updated",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-c4d441f8-f9d9-4a9e-9cef-e82117cb3eef": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Managed identity should be used in your API App",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-0da106f2-4ca3-48e8-bc85-c638fe6aea8f": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Managed identity should be used in your Function App",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-2b9ad585-36bc-4615-b300-fd4435808332": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Managed identity should be used in your Web App",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-5f0f936f-2f01-4bf5-b6be-d423792fa562": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Vulnerabilities in Azure Container Registry images should be remediated",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-6ba6d016-e7c3-4842-b8f2-4992ebc0d72d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: SQL servers on machines should have vulnerability findings resolved",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-22730e10-96f6-4aac-ad84-9383d35b5917": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Management ports should be closed on your virtual machines",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-358c20a6-3f9e-4f0e-97ff-c6ce485e2aac": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: CORS should not allow every resource to access your API App",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-0820b7b9-23aa-4725-a1ce-ae4558f718e5": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: CORS should not allow every resource to access your Function Apps",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "IncludeArcMachines-630c64f9-8b6b-4c64-b511-6544ceff6fd6": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc-connected servers when evaluating policy: Audit Linux machines that are not using SSH key for authentication",
          "description": "By selecting 'true,' you agree to be charged monthly per Arc connected machine"
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "effect-630c64f9-8b6b-4c64-b511-6544ceff6fd6": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Audit Linux machines that are not using SSH key for authentication",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-1f905d99-2ab7-462c-a6b0-f709acca6c8f": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Cosmos DB account should use customer-managed keys to encrypt data at rest",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-ba769a63-b8cc-4b2d-abf6-ac33c7204be8": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-83cef61d-dbd1-4b20-a4fc-5fbc7da10833": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Bring your own key data protection should be enabled for MySQL servers",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-18adea5e-f416-4d0f-8aa8-d24321e3e274": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Bring your own key data protection should be enabled for PostgreSQL servers",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Cognitive Services accounts should enable data encryption with customer-managed key",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Container registries should be encrypted with a customer-managed key (CMK)",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-048248b0-55cd-46da-b1ff-39efd52db260": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: SQL managed instances should use customer-managed keys to encrypt data at rest",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-0d134df8-db83-46fb-ad72-fe0c9428c8dd": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: SQL servers should use customer-managed keys to encrypt data at rest",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-6fac406b-40ca-413b-bf8e-0bf964659c25": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage account should use customer-managed key for encryption",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Cosmos DB accounts should have firewall rules",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-e71308d3-144b-4262-b144-efdc3cc90517": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Subnets should be associated with a Network Security Group",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-bd352bd5-2853-4985-bf0d-73806b4a5744": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: IP Forwarding on your virtual machine should be disabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-9daedab3-fb2d-461e-b861-71790eead4f6": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: All network ports should be restricted on network security groups associated to your virtual machine",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Key vault should have purge protection enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Key vault should have soft delete enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-88999f4c-376a-45c8-bcb3-4058f713cf39": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure that 'Java version' is the latest, if used as a part of the API app",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure that 'Java version' is the latest, if used as a part of the Function app",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-496223c3-ad65-4ecd-878a-bae78737e9ed": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure that 'Java version' is the latest, if used as a part of the Web app",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure that 'PHP version' is the latest, if used as a part of the API app",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-7261b898-8a84-4db8-9e04-18527132abb3": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure that 'PHP version' is the latest, if used as a part of the WEB app",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-74c3584d-afae-46f7-a20a-6f8adba71a16": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure that 'Python version' is the latest, if used as a part of the API app",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-7238174a-fd10-4ef0-817e-fc820a951d73": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure that 'Python version' is the latest, if used as a part of the Function app",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-7008174a-fd10-4ef0-817e-fc820a951d73": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Ensure that 'Python version' is the latest, if used as a part of the Web app",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-ef619a2c-cc4d-4d03-b2ba-8c94a834d85b": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: API Management services should use a virtual network",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "evaluatedSkuNames-ef619a2c-cc4d-4d03-b2ba-8c94a834d85b": {
        "type": "Array",
        "metadata": {
          "displayName": "API Management SKUs that should use a virtual network",
          "description": "List of API Management SKUs against which this policy will be evaluated"
        },
        "allowedValues": [
          "Developer",
          "Basic",
          "Standard",
          "Premium",
          "Consumption"
        ],
        "defaultValue": [
          "Developer",
          "Premium"
        ]
      },
      "effect-ca610c1d-041c-4332-9d88-7ed3094967c7": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: App Configuration should use a private link",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-7d092e0a-7acd-40d2-a975-dca21cae48c4": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Cache for Redis should reside within a virtual network",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-9830b652-8523-49cc-b1b3-e17dce1127ca": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Event Grid domains should use private links",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-4b90e17e-8448-49db-875e-bd83fb6f804f": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Event Grid topics should use private links",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-c39ba22d-4428-4149-b981-70acb31fc383": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Key Vault Managed HSM should have purge protection enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-40cec1dd-a100-4920-b15b-3024fe8901ab": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Machine Learning workspaces should use private link",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-53503636-bcc9-4748-9663-5348217f160f": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure SignalR Service should use private links",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-af35e2a4-ef96-44e7-a9ae-853dd97032c4": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Spring Cloud should use network injection",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled",
          "Deny"
        ],
        "defaultValue": "Audit"
      },
      "evaluatedSkuNames-af35e2a4-ef96-44e7-a9ae-853dd97032c4": {
        "type": "Array",
        "metadata": {
          "displayName": "Azure Spring Cloud SKUs that should use network injection",
          "description": "List of Azure Spring Cloud SKUs against which this policy will be evaluated"
        },
        "allowedValues": [
          "Standard"
        ],
        "defaultValue": [
          "Standard"
        ]
      },
      "effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Public network access should be disabled for Cognitive Services accounts",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-037eea7a-bd0a-46c5-9a66-03aea78705d3": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Cognitive Services accounts should restrict network access",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-d0793b48-0edc-4296-a390-4c75d1bdfd71": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Container registries should not allow unrestricted network access",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-e8eef0a8-67cf-4eb4-9386-14b0e78733d4": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Container registries should use private links",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-7698e800-9299-47a6-b3b6-5a0fee576eed": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Private endpoint connections on Azure SQL Database should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-009a0c92-f5b4-4776-9b66-4ed2b4775563": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: \tPrivate endpoint connections on Batch accounts should be enabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-0a1302fb-a631-4106-9753-f3d494733990": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Private endpoint should be enabled for MariaDB servers",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-7595c971-233d-4bcf-bd18-596129188c49": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Private endpoint should be enabled for MySQL servers",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-0564d078-92f5-4f97-8398-b9f58a51f70b": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Private endpoint should be enabled for PostgreSQL servers",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-1b8ca024-1d5c-4dec-8995-b1a932b41780": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Public network access on Azure SQL Database should be disabled",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-fdccbe47-f3e3-4213-ad5d-ea459b2fa077": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Public network access should be disabled for MariaDB servers",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-d9844e8a-1437-4aeb-a32c-0c992f056095": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Public network access should be disabled for MySQL servers",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-b52376f7-9612-48a1-81cd-1ffe4b61032c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Public network access should be disabled for PostgreSQL servers",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage accounts should restrict network access using virtual network rules",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-6edd7eda-6dd8-40f7-810d-67160c639cd9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage account should use a private link connection",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-2154edb9-244f-4741-9970-660785bccdaa": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: VM Image Builder templates should use private link",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled",
          "Deny"
        ],
        "defaultValue": "Audit"
      },
      "effect-9a1b8c48-453a-4044-86c3-d8bfd823e4f5": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: FTPS only should be required in your API App",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-399b2637-a50f-4f95-96f8-3a145476eb15": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: FTPS only should be required in your Function App",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "effect-4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: FTPS should be required in your Web App",
          "description": "For more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_ISM-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "08e6af2d-db70-460a-bfe9-d5bd474ba9d6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-08e6af2d-db70-460a-bfe9-d5bd474ba9d6')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_GS-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "09024ccc-0c5f-475e-9457-b7c0d9ed487b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-09024ccc-0c5f-475e-9457-b7c0d9ed487b')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_AC-11"
        ]
      },
      {
        "policyDefinitionReferenceId": "0961003e-5a0a-4549-abde-af6a37f2724d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0961003e-5a0a-4549-abde-af6a37f2724d')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_CR-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "0e60b895-3786-45da-8377-9c6b4b6ac5f9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0e60b895-3786-45da-8377-9c6b4b6ac5f9')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_SS-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "12430be1-6cc8-4527-a9a8-e3d38f250096",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-12430be1-6cc8-4527-a9a8-e3d38f250096')]"
          },
          "modeRequirement": {
            "value": "[parameters('modeRequirement-12430be1-6cc8-4527-a9a8-e3d38f250096')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_NS-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "17k78e20-9358-41c9-923c-fb736d382a12",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-17k78e20-9358-41c9-923c-fb736d382a12')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_CR-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "1b7aa243-30e4-4c9e-bca8-d0d3022b634a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1b7aa243-30e4-4c9e-bca8-d0d3022b634a')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_ISM-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "1f314764-cb73-4fc9-b863-8eca98ac36e9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1f314764-cb73-4fc9-b863-8eca98ac36e9')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_AC-11"
        ]
      },
      {
        "policyDefinitionReferenceId": "22bee202-a82f-4305-9a2a-6d7f44d4dedb",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-22bee202-a82f-4305-9a2a-6d7f44d4dedb')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_PS-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "26a828e1-e88f-464e-bbb3-c134a282b9de",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-26a828e1-e88f-464e-bbb3-c134a282b9de')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_SS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines-30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7')]"
          },
          "MembersToInclude": {
            "value": "[parameters('MembersToInclude-30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_AC-11"
        ]
      },
      {
        "policyDefinitionReferenceId": "331e8ea8-378a-410f-a2e5-ae22f38bb0da",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da",
        "parameters": {},
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_SS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "34c877ad-507e-4c82-993e-3452a6e0ad3c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-34c877ad-507e-4c82-993e-3452a6e0ad3c')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_GS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "385f5831-96d4-41db-9a3c-cd3af78aaae6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6",
        "parameters": {},
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_SS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_ISM-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "3d2a3320-2a72-4c67-ac5f-caa40fbee2b2",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3d2a3320-2a72-4c67-ac5f-caa40fbee2b2",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines-3d2a3320-2a72-4c67-ac5f-caa40fbee2b2')]"
          },
          "Members": {
            "value": "[parameters('Members-3d2a3320-2a72-4c67-ac5f-caa40fbee2b2')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_AC-11"
        ]
      },
      {
        "policyDefinitionReferenceId": "404c3081-a854-4457-ae30-26a93ef643f9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-404c3081-a854-4457-ae30-26a93ef643f9')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_PS-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "425bea59-a659-4cbb-8d31-34499bd030b8",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-425bea59-a659-4cbb-8d31-34499bd030b8')]"
          },
          "modeRequirement": {
            "value": "[parameters('modeRequirement-425bea59-a659-4cbb-8d31-34499bd030b8')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_NS-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "47a6b606-51aa-4496-8bb7-64b11cf66adc",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-47a6b606-51aa-4496-8bb7-64b11cf66adc')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_SS-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "4f11b553-d42e-4e3a-89be-32ca364cad4c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-4f11b553-d42e-4e3a-89be-32ca364cad4c')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_AC-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "501541f7-f7e7-4cd6-868c-4190fdad3ac9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-501541f7-f7e7-4cd6-868c-4190fdad3ac9')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_ISM-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "564feb30-bf6a-4854-b4bb-0d2d2d1e6c66",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_NS-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "5744710e-cc2f-4ee8-8809-3b11e89f4bc9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-5744710e-cc2f-4ee8-8809-3b11e89f4bc9')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_SS-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "5752e6d6-1206-46d8-8ab1-ecc2f71a8112",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines-5752e6d6-1206-46d8-8ab1-ecc2f71a8112')]"
          },
          "MinimumTLSVersion": {
            "value": "[parameters('MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_CR-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138",
        "parameters": {
          "listOfImageIdToInclude_windows": {
            "value": "[parameters('listOfImageIdToInclude_windows-5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138')]"
          },
          "listOfImageIdToInclude_linux": {
            "value": "[parameters('listOfImageIdToInclude_linux-5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_AC-17"
        ]
      },
      {
        "policyDefinitionReferenceId": "5c607a2e-c700-4744-8254-d77e7c9eb5e4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-5c607a2e-c700-4744-8254-d77e7c9eb5e4')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_AC-11"
        ]
      },
      {
        "policyDefinitionReferenceId": "69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines-69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f')]"
          },
          "MembersToExclude": {
            "value": "[parameters('MembersToExclude-69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_AC-11"
        ]
      },
      {
        "policyDefinitionReferenceId": "6b1cbf55-e8b6-442f-ba4c-7246b6381474",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-6b1cbf55-e8b6-442f-ba4c-7246b6381474')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_AC-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_SS-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "86b3d65f-7626-441e-b690-81a8b71cff60",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-86b3d65f-7626-441e-b690-81a8b71cff60')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_PRS-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_CR-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "9297c21d-2ed6-4474-b48f-163f75654ce3",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-9297c21d-2ed6-4474-b48f-163f75654ce3')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_AC-11"
        ]
      },
      {
        "policyDefinitionReferenceId": "a4af4a39-4135-47fb-b175-47fbdf85311d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-a4af4a39-4135-47fb-b175-47fbdf85311d')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_SS-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "a7aca53f-2ed4-4466-a25e-0b45ade68efd",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-a7aca53f-2ed4-4466-a25e-0b45ade68efd')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_NS-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "aa633080-8b72-40c4-a2d7-d00c03e80bed",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-aa633080-8b72-40c4-a2d7-d00c03e80bed')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_AC-11"
        ]
      },
      {
        "policyDefinitionReferenceId": "abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_DM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_DM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "af6cd1bd-1635-48cb-bde7-5b15693900b9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-af6cd1bd-1635-48cb-bde7-5b15693900b9')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_SS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "b0f33259-77d7-4c9e-aac6-3aabcfae693c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-b0f33259-77d7-4c9e-aac6-3aabcfae693c')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_SS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "b54ed75b-3e1a-44ac-a333-05ba39b99ff0",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-b54ed75b-3e1a-44ac-a333-05ba39b99ff0')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_AC-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "b7ddfbdc-1260-477d-91fd-98bd9be789a6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-b7ddfbdc-1260-477d-91fd-98bd9be789a6')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_SS-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_PRS-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "cb510bfd-1cba-4d9f-a230-cb0976f4bb71",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-cb510bfd-1cba-4d9f-a230-cb0976f4bb71')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_SS-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_ISM-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "e3576e28-8b17-4677-84c3-db2990658d64",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-e3576e28-8b17-4677-84c3-db2990658d64')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_AC-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "e8cbc669-f12d-49eb-93e7-9273119e9933",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-e8cbc669-f12d-49eb-93e7-9273119e9933')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_ISM-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "e9c8d085-d9cc-4b17-9cdc-059f1f01f19e",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-e9c8d085-d9cc-4b17-9cdc-059f1f01f19e')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_SS-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ea53dbee-c6c9-4f0e-9f9e-de0039b78023",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ea53dbee-c6c9-4f0e-9f9e-de0039b78023",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines-ea53dbee-c6c9-4f0e-9f9e-de0039b78023')]"
          },
          "effect": {
            "value": "[parameters('effect-ea53dbee-c6c9-4f0e-9f9e-de0039b78023')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_AC-13"
        ]
      },
      {
        "policyDefinitionReferenceId": "ebb62a0c-3560-49e1-89ed-27e074e9f8ad",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-ebb62a0c-3560-49e1-89ed-27e074e9f8ad')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_AC-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_ISM-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_CR-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "f2143251-70de-4e81-87a8-36cee5a2f29d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f2143251-70de-4e81-87a8-36cee5a2f29d",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines-f2143251-70de-4e81-87a8-36cee5a2f29d')]"
          },
          "EnforcePasswordHistory": {
            "value": "[parameters('EnforcePasswordHistory-f2143251-70de-4e81-87a8-36cee5a2f29d')]"
          },
          "MaximumPasswordAge": {
            "value": "[parameters('MaximumPasswordAge-f2143251-70de-4e81-87a8-36cee5a2f29d')]"
          },
          "MinimumPasswordAge": {
            "value": "[parameters('MinimumPasswordAge-f2143251-70de-4e81-87a8-36cee5a2f29d')]"
          },
          "MinimumPasswordLength": {
            "value": "[parameters('MinimumPasswordLength-f2143251-70de-4e81-87a8-36cee5a2f29d')]"
          },
          "PasswordMustMeetComplexityRequirements": {
            "value": "[parameters('PasswordMustMeetComplexityRequirements-f2143251-70de-4e81-87a8-36cee5a2f29d')]"
          },
          "effect": {
            "value": "[parameters('effect-f2143251-70de-4e81-87a8-36cee5a2f29d')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_AC-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "f6de0be7-9a8a-4b8a-b349-43cf02d22f7c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-f6de0be7-9a8a-4b8a-b349-43cf02d22f7c')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_GS-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "f6ec09a3-78bf-4f8f-99dc-6c77182d0f99",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f6ec09a3-78bf-4f8f-99dc-6c77182d0f99",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines-f6ec09a3-78bf-4f8f-99dc-6c77182d0f99')]"
          },
          "effect": {
            "value": "[parameters('effect-f6ec09a3-78bf-4f8f-99dc-6c77182d0f99')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_AC-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "f8456c1c-aa66-4dfb-861a-25d127b775c9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-f8456c1c-aa66-4dfb-861a-25d127b775c9')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_AC-11"
        ]
      },
      {
        "policyDefinitionReferenceId": "f9d614c5-c173-4d56-95a7-b4437057d193",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-f9d614c5-c173-4d56-95a7-b4437057d193')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_CR-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "feedbf84-6b99-488c-acc2-71c829aa5ffc",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-feedbf84-6b99-488c-acc2-71c829aa5ffc')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_ISM-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56",
        "parameters": {},
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_ISM-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "d62cfe2b-3ab0-4d41-980d-76803b58ca65",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d62cfe2b-3ab0-4d41-980d-76803b58ca65",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-d62cfe2b-3ab0-4d41-980d-76803b58ca65')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_AC-17"
        ]
      },
      {
        "policyDefinitionReferenceId": "a1817ec0-a368-432a-8057-8371e17ac6ee",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-a1817ec0-a368-432a-8057-8371e17ac6ee')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_GS-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "044985bb-afe1-42cd-8a36-9d5d42424537",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-044985bb-afe1-42cd-8a36-9d5d42424537')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_GS-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "1ee56206-5dd1-42ab-b02d-8aae8b1634ce",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1ee56206-5dd1-42ab-b02d-8aae8b1634ce",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1ee56206-5dd1-42ab-b02d-8aae8b1634ce')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_SS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "2913021d-f2fd-4f3d-b958-22354e2bdbcb",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcb",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-2913021d-f2fd-4f3d-b958-22354e2bdbcb')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_SS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "7fe3b40f-802b-4cdd-8bd4-fd799c948cc2",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-7fe3b40f-802b-4cdd-8bd4-fd799c948cc2')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_SS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "c25d9a16-bc35-4e15-a7e5-9db606bf9ed4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c25d9a16-bc35-4e15-a7e5-9db606bf9ed4",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-c25d9a16-bc35-4e15-a7e5-9db606bf9ed4')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_SS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "0e6763cc-5078-4e64-889d-ff4d9a839047",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0e6763cc-5078-4e64-889d-ff4d9a839047')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_SS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "523b5cd1-3e23-492f-a539-13118b6d1e3a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/523b5cd1-3e23-492f-a539-13118b6d1e3a",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-523b5cd1-3e23-492f-a539-13118b6d1e3a')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_SS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "4da35fc9-c9e7-4960-aec9-797fe7d9051d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-4da35fc9-c9e7-4960-aec9-797fe7d9051d')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_SS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "6581d072-105e-4418-827f-bd446d56421b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6581d072-105e-4418-827f-bd446d56421b",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-6581d072-105e-4418-827f-bd446d56421b')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_SS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "308fbb08-4ab8-4e67-9b29-592e93fb94fa",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-308fbb08-4ab8-4e67-9b29-592e93fb94fa')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_SS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "a451c1ef-c6ca-483d-87ed-f49761e3ffb5",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-a451c1ef-c6ca-483d-87ed-f49761e3ffb5')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_AC-17"
        ]
      },
      {
        "policyDefinitionReferenceId": "a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9')]"
          },
          "setting": {
            "value": "[parameters('setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_AC-17"
        ]
      },
      {
        "policyDefinitionReferenceId": "b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_AC-17"
        ]
      },
      {
        "policyDefinitionReferenceId": "057ef27e-665e-4328-8ea3-04b3122bd9fb",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-057ef27e-665e-4328-8ea3-04b3122bd9fb')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_AC-17"
        ]
      },
      {
        "policyDefinitionReferenceId": "f9be5368-9bf5-4b84-9e0a-7850da98bb46",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-f9be5368-9bf5-4b84-9e0a-7850da98bb46')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_AC-17"
        ]
      },
      {
        "policyDefinitionReferenceId": "428256e6-1fac-4f48-a757-df34c2b3336d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-428256e6-1fac-4f48-a757-df34c2b3336d')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_AC-17"
        ]
      },
      {
        "policyDefinitionReferenceId": "c95c74d9-38fe-4f0d-af86-0c7d626a315c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-c95c74d9-38fe-4f0d-af86-0c7d626a315c')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_AC-17"
        ]
      },
      {
        "policyDefinitionReferenceId": "83a214f7-d01a-484b-91a9-ed54470c9a6a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-83a214f7-d01a-484b-91a9-ed54470c9a6a')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_AC-17"
        ]
      },
      {
        "policyDefinitionReferenceId": "383856f8-de7f-44a2-81fc-e5135b5c2aa4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-383856f8-de7f-44a2-81fc-e5135b5c2aa4')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_AC-17"
        ]
      },
      {
        "policyDefinitionReferenceId": "cf820ca0-f99e-4f3e-84fb-66e913812d21",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-cf820ca0-f99e-4f3e-84fb-66e913812d21')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_AC-17"
        ]
      },
      {
        "policyDefinitionReferenceId": "34f95f76-5386-4de7-b824-0d8478470c9d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-34f95f76-5386-4de7-b824-0d8478470c9d')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_AC-17"
        ]
      },
      {
        "policyDefinitionReferenceId": "b4330a05-a843-4bc8-bf9a-cacce50c67f4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-b4330a05-a843-4bc8-bf9a-cacce50c67f4')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_AC-17"
        ]
      },
      {
        "policyDefinitionReferenceId": "f8d36e2f-389b-4ee4-898d-21aeb69a0f45",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-f8d36e2f-389b-4ee4-898d-21aeb69a0f45')]"
          },
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_AC-17"
        ]
      },
      {
        "policyDefinitionReferenceId": "7c1b1214-f927-48bf-8882-84f0af6588b1",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-7c1b1214-f927-48bf-8882-84f0af6588b1')]"
          },
          "includeAKSClusters": {
            "value": "[parameters('includeAKSClusters-7c1b1214-f927-48bf-8882-84f0af6588b1')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_AC-17"
        ]
      },
      {
        "policyDefinitionReferenceId": "123a3936-f020-408a-ba0c-47873faf1534",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/123a3936-f020-408a-ba0c-47873faf1534",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-123a3936-f020-408a-ba0c-47873faf1534')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_SS-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "c4d441f8-f9d9-4a9e-9cef-e82117cb3eef",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-c4d441f8-f9d9-4a9e-9cef-e82117cb3eef')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_AC-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "0da106f2-4ca3-48e8-bc85-c638fe6aea8f",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0da106f2-4ca3-48e8-bc85-c638fe6aea8f')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_AC-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "2b9ad585-36bc-4615-b300-fd4435808332",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-2b9ad585-36bc-4615-b300-fd4435808332')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_AC-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "5f0f936f-2f01-4bf5-b6be-d423792fa562",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-5f0f936f-2f01-4bf5-b6be-d423792fa562')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_ISM-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "6ba6d016-e7c3-4842-b8f2-4992ebc0d72d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-6ba6d016-e7c3-4842-b8f2-4992ebc0d72d')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_ISM-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "22730e10-96f6-4aac-ad84-9383d35b5917",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-22730e10-96f6-4aac-ad84-9383d35b5917')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_SS-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "358c20a6-3f9e-4f0e-97ff-c6ce485e2aac",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-358c20a6-3f9e-4f0e-97ff-c6ce485e2aac')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_SS-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "0820b7b9-23aa-4725-a1ce-ae4558f718e5",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0820b7b9-23aa-4725-a1ce-ae4558f718e5')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_SS-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "630c64f9-8b6b-4c64-b511-6544ceff6fd6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines-630c64f9-8b6b-4c64-b511-6544ceff6fd6')]"
          },
          "effect": {
            "value": "[parameters('effect-630c64f9-8b6b-4c64-b511-6544ceff6fd6')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_CR-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "1f905d99-2ab7-462c-a6b0-f709acca6c8f",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1f905d99-2ab7-462c-a6b0-f709acca6c8f')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_CR-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ba769a63-b8cc-4b2d-abf6-ac33c7204be8",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-ba769a63-b8cc-4b2d-abf6-ac33c7204be8')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_CR-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "83cef61d-dbd1-4b20-a4fc-5fbc7da10833",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-83cef61d-dbd1-4b20-a4fc-5fbc7da10833')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_CR-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "18adea5e-f416-4d0f-8aa8-d24321e3e274",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-18adea5e-f416-4d0f-8aa8-d24321e3e274')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_CR-14",
          "NZISM_Security_Benchmark_v1.1_CR-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "67121cc7-ff39-4ab8-b7e3-95b84dab487d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_CR-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_CR-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "048248b0-55cd-46da-b1ff-39efd52db260",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-048248b0-55cd-46da-b1ff-39efd52db260')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_CR-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "0d134df8-db83-46fb-ad72-fe0c9428c8dd",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0d134df8-db83-46fb-ad72-fe0c9428c8dd')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_CR-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "6fac406b-40ca-413b-bf8e-0bf964659c25",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-6fac406b-40ca-413b-bf8e-0bf964659c25')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_CR-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_GS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "e71308d3-144b-4262-b144-efdc3cc90517",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-e71308d3-144b-4262-b144-efdc3cc90517')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_GS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "bd352bd5-2853-4985-bf0d-73806b4a5744",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-bd352bd5-2853-4985-bf0d-73806b4a5744')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_CR-14"
        ]
      },
      {
        "policyDefinitionReferenceId": "9daedab3-fb2d-461e-b861-71790eead4f6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-9daedab3-fb2d-461e-b861-71790eead4f6')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_GS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "0b60c0b2-2dc2-4e1c-b5c9-abbed971de53",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_CR-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_CR-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "88999f4c-376a-45c8-bcb3-4058f713cf39",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/88999f4c-376a-45c8-bcb3-4058f713cf39",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-88999f4c-376a-45c8-bcb3-4058f713cf39')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_SS-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_SS-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "496223c3-ad65-4ecd-878a-bae78737e9ed",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-496223c3-ad65-4ecd-878a-bae78737e9ed')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_SS-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_SS-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "7261b898-8a84-4db8-9e04-18527132abb3",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-7261b898-8a84-4db8-9e04-18527132abb3')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_SS-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "74c3584d-afae-46f7-a20a-6f8adba71a16",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20a-6f8adba71a16",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-74c3584d-afae-46f7-a20a-6f8adba71a16')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_SS-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "7238174a-fd10-4ef0-817e-fc820a951d73",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-7238174a-fd10-4ef0-817e-fc820a951d73')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_SS-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "7008174a-fd10-4ef0-817e-fc820a951d73",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-7008174a-fd10-4ef0-817e-fc820a951d73')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_SS-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "ef619a2c-cc4d-4d03-b2ba-8c94a834d85b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-ef619a2c-cc4d-4d03-b2ba-8c94a834d85b')]"
          },
          "evaluatedSkuNames": {
            "value": "[parameters('evaluatedSkuNames-ef619a2c-cc4d-4d03-b2ba-8c94a834d85b')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_INF-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "ca610c1d-041c-4332-9d88-7ed3094967c7",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ca610c1d-041c-4332-9d88-7ed3094967c7",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-ca610c1d-041c-4332-9d88-7ed3094967c7')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_INF-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "7d092e0a-7acd-40d2-a975-dca21cae48c4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7d092e0a-7acd-40d2-a975-dca21cae48c4",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-7d092e0a-7acd-40d2-a975-dca21cae48c4')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_INF-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "9830b652-8523-49cc-b1b3-e17dce1127ca",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9830b652-8523-49cc-b1b3-e17dce1127ca",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-9830b652-8523-49cc-b1b3-e17dce1127ca')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_INF-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "4b90e17e-8448-49db-875e-bd83fb6f804f",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4b90e17e-8448-49db-875e-bd83fb6f804f",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-4b90e17e-8448-49db-875e-bd83fb6f804f')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_INF-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "c39ba22d-4428-4149-b981-70acb31fc383",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-c39ba22d-4428-4149-b981-70acb31fc383')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_GS-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "40cec1dd-a100-4920-b15b-3024fe8901ab",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/40cec1dd-a100-4920-b15b-3024fe8901ab",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-40cec1dd-a100-4920-b15b-3024fe8901ab')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_INF-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "53503636-bcc9-4748-9663-5348217f160f",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/53503636-bcc9-4748-9663-5348217f160f",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-53503636-bcc9-4748-9663-5348217f160f')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_INF-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "af35e2a4-ef96-44e7-a9ae-853dd97032c4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af35e2a4-ef96-44e7-a9ae-853dd97032c4",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-af35e2a4-ef96-44e7-a9ae-853dd97032c4')]"
          },
          "evaluatedSkuNames": {
            "value": "[parameters('evaluatedSkuNames-af35e2a4-ef96-44e7-a9ae-853dd97032c4')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_INF-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "0725b4dd-7e76-479c-a735-68e7ee23d5ca",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_GS-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "037eea7a-bd0a-46c5-9a66-03aea78705d3",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-037eea7a-bd0a-46c5-9a66-03aea78705d3')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_GS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "d0793b48-0edc-4296-a390-4c75d1bdfd71",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-d0793b48-0edc-4296-a390-4c75d1bdfd71')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_GS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "e8eef0a8-67cf-4eb4-9386-14b0e78733d4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-e8eef0a8-67cf-4eb4-9386-14b0e78733d4')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_INF-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "7698e800-9299-47a6-b3b6-5a0fee576eed",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7698e800-9299-47a6-b3b6-5a0fee576eed",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-7698e800-9299-47a6-b3b6-5a0fee576eed')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_INF-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "009a0c92-f5b4-4776-9b66-4ed2b4775563",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/009a0c92-f5b4-4776-9b66-4ed2b4775563",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-009a0c92-f5b4-4776-9b66-4ed2b4775563')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_INF-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "0a1302fb-a631-4106-9753-f3d494733990",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a1302fb-a631-4106-9753-f3d494733990",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0a1302fb-a631-4106-9753-f3d494733990')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_INF-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "7595c971-233d-4bcf-bd18-596129188c49",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7595c971-233d-4bcf-bd18-596129188c49",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-7595c971-233d-4bcf-bd18-596129188c49')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_INF-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "0564d078-92f5-4f97-8398-b9f58a51f70b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0564d078-92f5-4f97-8398-b9f58a51f70b",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0564d078-92f5-4f97-8398-b9f58a51f70b')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_INF-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "1b8ca024-1d5c-4dec-8995-b1a932b41780",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1b8ca024-1d5c-4dec-8995-b1a932b41780')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_GS-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "fdccbe47-f3e3-4213-ad5d-ea459b2fa077",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-fdccbe47-f3e3-4213-ad5d-ea459b2fa077')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_GS-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "d9844e8a-1437-4aeb-a32c-0c992f056095",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-d9844e8a-1437-4aeb-a32c-0c992f056095')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_GS-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "b52376f7-9612-48a1-81cd-1ffe4b61032c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-b52376f7-9612-48a1-81cd-1ffe4b61032c')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_GS-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "2a1a9cdf-e04d-429a-8416-3bfb72a1b26f",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_INF-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "6edd7eda-6dd8-40f7-810d-67160c639cd9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-6edd7eda-6dd8-40f7-810d-67160c639cd9')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_INF-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "2154edb9-244f-4741-9970-660785bccdaa",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2154edb9-244f-4741-9970-660785bccdaa",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-2154edb9-244f-4741-9970-660785bccdaa')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_INF-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "9a1b8c48-453a-4044-86c3-d8bfd823e4f5",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-9a1b8c48-453a-4044-86c3-d8bfd823e4f5')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_CR-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "399b2637-a50f-4f95-96f8-3a145476eb15",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-399b2637-a50f-4f95-96f8-3a145476eb15')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_CR-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b')]"
          }
        },
        "groupNames": [
          "NZISM_Security_Benchmark_v1.1_CR-7"
        ]
      }
    ],
    "policyDefinitionGroups": [
      {
        "name": "NZISM_Security_Benchmark_v1.1_AC-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_AC-1"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_AC-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_AC-10"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_AC-11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_AC-11"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_AC-12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_AC-12"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_AC-13",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_AC-13"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_AC-14",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_AC-14"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_AC-15",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_AC-15"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_AC-16",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_AC-16"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_AC-17",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_AC-17"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_AC-18",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_AC-18"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_AC-19",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_AC-19"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_AC-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_AC-2"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_AC-20",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_AC-20"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_AC-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_AC-3"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_AC-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_AC-4"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_AC-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_AC-5"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_AC-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_AC-6"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_AC-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_AC-7"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_AC-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_AC-8"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_AC-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_AC-9"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_AIS-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_AIS-1"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_AIS-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_AIS-2"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_CR-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_CR-1"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_CR-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_CR-10"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_CR-11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_CR-11"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_CR-12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_CR-12"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_CR-13",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_CR-13"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_CR-14",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_CR-14"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_CR-15",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_CR-15"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_CR-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_CR-2"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_CR-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_CR-3"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_CR-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_CR-4"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_CR-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_CR-5"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_CR-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_CR-6"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_CR-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_CR-7"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_CR-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_CR-8"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_CR-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_CR-9"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_CSD-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_CSD-1"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_CSD-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_CSD-2"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_CSD-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_CSD-3"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_CSD-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_CSD-4"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_CSD-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_CSD-5"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_CSD-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_CSD-6"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_CSD-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_CSD-7"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_DM-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_DM-1"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_DM-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_DM-2"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_DM-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_DM-3"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_DM-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_DM-4"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_DM-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_DM-5"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_DM-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_DM-6"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_ES-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_ES-1"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_ES-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_ES-2"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_ESS-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_ESS-1"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_ESS-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_ESS-2"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_ESS-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_ESS-3"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_ESS-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_ESS-4"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_ESS-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_ESS-5"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_GS-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_GS-1"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_GS-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_GS-2"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_GS-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_GS-3"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_GS-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_GS-4"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_GS-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_GS-5"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_GS-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_GS-6"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_GS-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_GS-7"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_GS-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_GS-8"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_GS-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_GS-9"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_INF-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_INF-1"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_INF-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_INF-2"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_INF-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_INF-3"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_INF-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_INF-4"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_INF-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_INF-5"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_INF-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_INF-6"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_INF-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_INF-7"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_INF-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_INF-8"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_INF-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_INF-9"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_ISD-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_ISD-1"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_ISD-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_ISD-2"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_ISD-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_ISD-3"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_ISD-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_ISD-4"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_ISD-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_ISD-5"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_ISD-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_ISD-6"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_ISD-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_ISD-7"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_ISD-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_ISD-8"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_ISG-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_ISG-1"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_ISG-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_ISG-2"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_ISG-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_ISG-3"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_ISG-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_ISG-4"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_ISG-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_ISG-5"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_ISGV-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_ISGV-1"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_ISGV-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_ISGV-2"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_ISGV-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_ISGV-3"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_ISI-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_ISI-1"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_ISI-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_ISI-2"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_ISI-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_ISI-3"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_ISM-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_ISM-1"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_ISM-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_ISM-2"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_ISM-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_ISM-3"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_ISM-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_ISM-4"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_ISM-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_ISM-5"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_ISM-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_ISM-6"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_ISM-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_ISM-7"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_MDD-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_MDD-1"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_MDD-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_MDD-2"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_MDD-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_MDD-3"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_MDD-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_MDD-4"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_MDD-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_MDD-5"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_MDD-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_MDD-6"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_NS-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_NS-1"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_NS-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_NS-10"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_NS-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_NS-2"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_NS-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_NS-3"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_NS-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_NS-4"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_NS-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_NS-5"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_NS-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_NS-6"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_NS-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_NS-7"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_NS-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_NS-8"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_NS-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_NS-9"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_PRS-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_PRS-1"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_PRS-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_PRS-2"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_PRS-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_PRS-3"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_PRS-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_PRS-4"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_PRS-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_PRS-5"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_PRS-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_PRS-6"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_PRS-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_PRS-7"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_PRS-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_PRS-8"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_PS-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_PS-1"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_PS-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_PS-2"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_PS-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_PS-3"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_PS-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_PS-4"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_PS-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_PS-5"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_PS-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_PS-6"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_PSS-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_PSS-1"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_PSS-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_PSS-2"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_PSS-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_PSS-3"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_PSS-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_PSS-4"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_PSS-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_PSS-5"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_SCA-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_SCA-1"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_SCA-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_SCA-2"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_SCA-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_SCA-3"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_SCA-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_SCA-4"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_SCA-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_SCA-5"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_SS-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_SS-1"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_SS-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_SS-2"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_SS-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_SS-3"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_SS-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_SS-4"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_SS-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_SS-5"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_SS-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_SS-6"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_SS-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_SS-7"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_SS-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_SS-8"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_SS-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_SS-9"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_WO-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_WO-1"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_WO-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_WO-2"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_WO-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_WO-3"
      },
      {
        "name": "NZISM_Security_Benchmark_v1.1_WO-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NZISM_Security_Benchmark_v1.1_WO-4"
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "d1a462af-7e6d-4901-98ac-61570b4ed22a"
}
BuiltIn Regulatory Compliance False False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "NIST SP 800-53 Rev. 4",
    "policyType": "BuiltIn",
    "description": "This initiative includes policies that address a subset of NIST SP 800-53 Rev. 4 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/nist800-53r4-initiative.",
    "metadata": {
      "version": "5.1.0",
      "category": "Regulatory Compliance"
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc-connected servers when evaluating guest configuration policies",
          "description": "By selecting 'true,' you agree to be charged monthly per Arc connected machine; for more information, visit https://aka.ms/policy-pricing"
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40": {
        "type": "String",
        "metadata": {
          "displayName": "Status if Windows Defender is not available on machine",
          "description": "Windows Defender Exploit Guard is only available starting with Windows 10/Windows Server with update 1709. Setting this value to 'Non-Compliant' shows machines with older versions on which Windows Defender Exploit Guard is not available (such as Windows Server 2012 R2) as non-compliant. Setting this value to 'Compliant' shows these machines as compliant."
        },
        "allowedValues": [
          "Compliant",
          "Non-Compliant"
        ],
        "defaultValue": "Compliant"
      },
      "MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112": {
        "type": "String",
        "metadata": {
          "displayName": "Minimum TLS version for Windows web servers",
          "description": "Windows web servers with lower TLS versions will be assessed as non-compliant"
        },
        "allowedValues": [
          "1.1",
          "1.2"
        ],
        "defaultValue": "1.2"
      },
      "requiredRetentionDays": {
        "type": "String",
        "metadata": {
          "displayName": "Required retention period (days) for resource logs"
        },
        "defaultValue": "365"
      },
      "effect-febd0533-8e55-448f-b837-bd0e06f16469": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster containers should only use allowed images",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedNamespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Kubernetes namespaces excluded from evaluation of Kubernetes cluster policies in this initiative",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation"
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "namespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Kubernetes namespaces included for evaluation of Kubernetes cluster policies in this initiative",
          "description": "List of Kubernetes namespaces to (only) include for policy evaluation; an empty list will result in policies evaluated on all resources in all namespaces"
        },
        "defaultValue": []
      },
      "labelSelector": {
        "type": "Object",
        "metadata": {
          "displayName": "Kubernetes label selector for resources included for evaluation of Kubernetes cluster policies in this initiative",
          "description": "Label query to select Kubernetes resources to include for policy evaluation; an empty label selector will result in policies evaluated on all Kubernetes resources"
        },
        "defaultValue": {}
      },
      "allowedContainerImagesRegex-febd0533-8e55-448f-b837-bd0e06f16469": {
        "type": "String",
        "metadata": {
          "displayName": "Allowed container images for Kubernetes clusters",
          "description": "Regular expression used to match allowed container images in a Kubernetes cluster; Ex: allow any Azure Container Registry image by matching partial path: ^.+azurecr.io/.+$"
        },
        "defaultValue": "^(.+){0}$"
      },
      "effect-95edb821-ddaf-4404-9732-666045e056b4": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster should not allow privileged containers",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedContainers-95edb821-ddaf-4404-9732-666045e056b4": {
        "type": "Array",
        "metadata": {
          "displayName": "Kubernetes containers excluded from evaluation of policy: Kubernetes cluster should not allow privileged containers",
          "description": "The list of InitContainers and Containers to exclude from policy evaluation. The list should use the container name. Use an empty list to apply this policy to all containers in all namespaces."
        },
        "defaultValue": []
      },
      "effect-440b515e-a580-421e-abeb-b159a61ddcbc": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster containers should only listen on allowed ports",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "allowedContainerPortsList-440b515e-a580-421e-abeb-b159a61ddcbc": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed listener ports for Kubernetes cluster containers",
          "description": "List of container ports on which Kubernetes cluster containers are allowed to listen"
        },
        "defaultValue": []
      },
      "effect-233a2a17-77ca-4fb1-9b6b-69223d272a44": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster services should listen only on allowed ports",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "allowedServicePortsList-233a2a17-77ca-4fb1-9b6b-69223d272a44": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed listener ports for Kubernetes cluster services",
          "description": "The list of ports on which Kubernetes cluster services are allowed to listen"
        },
        "defaultValue": []
      },
      "effect-e345eecc-fa47-480f-9e88-67dcc122b164": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "cpuLimit-e345eecc-fa47-480f-9e88-67dcc122b164": {
        "type": "String",
        "metadata": {
          "displayName": "Maximum allowed CPU units for containers in Kubernetes clusters",
          "description": "Ex: 200m; for more information, visit https://aka.ms/k8s-policy-pod-limits"
        },
        "defaultValue": "0"
      },
      "memoryLimit-e345eecc-fa47-480f-9e88-67dcc122b164": {
        "type": "String",
        "metadata": {
          "displayName": "Maximum allowed memory (bytes) for a container in Kubernetes clusters",
          "description": "Ex: 1Gi; for more information, visit https://aka.ms/k8s-policy-pod-limits"
        },
        "defaultValue": "0"
      },
      "effect-f06ddb64-5fa3-4b77-b166-acb36f7f6042": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster pods and containers should only run with approved user and group IDs",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "runAsUserRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042": {
        "type": "String",
        "metadata": {
          "displayName": "Run as user rule for Kubernetes containers",
          "description": "The 'RunAsUser' rule that containers are allowed to run with; for more information, visit https://aka.ms/kubepolicydoc"
        },
        "allowedValues": [
          "MustRunAs",
          "MustRunAsNonRoot",
          "RunAsAny"
        ],
        "defaultValue": "MustRunAsNonRoot"
      },
      "runAsUserRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042": {
        "type": "Object",
        "metadata": {
          "displayName": "Allowed user ID ranges for Kubernetes containers",
          "description": "User ID ranges that are allowed for containers to use; for more information, visit https://aka.ms/kubepolicydoc"
        },
        "defaultValue": {
          "ranges": []
        }
      },
      "runAsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042": {
        "type": "String",
        "metadata": {
          "displayName": "Run as group rule for Kubernetes containers",
          "description": "The 'RunAsGroup' rule that containers are allowed to run with; for more information, visit https://aka.ms/kubepolicydoc"
        },
        "allowedValues": [
          "MustRunAs",
          "MayRunAs",
          "RunAsAny"
        ],
        "defaultValue": "RunAsAny"
      },
      "runAsGroupRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042": {
        "type": "Object",
        "metadata": {
          "displayName": "Allowed group ID ranges for Kubernetes containers",
          "description": "Group ID ranges that are allowed for containers to use; for more information, visit https://aka.ms/kubepolicydoc"
        },
        "defaultValue": {
          "ranges": []
        }
      },
      "supplementalGroupsRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042": {
        "type": "String",
        "metadata": {
          "displayName": "Supplemental group rule for Kubernetes containers",
          "description": "The 'SupplementalGroups' rule that containers are allowed to run with; for more information, visit https://aka.ms/kubepolicydoc"
        },
        "allowedValues": [
          "MustRunAs",
          "MayRunAs",
          "RunAsAny"
        ],
        "defaultValue": "RunAsAny"
      },
      "supplementalGroupsRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042": {
        "type": "Object",
        "metadata": {
          "displayName": "Allowed supplemental group ID ranges for Kubernetes containers",
          "description": "Supplemental group ID ranges that are allowed for containers to use; for more information, visit https://aka.ms/kubepolicydoc"
        },
        "defaultValue": {
          "ranges": []
        }
      },
      "fsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042": {
        "type": "String",
        "metadata": {
          "displayName": "File system group rule for Kubernetes containers",
          "description": "The 'FSGroup' rule that containers are allowed to run with; for more information, visit https://aka.ms/kubepolicydoc"
        },
        "allowedValues": [
          "MustRunAs",
          "MayRunAs",
          "RunAsAny"
        ],
        "defaultValue": "RunAsAny"
      },
      "fsGroupRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042": {
        "type": "Object",
        "metadata": {
          "displayName": "Allowed file system group ID ranges for Kubernetes cluster pods",
          "description": "File system group ranges that are allowed for pods to use; for more information, visit https://aka.ms/kubepolicydoc"
        },
        "defaultValue": {
          "ranges": []
        }
      },
      "effect-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes clusters should not allow container privilege escalation",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster containers should not share host process ID or host IPC namespace",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-df49d893-a74c-421d-bc95-c663042e5b80": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster containers should run with a read only root file system",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes clusters should be accessible only over HTTPS",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-c26596ff-4d70-4e6a-9a30-c2506bd2f80c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster containers should only use allowed capabilities",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "allowedCapabilities-c26596ff-4d70-4e6a-9a30-c2506bd2f80c": {
        "type": "Array",
        "metadata": {
          "displayName": "List of capabilities that are allowed to be added to a Kubernetes cluster container",
          "description": "Use an empty list as input to block everything"
        },
        "defaultValue": []
      },
      "requiredDropCapabilities-c26596ff-4d70-4e6a-9a30-c2506bd2f80c": {
        "type": "Array",
        "metadata": {
          "displayName": "The list of capabilities that must be dropped by a Kubernetes cluster container",
          "description": "For more information, visit https://aka.ms/kubepolicydoc"
        },
        "defaultValue": []
      },
      "effect-511f5417-5d12-434d-ab2e-816901e72a5e": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster containers should only use allowed AppArmor profiles",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "allowedProfiles-511f5417-5d12-434d-ab2e-816901e72a5e": {
        "type": "Array",
        "metadata": {
          "displayName": "The list of AppArmor profiles that containers are allowed to use",
          "description": "Ex: 'runtime/default;docker/default'; use an empty list as input to block everything; for more information, visit https://aka.ms/kubepolicydoc"
        },
        "defaultValue": []
      },
      "effect-82985f06-dc18-4a48-bc1c-b9f4f0098cfe": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster pods should only use approved host network and port range",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "allowHostNetwork-82985f06-dc18-4a48-bc1c-b9f4f0098cfe": {
        "type": "Boolean",
        "metadata": {
          "displayName": "Allow host network usage for Kubernetes cluster pods",
          "description": "Set this value to true if pod is allowed to use host network, otherwise set to false; for more information, visit https://aka.ms/kubepolicydoc"
        },
        "defaultValue": false
      },
      "minPort-82985f06-dc18-4a48-bc1c-b9f4f0098cfe": {
        "type": "Integer",
        "metadata": {
          "displayName": "Minimum value in the allowable host port range that Kubernetes cluster pods can use in the host network namespace",
          "description": "For more information, visit https://aka.ms/kubepolicydoc"
        },
        "defaultValue": 0
      },
      "maxPort-82985f06-dc18-4a48-bc1c-b9f4f0098cfe": {
        "type": "Integer",
        "metadata": {
          "displayName": "Maximum value in the allowable host port range that Kubernetes cluster pods can use in the host network namespace",
          "description": "For more information, visit https://aka.ms/kubepolicydoc"
        },
        "defaultValue": 0
      },
      "effect-098fc59e-46c7-4d99-9b16-64990e543d75": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Kubernetes cluster pod hostPath volumes should only use allowed host paths",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "allowedHostPaths-098fc59e-46c7-4d99-9b16-64990e543d75": {
        "type": "Object",
        "metadata": {
          "displayName": "Allowed host paths for pod hostPath volumes to use",
          "description": "Use an empty paths list to block all host paths; for more information, visit https://aka.ms/kubepolicydoc"
        },
        "defaultValue": {
          "paths": []
        }
      },
      "resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6": {
        "type": "String",
        "metadata": {
          "displayName": "Name of the resource group for Network Watcher",
          "description": "Name of the resource group where Network Watchers are located, Ex: NetworkWatcherRG"
        },
        "defaultValue": "NetworkWatcherRG"
      },
      "includeAKSClusters-7c1b1214-f927-48bf-8882-84f0af6588b1": {
        "type": "Boolean",
        "metadata": {
          "displayName": "Include AKS clusters when auditing if virtual machine scale set diagnostic logs are enabled",
          "description": "For more information, visit https://aka.ms/kubepolicydoc"
        },
        "defaultValue": false
      },
      "setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9": {
        "type": "String",
        "metadata": {
          "displayName": "Required auditing setting for SQL servers"
        },
        "allowedValues": [
          "enabled",
          "disabled"
        ],
        "defaultValue": "enabled"
      },
      "evaluatedSkuNames-ef619a2c-cc4d-4d03-b2ba-8c94a834d85b": {
        "type": "Array",
        "metadata": {
          "displayName": "API Management SKUs that should use a virtual network",
          "description": "List of API Management SKUs against which this policy will be evaluated"
        },
        "allowedValues": [
          "Developer",
          "Basic",
          "Standard",
          "Premium",
          "Consumption"
        ],
        "defaultValue": [
          "Developer",
          "Premium"
        ]
      },
      "effect-b54ed75b-3e1a-44ac-a333-05ba39b99ff0": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Service Fabric clusters should only use Azure Active Directory for client authentication",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-71ef260a-8f18-47b7-abcb-62d0673d94dc": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Cognitive Services accounts should have local authentication methods disabled",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Web Application Firewall (WAF) should be enabled for Azure Front Door Service service",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Web Application Firewall (WAF) should be enabled for Application Gateway",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Cosmos DB accounts should have firewall rules",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-d9da03a1-f3c3-412a-9709-947156872263": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure HDInsight clusters should use encryption in transit to encrypt communication between Azure HDInsight cluster nodes",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-617c02be-7f02-4efd-8836-3180d47b6c68": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Key vaults should have purge protection enabled",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Key vaults should have soft delete enabled",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "maximumValidityInMonths-0a075868-4c26-42ef-914c-5bc007359560": {
        "type": "Integer",
        "metadata": {
          "displayName": "Maximum validity (months) for Key Vault certificates",
          "description": "The limit for how long a Key Vault certificate may be valid; Azure best practices recommend against certificates with lengthy validity periods"
        },
        "defaultValue": 12
      },
      "effect-0a075868-4c26-42ef-914c-5bc007359560": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Certificates should have the specified maximum validity period",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-98728c90-32c7-4049-8429-847dc0f4fe37": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Key Vault secrets should have an expiration date",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Key Vault keys should have an expiration date",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Double encryption should be enabled on Azure Data Explorer",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-c349d81b-9985-44ae-a8da-ff98d108ede8": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Data Box jobs should enable double encryption for data at rest on the device",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "supportedSKUs-c349d81b-9985-44ae-a8da-ff98d108ede8": {
        "type": "Array",
        "metadata": {
          "displayName": "Azure Data Box SKUs that support software-based double encryption",
          "description": "The list of Azure Data Box SKUs that support software-based double encryption"
        },
        "allowedValues": [
          "DataBox",
          "DataBoxHeavy"
        ],
        "defaultValue": [
          "DataBox",
          "DataBoxHeavy"
        ]
      },
      "effect-3657f5a0-770e-44a3-b44e-9431ba1e9735": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Automation account variables should be encrypted",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-b4ac1030-89c5-4697-8e00-28b5ba6a8811": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Stack Edge devices should use double-encryption",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-ea0dfaed-95fb-448c-934e-d6e713ce393d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption)",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-3a58212a-c829-4f13-9872-6371df2fd0b4": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Infrastructure encryption should be enabled for Azure Database for MySQL servers",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-24fba194-95d6-48c0-aea7-f65bf859c598": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage accounts should have infrastructure encryption",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-f4b53539-8df9-40e4-86c6-6b607703bd4e": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Disk encryption should be enabled on Azure Data Explorer",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-41425d9f-d1a5-499a-9932-f8ed8453932c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-fc4d8e41-e223-45ea-9bf5-eada37891d87": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Virtual machines and virtual machine scale sets should have encryption at host enabled",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-86efb160-8de7-451d-bc08-5d475b0aadae": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "supportedSKUs-86efb160-8de7-451d-bc08-5d475b0aadae": {
        "type": "Array",
        "metadata": {
          "displayName": "Azure Data Box SKUs that support customer-managed key encryption key",
          "description": "The list of Azure Data Box SKUs that support customer-managed key encryption key"
        },
        "allowedValues": [
          "DataBox",
          "DataBoxHeavy"
        ],
        "defaultValue": [
          "DataBox",
          "DataBoxHeavy"
        ]
      },
      "effect-4ec52d6d-beb7-40c4-9a9e-fe753254690e": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure data factories should be encrypted with a customer-managed key",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-64d314f6-6062-4780-a861-c23e8951bee5": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure HDInsight clusters should use customer-managed keys to encrypt data at rest",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure HDInsight clusters should use encryption at host to encrypt data at rest",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-fa298e57-9444-42ba-bf04-86e8470e32c7": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Cognitive Services accounts should enable data encryption with a customer-managed key",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-1f905d99-2ab7-462c-a6b0-f709acca6c8f": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Container registries should be encrypted with a customer-managed key",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-ba769a63-b8cc-4b2d-abf6-ac33c7204be8": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Machine Learning workspaces should be encrypted with a customer-managed key",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-81e74cea-30fd-40d5-802f-d72103c2aaaa": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Data Explorer encryption at rest should use a customer-managed key",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-0aa61e00-0a01-4a3c-9945-e93cffedf0e6": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Container Instance container group should use customer-managed key for encryption",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled",
          "Deny"
        ],
        "defaultValue": "Audit"
      },
      "effect-47031206-ce96-41f8-861b-6a915f3de284": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: IoT Hub device provisioning service data should be encrypted using customer-managed keys (CMK)",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Stream Analytics jobs should use customer-managed keys to encrypt data",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-51522a96-0869-4791-82f3-981000c2c67f": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Bot Service should be encrypted with a customer-managed key",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-b5ec538c-daa0-4006-8596-35468b9148e8": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage account encryption scopes should use customer-managed keys to encrypt data at rest",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-970f84d8-71b6-4091-9979-ace7e3fb6dbb": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: HPC Cache accounts should use customer-managed key for encryption",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled",
          "Deny"
        ],
        "defaultValue": "Audit"
      },
      "effect-56a5ee18-2ae6-4810-86f7-18e39ce5629b": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Automation accounts should use customer-managed keys to encrypt data at rest",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-2e94d99a-8a36-4563-bc77-810d8893b671": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Recovery Services vaults should use customer-managed keys for encrypting backup data",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "enableDoubleEncryption-2e94d99a-8a36-4563-bc77-810d8893b671": {
        "type": "Boolean",
        "metadata": {
          "displayName": "Require that double encryption is enabled on Recovery Services vaults for Backup",
          "description": "Check if double encryption is enabled on Recovery Services vaults for Backup; for more information, visit https://aka.ms/ab-infraencryption"
        },
        "allowedValues": [
          true,
          false
        ],
        "defaultValue": true
      },
      "effect-1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Logic Apps Integration Service Environment should be encrypted with customer-managed keys",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-99e9ccd8-3db9-4592-b0d1-14b1715a4d8a": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Batch account should use customer-managed keys to encrypt data",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-1f68a601-6e6d-4e42-babf-3f643a047ea2": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Monitor Logs clusters should be encrypted with customer-managed key",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-f7d52b2d-e161-4dfa-a82b-55e564167385": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Synapse workspaces should use customer-managed keys to encrypt data at rest",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-ca91455f-eace-4f96-be59-e6e2c35b4816": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Managed disks should be double encrypted with both platform-managed and customer-managed keys",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-702dd420-7fcc-42c5-afe8-4026edd20fe0": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: OS and data disks should be encrypted with a customer-managed key",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-22bee202-a82f-4305-9a2a-6d7f44d4dedb": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Only secure connections to your Azure Cache for Redis should be enabled",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-404c3081-a854-4457-ae30-26a93ef643f9": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Secure transfer to storage accounts should be enabled",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-d0793b48-0edc-4296-a390-4c75d1bdfd71": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Container registries should not allow unrestricted network access",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-7d092e0a-7acd-40d2-a975-dca21cae48c4": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Cache for Redis should reside within a virtual network",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage accounts should restrict network access using virtual network rules",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-34c877ad-507e-4c82-993e-3452a6e0ad3c": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage accounts should restrict network access",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-55615ac9-af46-4a59-874e-391cc3dfb490": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Key Vault should disable public network access",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-1b8ca024-1d5c-4dec-8995-b1a932b41780": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Public network access on Azure SQL Database should be disabled",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-037eea7a-bd0a-46c5-9a66-03aea78705d3": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Cognitive Services accounts should restrict network access",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-53503636-bcc9-4748-9663-5348217f160f": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure SignalR Service should use private link",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-40cec1dd-a100-4920-b15b-3024fe8901ab": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Machine Learning workspaces should use private link",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-2154edb9-244f-4741-9970-660785bccdaa": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: VM Image Builder templates should use private link",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled",
          "Deny"
        ],
        "defaultValue": "Audit"
      },
      "effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Cognitive Services accounts should disable public network access",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-5f0bc445-3935-4915-9981-011aa2b46147": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Private endpoint should be configured for Key Vault",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-af35e2a4-ef96-44e7-a9ae-853dd97032c4": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Spring Cloud should use network injection",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Disabled",
          "Deny"
        ],
        "defaultValue": "Audit"
      },
      "evaluatedSkuNames-af35e2a4-ef96-44e7-a9ae-853dd97032c4": {
        "type": "Array",
        "metadata": {
          "displayName": "Azure Spring Cloud SKUs that should use network injection",
          "description": "List of Azure Spring Cloud SKUs against which this policy will be evaluated"
        },
        "allowedValues": [
          "Standard"
        ],
        "defaultValue": [
          "Standard"
        ]
      },
      "effect-a049bf77-880b-470f-ba6d-9f21c530cf83": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Cognitive Search service should use a SKU that supports private link",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-52630df9-ca7e-442b-853b-c6ce548b31a2": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Web PubSub Service should use private link",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-4fa4b6c0-31ca-4c0d-b10d-24b96f62a751": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage account public access should be disallowed",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "effect-ee980b6d-0eca-4501-8d54-f6290fd512c3": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Azure Cognitive Search services should disable public network access",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-1d84d5fb-01f6-4d12-ba4f-4a26081d403d": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Virtual machines should be migrated to new Azure Resource Manager resources",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "effect-37e0d2fe-28a5-43d6-a273-67d37d1f5606": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for policy: Storage accounts should be migrated to new Azure Resource Manager resources",
          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "logAnalyticsWorkspaceIdforVMReporting": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Log Analytics workspace ID for VM agent reporting",
          "deprecated": true
        },
        "defaultValue": ""
      },
      "listOfResourceTypesWithDiagnosticLogsEnabled": {
        "type": "Array",
        "metadata": {
          "displayName": "[Deprecated]: List of resource types that should have resource logs enabled",
          "deprecated": true
        },
        "allowedValues": [
          "Microsoft.AnalysisServices/servers",
          "Microsoft.ApiManagement/service",
          "Microsoft.Network/applicationGateways",
          "Microsoft.Automation/automationAccounts",
          "Microsoft.ContainerInstance/containerGroups",
          "Microsoft.ContainerRegistry/registries",
          "Microsoft.ContainerService/managedClusters",
          "Microsoft.Batch/batchAccounts",
          "Microsoft.Cdn/profiles/endpoints",
          "Microsoft.CognitiveServices/accounts",
          "Microsoft.DocumentDB/databaseAccounts",
          "Microsoft.DataFactory/factories",
          "Microsoft.DataLakeAnalytics/accounts",
          "Microsoft.DataLakeStore/accounts",
          "Microsoft.EventGrid/eventSubscriptions",
          "Microsoft.EventGrid/topics",
          "Microsoft.EventHub/namespaces",
          "Microsoft.Network/expressRouteCircuits",
          "Microsoft.Network/azureFirewalls",
          "Microsoft.HDInsight/clusters",
          "Microsoft.Devices/IotHubs",
          "Microsoft.KeyVault/vaults",
          "Microsoft.Network/loadBalancers",
          "Microsoft.Logic/integrationAccounts",
          "Microsoft.Logic/workflows",
          "Microsoft.DBforMySQL/servers",
          "Microsoft.Network/networkInterfaces",
          "Microsoft.Network/networkSecurityGroups",
          "Microsoft.DBforPostgreSQL/servers",
          "Microsoft.PowerBIDedicated/capacities",
          "Microsoft.Network/publicIPAddresses",
          "Microsoft.RecoveryServices/vaults",
          "Microsoft.Cache/redis",
          "Microsoft.Relay/namespaces",
          "Microsoft.Search/searchServices",
          "Microsoft.ServiceBus/namespaces",
          "Microsoft.SignalRService/SignalR",
          "Microsoft.Sql/servers/databases",
          "Microsoft.Sql/servers/elasticPools",
          "Microsoft.StreamAnalytics/streamingjobs",
          "Microsoft.TimeSeriesInsights/environments",
          "Microsoft.Network/trafficManagerProfiles",
          "Microsoft.Compute/virtualMachines",
          "Microsoft.Compute/virtualMachineScaleSets",
          "Microsoft.Network/virtualNetworks",
          "Microsoft.Network/virtualNetworkGateways"
        ],
        "defaultValue": []
      },
      "listOfMembersToExcludeFromWindowsVMAdministratorsGroup": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: List of users excluded from Windows VM Administrators group",
          "deprecated": true
        },
        "defaultValue": ""
      },
      "listOfMembersToIncludeInWindowsVMAdministratorsGroup": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: List of users that must be included in Windows VM Administrators group",
          "deprecated": true
        },
        "defaultValue": ""
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "72650e9f-97bc-4b2a-ab5f-9781a9fcecbc",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "fc9b3da7-8347-4380-8e70-0a0361d8dedd",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "bed48b13-6647-468e-aa2f-1af1d3f4dd40",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "NotAvailableMachineState": {
            "value": "[parameters('NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-3",
          "NIST_SP_800-53_R4_SI-3",
          "NIST_SP_800-53_R4_SI-3(1)",
          "NIST_SP_800-53_R4_SI-16"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditThatLinuxVMsHaveThePasswdFilePermissionsSeTTo0644",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e6955644-301c-44b5-a4c4-528577de6861",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5",
          "NIST_SP_800-53_R4_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditThatWindowsVMsCannotreUseThePrevious24Passwords",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b054a0d-39e2-4d53-bea3-9734cad2c69b",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditThatWindowsVMsStorePasswordsUsingReversibleEncryption",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/da0f98fe-a24b-4ad5-af69-bd0400233661",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5",
          "NIST_SP_800-53_R4_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditThatWindowsVMsHaveAMaximumPasswordAgeOf70days",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ceb8dc2-559c-478b-a15b-733fbf1e3738",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditThatWindowsWebServersAreUsingScureCommunicationProtocols",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          },
          "MinimumTLSVersion": {
            "value": "[parameters('MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "630c64f9-8b6b-4c64-b511-6544ceff6fd6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-3",
          "NIST_SP_800-53_R4_IA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditThatWindowsVMsHaveAMinimumPasswordAgeOf1Day",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/237b38db-ca4d-4259-9e47-7882441ca2c0",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditThatLinuxVMsDoNotAllowRemoteConnectionsFromAccountsWithoutPasswords",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ea53dbee-c6c9-4f0e-9f9e-de0039b78023",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditThatWindowsVMsHaveThePasswordComplexitySettingEnabled",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bf16e0bb-31e1-4646-8202-60a235cc7e74",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditThatWindowsVMsRestrictTheMinimumPasswordLengthTo14Characters",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a2d0e922-65d0-40c4-8f87-ea6da2d307a2",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditThatLinuxVMsDoNotHaveAccountsWithoutPasswords",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f6ec09a3-78bf-4f8f-99dc-6c77182d0f99",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "383856f8-de7f-44a2-81fc-e5135b5c2aa4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "f9be5368-9bf5-4b84-9e0a-7850da98bb46",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "f8d36e2f-389b-4ee4-898d-21aeb69a0f45",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "b4330a05-a843-4bc8-bf9a-cacce50c67f4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "34f95f76-5386-4de7-b824-0d8478470c9d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "cf820ca0-f99e-4f3e-84fb-66e913812d21",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "83a214f7-d01a-484b-91a9-ed54470c9a6a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "057ef27e-665e-4328-8ea3-04b3122bd9fb",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "c95c74d9-38fe-4f0d-af86-0c7d626a315c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "428256e6-1fac-4f48-a757-df34c2b3336d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d",
        "parameters": {
          "requiredRetentionDays": {
            "value": "[parameters('requiredRetentionDays')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "febd0533-8e55-448f-b837-bd0e06f16469",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/febd0533-8e55-448f-b837-bd0e06f16469",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-febd0533-8e55-448f-b837-bd0e06f16469')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          },
          "allowedContainerImagesRegex": {
            "value": "[parameters('allowedContainerImagesRegex-febd0533-8e55-448f-b837-bd0e06f16469')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "95edb821-ddaf-4404-9732-666045e056b4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-95edb821-ddaf-4404-9732-666045e056b4')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          },
          "excludedContainers": {
            "value": "[parameters('excludedContainers-95edb821-ddaf-4404-9732-666045e056b4')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "440b515e-a580-421e-abeb-b159a61ddcbc",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/440b515e-a580-421e-abeb-b159a61ddcbc",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-440b515e-a580-421e-abeb-b159a61ddcbc')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          },
          "allowedContainerPortsList": {
            "value": "[parameters('allowedContainerPortsList-440b515e-a580-421e-abeb-b159a61ddcbc')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "233a2a17-77ca-4fb1-9b6b-69223d272a44",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/233a2a17-77ca-4fb1-9b6b-69223d272a44",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-233a2a17-77ca-4fb1-9b6b-69223d272a44')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          },
          "allowedServicePortsList": {
            "value": "[parameters('allowedServicePortsList-233a2a17-77ca-4fb1-9b6b-69223d272a44')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "e345eecc-fa47-480f-9e88-67dcc122b164",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e345eecc-fa47-480f-9e88-67dcc122b164",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-e345eecc-fa47-480f-9e88-67dcc122b164')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          },
          "cpuLimit": {
            "value": "[parameters('cpuLimit-e345eecc-fa47-480f-9e88-67dcc122b164')]"
          },
          "memoryLimit": {
            "value": "[parameters('memoryLimit-e345eecc-fa47-480f-9e88-67dcc122b164')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "f06ddb64-5fa3-4b77-b166-acb36f7f6042",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f06ddb64-5fa3-4b77-b166-acb36f7f6042",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          },
          "runAsUserRule": {
            "value": "[parameters('runAsUserRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]"
          },
          "runAsUserRanges": {
            "value": "[parameters('runAsUserRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]"
          },
          "runAsGroupRule": {
            "value": "[parameters('runAsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]"
          },
          "runAsGroupRanges": {
            "value": "[parameters('runAsGroupRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]"
          },
          "supplementalGroupsRule": {
            "value": "[parameters('supplementalGroupsRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]"
          },
          "supplementalGroupsRanges": {
            "value": "[parameters('supplementalGroupsRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]"
          },
          "fsGroupRule": {
            "value": "[parameters('fsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]"
          },
          "fsGroupRanges": {
            "value": "[parameters('fsGroupRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "1c6e92c9-99f0-4e55-9cf2-0c234dc48f99",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "df49d893-a74c-421d-bc95-c663042e5b80",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/df49d893-a74c-421d-bc95-c663042e5b80",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-df49d893-a74c-421d-bc95-c663042e5b80')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "c26596ff-4d70-4e6a-9a30-c2506bd2f80c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-c26596ff-4d70-4e6a-9a30-c2506bd2f80c')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          },
          "allowedCapabilities": {
            "value": "[parameters('allowedCapabilities-c26596ff-4d70-4e6a-9a30-c2506bd2f80c')]"
          },
          "requiredDropCapabilities": {
            "value": "[parameters('requiredDropCapabilities-c26596ff-4d70-4e6a-9a30-c2506bd2f80c')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "511f5417-5d12-434d-ab2e-816901e72a5e",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/511f5417-5d12-434d-ab2e-816901e72a5e",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-511f5417-5d12-434d-ab2e-816901e72a5e')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          },
          "allowedProfiles": {
            "value": "[parameters('allowedProfiles-511f5417-5d12-434d-ab2e-816901e72a5e')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "82985f06-dc18-4a48-bc1c-b9f4f0098cfe",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82985f06-dc18-4a48-bc1c-b9f4f0098cfe",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-82985f06-dc18-4a48-bc1c-b9f4f0098cfe')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          },
          "allowHostNetwork": {
            "value": "[parameters('allowHostNetwork-82985f06-dc18-4a48-bc1c-b9f4f0098cfe')]"
          },
          "minPort": {
            "value": "[parameters('minPort-82985f06-dc18-4a48-bc1c-b9f4f0098cfe')]"
          },
          "maxPort": {
            "value": "[parameters('maxPort-82985f06-dc18-4a48-bc1c-b9f4f0098cfe')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "098fc59e-46c7-4d99-9b16-64990e543d75",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/098fc59e-46c7-4d99-9b16-64990e543d75",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-098fc59e-46c7-4d99-9b16-64990e543d75')]"
          },
          "excludedNamespaces": {
            "value": "[parameters('excludedNamespaces')]"
          },
          "namespaces": {
            "value": "[parameters('namespaces')]"
          },
          "labelSelector": {
            "value": "[parameters('labelSelector')]"
          },
          "allowedHostPaths": {
            "value": "[parameters('allowedHostPaths-098fc59e-46c7-4d99-9b16-64990e543d75')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "b6e2945c-0b7b-40f5-9233-7a5323b5cdc6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6",
        "parameters": {
          "resourceGroupName": {
            "value": "[parameters('resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "7c1b1214-f927-48bf-8882-84f0af6588b1",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1",
        "parameters": {
          "includeAKSClusters": {
            "value": "[parameters('includeAKSClusters-7c1b1214-f927-48bf-8882-84f0af6588b1')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditSQLServerLevelAuditingSettings",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9",
        "parameters": {
          "setting": {
            "value": "[parameters('setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ef619a2c-cc4d-4d03-b2ba-8c94a834d85b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b",
        "parameters": {
          "evaluatedSkuNames": {
            "value": "[parameters('evaluatedSkuNames-ef619a2c-cc4d-4d03-b2ba-8c94a834d85b')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditUsageOfAzureActiveDirectoryForClientAuthenticationInServiceFabric",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-b54ed75b-3e1a-44ac-a333-05ba39b99ff0')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2",
          "NIST_SP_800-53_R4_AC-2(1)",
          "NIST_SP_800-53_R4_AC-2(7)",
          "NIST_SP_800-53_R4_AC-3",
          "NIST_SP_800-53_R4_IA-2",
          "NIST_SP_800-53_R4_IA-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "71ef260a-8f18-47b7-abcb-62d0673d94dc",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-71ef260a-8f18-47b7-abcb-62d0673d94dc')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2",
          "NIST_SP_800-53_R4_AC-2(1)",
          "NIST_SP_800-53_R4_AC-2(7)",
          "NIST_SP_800-53_R4_AC-3",
          "NIST_SP_800-53_R4_IA-2",
          "NIST_SP_800-53_R4_IA-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "055aa869-bc98-4af8-bafc-23f1ab6ffe2c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-5",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "564feb30-bf6a-4854-b4bb-0d2d2d1e6c66",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-5",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "d9da03a1-f3c3-412a-9709-947156872263",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d9da03a1-f3c3-412a-9709-947156872263",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-d9da03a1-f3c3-412a-9709-947156872263')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "617c02be-7f02-4efd-8836-3180d47b6c68",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-617c02be-7f02-4efd-8836-3180d47b6c68')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "0b60c0b2-2dc2-4e1c-b5c9-abbed971de53",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CP-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_CP-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "0a075868-4c26-42ef-914c-5bc007359560",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560",
        "parameters": {
          "maximumValidityInMonths": {
            "value": "[parameters('maximumValidityInMonths-0a075868-4c26-42ef-914c-5bc007359560')]"
          },
          "effect": {
            "value": "[parameters('effect-0a075868-4c26-42ef-914c-5bc007359560')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "98728c90-32c7-4049-8429-847dc0f4fe37",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-98728c90-32c7-4049-8429-847dc0f4fe37')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ec068d99-e9c7-401f-8cef-5bdde4e6ccf1",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ec068d99-e9c7-401f-8cef-5bdde4e6ccf1",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "c349d81b-9985-44ae-a8da-ff98d108ede8",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c349d81b-9985-44ae-a8da-ff98d108ede8",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-c349d81b-9985-44ae-a8da-ff98d108ede8')]"
          },
          "supportedSKUs": {
            "value": "[parameters('supportedSKUs-c349d81b-9985-44ae-a8da-ff98d108ede8')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "3657f5a0-770e-44a3-b44e-9431ba1e9735",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-3657f5a0-770e-44a3-b44e-9431ba1e9735')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "b4ac1030-89c5-4697-8e00-28b5ba6a8811",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4ac1030-89c5-4697-8e00-28b5ba6a8811",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-b4ac1030-89c5-4697-8e00-28b5ba6a8811')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ea0dfaed-95fb-448c-934e-d6e713ce393d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ea0dfaed-95fb-448c-934e-d6e713ce393d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-ea0dfaed-95fb-448c-934e-d6e713ce393d')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "3a58212a-c829-4f13-9872-6371df2fd0b4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-3a58212a-c829-4f13-9872-6371df2fd0b4')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "24fba194-95d6-48c0-aea7-f65bf859c598",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/24fba194-95d6-48c0-aea7-f65bf859c598",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-24fba194-95d6-48c0-aea7-f65bf859c598')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "4733ea7b-a883-42fe-8cac-97454c2a9e4a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "f4b53539-8df9-40e4-86c6-6b607703bd4e",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f4b53539-8df9-40e4-86c6-6b607703bd4e",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-f4b53539-8df9-40e4-86c6-6b607703bd4e')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "41425d9f-d1a5-499a-9932-f8ed8453932c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/41425d9f-d1a5-499a-9932-f8ed8453932c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-41425d9f-d1a5-499a-9932-f8ed8453932c')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "fc4d8e41-e223-45ea-9bf5-eada37891d87",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc4d8e41-e223-45ea-9bf5-eada37891d87",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-fc4d8e41-e223-45ea-9bf5-eada37891d87')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "86efb160-8de7-451d-bc08-5d475b0aadae",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-86efb160-8de7-451d-bc08-5d475b0aadae')]"
          },
          "supportedSKUs": {
            "value": "[parameters('supportedSKUs-86efb160-8de7-451d-bc08-5d475b0aadae')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "4ec52d6d-beb7-40c4-9a9e-fe753254690e",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ec52d6d-beb7-40c4-9a9e-fe753254690e",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-4ec52d6d-beb7-40c4-9a9e-fe753254690e')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "64d314f6-6062-4780-a861-c23e8951bee5",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/64d314f6-6062-4780-a861-c23e8951bee5",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-64d314f6-6062-4780-a861-c23e8951bee5')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "fa298e57-9444-42ba-bf04-86e8470e32c7",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fa298e57-9444-42ba-bf04-86e8470e32c7",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-fa298e57-9444-42ba-bf04-86e8470e32c7')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "67121cc7-ff39-4ab8-b7e3-95b84dab487d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "1f905d99-2ab7-462c-a6b0-f709acca6c8f",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1f905d99-2ab7-462c-a6b0-f709acca6c8f')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "ba769a63-b8cc-4b2d-abf6-ac33c7204be8",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-ba769a63-b8cc-4b2d-abf6-ac33c7204be8')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "81e74cea-30fd-40d5-802f-d72103c2aaaa",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/81e74cea-30fd-40d5-802f-d72103c2aaaa",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-81e74cea-30fd-40d5-802f-d72103c2aaaa')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "0aa61e00-0a01-4a3c-9945-e93cffedf0e6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0aa61e00-0a01-4a3c-9945-e93cffedf0e6",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0aa61e00-0a01-4a3c-9945-e93cffedf0e6')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "47031206-ce96-41f8-861b-6a915f3de284",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47031206-ce96-41f8-861b-6a915f3de284",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-47031206-ce96-41f8-861b-6a915f3de284')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "87ba29ef-1ab3-4d82-b763-87fcd4f531f7",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "51522a96-0869-4791-82f3-981000c2c67f",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/51522a96-0869-4791-82f3-981000c2c67f",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-51522a96-0869-4791-82f3-981000c2c67f')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "b5ec538c-daa0-4006-8596-35468b9148e8",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b5ec538c-daa0-4006-8596-35468b9148e8",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-b5ec538c-daa0-4006-8596-35468b9148e8')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "970f84d8-71b6-4091-9979-ace7e3fb6dbb",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/970f84d8-71b6-4091-9979-ace7e3fb6dbb",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-970f84d8-71b6-4091-9979-ace7e3fb6dbb')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "56a5ee18-2ae6-4810-86f7-18e39ce5629b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/56a5ee18-2ae6-4810-86f7-18e39ce5629b",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-56a5ee18-2ae6-4810-86f7-18e39ce5629b')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "2e94d99a-8a36-4563-bc77-810d8893b671",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2e94d99a-8a36-4563-bc77-810d8893b671",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-2e94d99a-8a36-4563-bc77-810d8893b671')]"
          },
          "enableDoubleEncryption": {
            "value": "[parameters('enableDoubleEncryption-2e94d99a-8a36-4563-bc77-810d8893b671')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "99e9ccd8-3db9-4592-b0d1-14b1715a4d8a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-99e9ccd8-3db9-4592-b0d1-14b1715a4d8a')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "1f68a601-6e6d-4e42-babf-3f643a047ea2",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f68a601-6e6d-4e42-babf-3f643a047ea2",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1f68a601-6e6d-4e42-babf-3f643a047ea2')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "f7d52b2d-e161-4dfa-a82b-55e564167385",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-f7d52b2d-e161-4dfa-a82b-55e564167385')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "7d7be79c-23ba-4033-84dd-45e2a5ccdd67",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "ca91455f-eace-4f96-be59-e6e2c35b4816",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ca91455f-eace-4f96-be59-e6e2c35b4816",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-ca91455f-eace-4f96-be59-e6e2c35b4816')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "702dd420-7fcc-42c5-afe8-4026edd20fe0",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-702dd420-7fcc-42c5-afe8-4026edd20fe0')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditEnablingOfOnlySecureConnectionsToYourRedisCache",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-22bee202-a82f-4305-9a2a-6d7f44d4dedb')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditSecureTransferToStorageAccounts",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-404c3081-a854-4457-ae30-26a93ef643f9')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "d0793b48-0edc-4296-a390-4c75d1bdfd71",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-d0793b48-0edc-4296-a390-4c75d1bdfd71')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "7d092e0a-7acd-40d2-a975-dca21cae48c4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7d092e0a-7acd-40d2-a975-dca21cae48c4",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-7d092e0a-7acd-40d2-a975-dca21cae48c4')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "2a1a9cdf-e04d-429a-8416-3bfb72a1b26f",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditUnrestrictedNetworkAccessToStorageAccounts",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-34c877ad-507e-4c82-993e-3452a6e0ad3c')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "55615ac9-af46-4a59-874e-391cc3dfb490",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-55615ac9-af46-4a59-874e-391cc3dfb490')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "1b8ca024-1d5c-4dec-8995-b1a932b41780",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1b8ca024-1d5c-4dec-8995-b1a932b41780')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "037eea7a-bd0a-46c5-9a66-03aea78705d3",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-037eea7a-bd0a-46c5-9a66-03aea78705d3')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "53503636-bcc9-4748-9663-5348217f160f",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/53503636-bcc9-4748-9663-5348217f160f",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-53503636-bcc9-4748-9663-5348217f160f')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "40cec1dd-a100-4920-b15b-3024fe8901ab",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/40cec1dd-a100-4920-b15b-3024fe8901ab",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-40cec1dd-a100-4920-b15b-3024fe8901ab')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "2154edb9-244f-4741-9970-660785bccdaa",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2154edb9-244f-4741-9970-660785bccdaa",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-2154edb9-244f-4741-9970-660785bccdaa')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "0725b4dd-7e76-479c-a735-68e7ee23d5ca",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "5f0bc445-3935-4915-9981-011aa2b46147",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f0bc445-3935-4915-9981-011aa2b46147",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-5f0bc445-3935-4915-9981-011aa2b46147')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "af35e2a4-ef96-44e7-a9ae-853dd97032c4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af35e2a4-ef96-44e7-a9ae-853dd97032c4",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-af35e2a4-ef96-44e7-a9ae-853dd97032c4')]"
          },
          "evaluatedSkuNames": {
            "value": "[parameters('evaluatedSkuNames-af35e2a4-ef96-44e7-a9ae-853dd97032c4')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "a049bf77-880b-470f-ba6d-9f21c530cf83",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-a049bf77-880b-470f-ba6d-9f21c530cf83')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "52630df9-ca7e-442b-853b-c6ce548b31a2",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/52630df9-ca7e-442b-853b-c6ce548b31a2",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-52630df9-ca7e-442b-853b-c6ce548b31a2')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "4fa4b6c0-31ca-4c0d-b10d-24b96f62a751",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-4fa4b6c0-31ca-4c0d-b10d-24b96f62a751')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ee980b6d-0eca-4501-8d54-f6290fd512c3",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ee980b6d-0eca-4501-8d54-f6290fd512c3",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-ee980b6d-0eca-4501-8d54-f6290fd512c3')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "1d84d5fb-01f6-4d12-ba4f-4a26081d403d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-1d84d5fb-01f6-4d12-ba4f-4a26081d403d')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "37e0d2fe-28a5-43d6-a273-67d37d1f5606",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606",
        "parameters": {
          "effect": {
            "value": "[parameters('effect-37e0d2fe-28a5-43d6-a273-67d37d1f5606')]"
          }
        },
        "groupNames": [
          "NIST_SP_800-53_R4_AC-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "b52376f7-9612-48a1-81cd-1ffe4b61032c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditDeprecatedAccountsOnASubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditProvisioningOfAnAzureActiveDirectoryAdministratorForSQLServer",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2",
          "NIST_SP_800-53_R4_AC-2(1)",
          "NIST_SP_800-53_R4_AC-2(7)",
          "NIST_SP_800-53_R4_AC-3",
          "NIST_SP_800-53_R4_IA-2",
          "NIST_SP_800-53_R4_IA-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ac4a19c2-fa67-49b4-8ae5-0b2e78c49457",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-3(7)"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditCORSResourceAccessRestrictionsForAWebApplication",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewMonitorInternetFacingVirtualMachinesForNetworkSecurityGroupTrafficHardeningRecommendations",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-4(3)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditMinimumNumberOfOwnersForSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditMaximumNumberOfOwnersForASubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2",
          "NIST_SP_800-53_R4_AC-6",
          "NIST_SP_800-53_R4_AC-6(7)"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditSQLManagedInstancesWithoutAdvancedDataSecurity",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(12)",
          "NIST_SP_800-53_R4_AC-16",
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_IR-4",
          "NIST_SP_800-53_R4_IR-5",
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditRemoteDebuggingStateForAFunctionApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditSQLServersWithoutAdvancedDataSecurity",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-16",
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_IR-4",
          "NIST_SP_800-53_R4_IR-5",
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "89099bee-89e0-4b26-a5f4-165451757743",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-11"
        ]
      },
      {
        "policyDefinitionReferenceId": "4da35fc9-c9e7-4960-aec9-797fe7d9051d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(12)",
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_CM-7",
          "NIST_SP_800-53_R4_IR-4",
          "NIST_SP_800-53_R4_IR-5",
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SC-3",
          "NIST_SP_800-53_R4_SI-2",
          "NIST_SP_800-53_R4_SI-3",
          "NIST_SP_800-53_R4_SI-3(1)",
          "NIST_SP_800-53_R4_SI-4",
          "NIST_SP_800-53_R4_SI-16"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewMonitorPossibleAppWhitelistingInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-7",
          "NIST_SP_800-53_R4_CM-7(2)",
          "NIST_SP_800-53_R4_CM-7(5)",
          "NIST_SP_800-53_R4_CM-10",
          "NIST_SP_800-53_R4_CM-11"
        ]
      },
      {
        "policyDefinitionReferenceId": "0ec47710-77ff-4a3d-9181-6aa50af424d0",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-6",
          "NIST_SP_800-53_R4_CP-6(1)",
          "NIST_SP_800-53_R4_CP-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditVirtualMachinesWithoutDisasterRecoveryConfigured",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "013e242c-8828-4970-87b3-ab247555486d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditAccountsWithOwnerPermissionsWhoAreNotMfaEnabledOnASubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-3",
          "NIST_SP_800-53_R4_IA-2",
          "NIST_SP_800-53_R4_IA-2(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditAccountsWithReadPermissionsWhoAreNotMfaEnabledOnASubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-3",
          "NIST_SP_800-53_R4_IA-2",
          "NIST_SP_800-53_R4_IA-2(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "6646a0bd-e110-40ca-bb97-84fcee63c414",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6646a0bd-e110-40ca-bb97-84fcee63c414",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(7)",
          "NIST_SP_800-53_R4_IA-2",
          "NIST_SP_800-53_R4_IA-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_AddSystemIdentityWhenNone",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-3",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_IA-5",
          "NIST_SP_800-53_R4_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-4",
          "NIST_SP_800-53_R4_IR-5",
          "NIST_SP_800-53_R4_IR-6(2)",
          "NIST_SP_800-53_R4_SI-4(12)"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditOSVulnerabilitiesOnYourVirtualMachineScaleSetsInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditStandardTierOfDDoSProtectionIsEnabledForAVirtualNetwork",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditHttpsOnlyAccessForAFunctionApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "0d134df8-db83-46fb-ad72-fe0c9428c8dd",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewMonitorUnencryptedVMDisksInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditAnyMissingSystemUpdatesOnVirtualMachineScaleSetsInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditTheEndpointProtectionSolutionOnVirtualMachineScaleSetsInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-3",
          "NIST_SP_800-53_R4_SI-3",
          "NIST_SP_800-53_R4_SI-3(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditDeprecatedAccountsWithOwnerPermissionsOnASubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewMonitorPossibleNetworkJustInTimeJITAccessInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(12)",
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-4(3)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditUsageOfCustomRBACRules",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2",
          "NIST_SP_800-53_R4_AC-2(7)",
          "NIST_SP_800-53_R4_AC-6",
          "NIST_SP_800-53_R4_AC-6(7)"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditRemoteDebuggingStateForAWebApplication",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "123a3936-f020-408a-ba0c-47873faf1534",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/123a3936-f020-408a-ba0c-47873faf1534",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-7",
          "NIST_SP_800-53_R4_CM-7(2)",
          "NIST_SP_800-53_R4_CM-7(5)",
          "NIST_SP_800-53_R4_CM-10",
          "NIST_SP_800-53_R4_CM-11"
        ]
      },
      {
        "policyDefinitionReferenceId": "48af4db5-9b8b-401c-8e74-076be876a430",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-6",
          "NIST_SP_800-53_R4_CP-6(1)",
          "NIST_SP_800-53_R4_CP-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditAccountsWithWritePermissionsWhoAreNotMfaEnabledOnASubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-3",
          "NIST_SP_800-53_R4_IA-2",
          "NIST_SP_800-53_R4_IA-2(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "0da106f2-4ca3-48e8-bc85-c638fe6aea8f",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2",
          "NIST_SP_800-53_R4_AC-3",
          "NIST_SP_800-53_R4_IA-2",
          "NIST_SP_800-53_R4_IA-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_AddSystemIdentityWhenUser",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-3",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_IA-5",
          "NIST_SP_800-53_R4_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "6e2593d9-add6-4083-9c9b-4b7d2188c899",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-4",
          "NIST_SP_800-53_R4_IR-5",
          "NIST_SP_800-53_R4_IR-6(2)",
          "NIST_SP_800-53_R4_SI-4(12)"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewMonitorOSVulnerabilitiesInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewMonitorUnprotectedNetworkEndpointsInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditHttpsOnlyAccessForAWebApplication",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "048248b0-55cd-46da-b1ff-39efd52db260",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditTransparentDataEncryptionStatus",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewMonitorMissingEndpointProtectionInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-3",
          "NIST_SP_800-53_R4_SI-3",
          "NIST_SP_800-53_R4_SI-3(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditExternalAccountsWithOwnerPermissionsOnASubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditRemoteDebuggingStateForAnAPIApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "0e6763cc-5078-4e64-889d-ff4d9a839047",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(12)",
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_IR-4",
          "NIST_SP_800-53_R4_IR-5",
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-2",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "358c20a6-3f9e-4f0e-97ff-c6ce485e2aac",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "82339799-d096-41ae-8538-b108becf0970",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-6",
          "NIST_SP_800-53_R4_CP-6(1)",
          "NIST_SP_800-53_R4_CP-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "2b9ad585-36bc-4615-b300-fd4435808332",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2",
          "NIST_SP_800-53_R4_AC-3",
          "NIST_SP_800-53_R4_IA-2",
          "NIST_SP_800-53_R4_IA-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_DeployExtensionWindows",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_IA-5",
          "NIST_SP_800-53_R4_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "0b15565f-aa9e-48ba-8619-45960f2c314d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-4",
          "NIST_SP_800-53_R4_IR-5",
          "NIST_SP_800-53_R4_IR-6(2)",
          "NIST_SP_800-53_R4_SI-4(12)"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewMonitorSQLVulnerabilityAssessmentResultsInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditHttpsOnlyAccessForAnApiApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewMonitorMissingSystemUpdatesInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "fc5e4038-4584-4632-8c85-c0448d374b2c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditExternalAccountsWithReadPermissionsOnASubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "e71308d3-144b-4262-b144-efdc3cc90517",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "7fe3b40f-802b-4cdd-8bd4-fd799c948cc2",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(12)",
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_IR-4",
          "NIST_SP_800-53_R4_IR-5",
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-2",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "d62cfe2b-3ab0-4d41-980d-76803b58ca65",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d62cfe2b-3ab0-4d41-980d-76803b58ca65",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "0820b7b9-23aa-4725-a1ce-ae4558f718e5",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "c4d441f8-f9d9-4a9e-9cef-e82117cb3eef",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2",
          "NIST_SP_800-53_R4_AC-3",
          "NIST_SP_800-53_R4_IA-2",
          "NIST_SP_800-53_R4_IA-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_DeployExtensionLinux",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-3",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_IA-5",
          "NIST_SP_800-53_R4_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "bd352bd5-2853-4985-bf0d-73806b4a5744",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-5",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditExternalAccountsWithWritePermissionsOnASubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "f6de0be7-9a8a-4b8a-b349-43cf02d22f7c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "6581d072-105e-4418-827f-bd446d56421b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6581d072-105e-4418-827f-bd446d56421b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(12)",
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_IR-4",
          "NIST_SP_800-53_R4_IR-5",
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-2",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "a4fe33eb-e377-4efb-ab31-0784311bc499",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewMonitorVMVulnerabilitiesInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "6fac406b-40ca-413b-bf8e-0bf964659c25",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "bb91dfba-c30d-4263-9add-9c2384e659a6",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "308fbb08-4ab8-4e67-9b29-592e93fb94fa",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(12)",
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_IR-4",
          "NIST_SP_800-53_R4_IR-5",
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-2",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "a3a6ea0c-e018-4933-9ef0-5aaa1501449b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "0a15ec92-a229-4763-bb14-0ea34a568f8d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a15ec92-a229-4763-bb14-0ea34a568f8d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "2913021d-f2fd-4f3d-b958-22354e2bdbcb",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcb",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(12)",
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_IR-4",
          "NIST_SP_800-53_R4_IR-5",
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-2",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ae89ebca-1c92-4898-ac2c-9f63decb045c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "0e246bcf-5f6f-4f87-bc6f-775d4712c7ea",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "c25d9a16-bc35-4e15-a7e5-9db606bf9ed4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c25d9a16-bc35-4e15-a7e5-9db606bf9ed4",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(12)",
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_IR-4",
          "NIST_SP_800-53_R4_IR-5",
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-2",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "d26f7642-7545-4e18-9b75-8c9bbdee3a9a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "e8cbc669-f12d-49eb-93e7-9273119e9933",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "d158790f-bfb0-486c-8631-2dc6b4e8e6af",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "83cef61d-dbd1-4b20-a4fc-5fbc7da10833",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "523b5cd1-3e23-492f-a539-13118b6d1e3a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/523b5cd1-3e23-492f-a539-13118b6d1e3a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(12)",
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_IR-4",
          "NIST_SP_800-53_R4_IR-5",
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-2",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "6ba6d016-e7c3-4842-b8f2-4992ebc0d72d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "22730e10-96f6-4aac-ad84-9383d35b5917",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "e802a67a-daf5-4436-9ea6-f6d821dd0c5d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "18adea5e-f416-4d0f-8aa8-d24321e3e274",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "0564d078-92f5-4f97-8398-b9f58a51f70b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0564d078-92f5-4f97-8398-b9f58a51f70b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "842c54e8-c2f9-4d79-ae8d-38d8b8019373",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/842c54e8-c2f9-4d79-ae8d-38d8b8019373",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "1b7aa243-30e4-4c9e-bca8-d0d3022b634a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "0a1302fb-a631-4106-9753-f3d494733990",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a1302fb-a631-4106-9753-f3d494733990",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "8dfab9c4-fe7b-49ad-85e4-1e9be085358f",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8dfab9c4-fe7b-49ad-85e4-1e9be085358f",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(12)",
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "475aae12-b88a-4572-8b36-9b712b2b3a17",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "0049a6b3-a662-4f3e-8635-39cf44ace45a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0049a6b3-a662-4f3e-8635-39cf44ace45a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "f9d614c5-c173-4d56-95a7-b4437057d193",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "7595c971-233d-4bcf-bd18-596129188c49",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7595c971-233d-4bcf-bd18-596129188c49",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "c3d20c29-b36d-48fe-808b-99a87530ad99",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3d20c29-b36d-48fe-808b-99a87530ad99",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(12)",
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_IR-4",
          "NIST_SP_800-53_R4_IR-5",
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-2",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "2f2ee1de-44aa-4762-b6bd-0893fc3f306d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "399b2637-a50f-4f95-96f8-3a145476eb15",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "bdc59948-5574-49b3-bb91-76b7c986428d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bdc59948-5574-49b3-bb91-76b7c986428d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(12)",
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_IR-4",
          "NIST_SP_800-53_R4_IR-5",
          "NIST_SP_800-53_R4_RA-5",
          "NIST_SP_800-53_R4_SI-2",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "04c4380f-3fae-46e8-96c9-30193528f602",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6",
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)",
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "295fc8b1-dc9f-4f53-9c61-3f313ceab40a",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/295fc8b1-dc9f-4f53-9c61-3f313ceab40a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "fb74e86f-d351-4b8d-b034-93da7391c01f",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fb74e86f-d351-4b8d-b034-93da7391c01f",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28",
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "e8eef0a8-67cf-4eb4-9386-14b0e78733d4",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "fdccbe47-f3e3-4213-ad5d-ea459b2fa077",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "9a1b8c48-453a-4044-86c3-d8bfd823e4f5",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8",
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ca610c1d-041c-4332-9d88-7ed3094967c7",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ca610c1d-041c-4332-9d88-7ed3094967c7",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "d9844e8a-1437-4aeb-a32c-0c992f056095",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "9830b652-8523-49cc-b1b3-e17dce1127ca",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9830b652-8523-49cc-b1b3-e17dce1127ca",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "4b90e17e-8448-49db-875e-bd83fb6f804f",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4b90e17e-8448-49db-875e-bd83fb6f804f",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "fb893a29-21bb-418c-a157-e99480ec364c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2",
          "NIST_SP_800-53_R4_SI-2(6)"
        ]
      },
      {
        "policyDefinitionReferenceId": "1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2",
          "NIST_SP_800-53_R4_SI-2(6)"
        ]
      },
      {
        "policyDefinitionReferenceId": "a1ad735a-e96f-45d2-a7b2-9a4932cab7ec",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a1ad735a-e96f-45d2-a7b2-9a4932cab7ec",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "7261b898-8a84-4db8-9e04-18527132abb3",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2",
          "NIST_SP_800-53_R4_SI-2(6)"
        ]
      },
      {
        "policyDefinitionReferenceId": "5bb220d9-2698-4ee4-8404-b9c30c9df609",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "496223c3-ad65-4ecd-878a-bae78737e9ed",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2",
          "NIST_SP_800-53_R4_SI-2(6)"
        ]
      },
      {
        "policyDefinitionReferenceId": "eaebaea7-8013-4ceb-9d14-7eb32271373c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eaebaea7-8013-4ceb-9d14-7eb32271373c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2",
          "NIST_SP_800-53_R4_SI-2(6)"
        ]
      },
      {
        "policyDefinitionReferenceId": "0c192fe8-9cbb-4516-85b3-0ade8bd03886",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0c192fe8-9cbb-4516-85b3-0ade8bd03886",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "5f0f936f-2f01-4bf5-b6be-d423792fa562",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "88999f4c-376a-45c8-bcb3-4058f713cf39",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/88999f4c-376a-45c8-bcb3-4058f713cf39",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2",
          "NIST_SP_800-53_R4_SI-2(6)"
        ]
      },
      {
        "policyDefinitionReferenceId": "6edd7eda-6dd8-40f7-810d-67160c639cd9",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "7008174a-fd10-4ef0-817e-fc820a951d73",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2",
          "NIST_SP_800-53_R4_SI-2(6)"
        ]
      },
      {
        "policyDefinitionReferenceId": "7698e800-9299-47a6-b3b6-5a0fee576eed",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7698e800-9299-47a6-b3b6-5a0fee576eed",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "7238174a-fd10-4ef0-817e-fc820a951d73",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2",
          "NIST_SP_800-53_R4_SI-2(6)"
        ]
      },
      {
        "policyDefinitionReferenceId": "74c3584d-afae-46f7-a20a-6f8adba71a16",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20a-6f8adba71a16",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2",
          "NIST_SP_800-53_R4_SI-2(6)"
        ]
      },
      {
        "policyDefinitionReferenceId": "0fda3595-9f2b-4592-8675-4231d6fa82fe",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0fda3595-9f2b-4592-8675-4231d6fa82fe",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "cddd188c-4b82-4c48-a19d-ddf74ee66a01",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cddd188c-4b82-4c48-a19d-ddf74ee66a01",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "051cba44-2429-45b9-9649-46cec11c7119",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "8b0323be-cc25-4b61-935d-002c3798c6ea",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8b0323be-cc25-4b61-935d-002c3798c6ea",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "f39f5f49-4abf-44de-8c70-0756997bfb51",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f39f5f49-4abf-44de-8c70-0756997bfb51",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "58440f8a-10c5-4151-bdce-dfbaad4a20b7",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/58440f8a-10c5-4151-bdce-dfbaad4a20b7",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "7803067c-7d34-46e3-8c79-0ca68fc4036d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7803067c-7d34-46e3-8c79-0ca68fc4036d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "b8564268-eb4a-4337-89be-a19db070c59d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b8564268-eb4a-4337-89be-a19db070c59d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "df39c015-56a4-45de-b4a3-efe77bed320d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/df39c015-56a4-45de-b4a3-efe77bed320d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "1c06e275-d63d-4540-b761-71f364c2111d",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c06e275-d63d-4540-b761-71f364c2111d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "1d320205-c6a1-4ac6-873d-46224024e8e2",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1d320205-c6a1-4ac6-873d-46224024e8e2",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(4)",
          "NIST_SP_800-53_R4_AU-6(5)",
          "NIST_SP_800-53_R4_AU-12",
          "NIST_SP_800-53_R4_AU-12(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "1ee56206-5dd1-42ab-b02d-8aae8b1634ce",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1ee56206-5dd1-42ab-b02d-8aae8b1634ce",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "72d11df1-dd8a-41f7-8925-b05b960ebafc",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/72d11df1-dd8a-41f7-8925-b05b960ebafc",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4",
          "NIST_SP_800-53_R4_AC-17",
          "NIST_SP_800-53_R4_AC-17(1)",
          "NIST_SP_800-53_R4_SC-7",
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "bf045164-79ba-4215-8f95-f8048dc1780b",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bf045164-79ba-4215-8f95-f8048dc1780b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-6",
          "NIST_SP_800-53_R4_CP-6(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "d38fc420-0735-4ef3-ac11-c806f651a570",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-6",
          "NIST_SP_800-53_R4_CP-6(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "991310cd-e9f3-47bc-b7b6-f57b557d07db",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/991310cd-e9f3-47bc-b7b6-f57b557d07db",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2",
          "NIST_SP_800-53_R4_SI-2(6)"
        ]
      },
      {
        "policyDefinitionReferenceId": "e2c1c086-2d84-4019-bff3-c44ccd95113c",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e2c1c086-2d84-4019-bff3-c44ccd95113c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2",
          "NIST_SP_800-53_R4_SI-2(6)"
        ]
      },
      {
        "policyDefinitionReferenceId": "8c122334-9d20-4eb8-89ea-ac9a705b74ae",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8c122334-9d20-4eb8-89ea-ac9a705b74ae",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2",
          "NIST_SP_800-53_R4_SI-2(6)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1000",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2ef3cc79-733e-48ed-ab6f-7bf439e9b406",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1001",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4e26f8c3-4bf3-4191-b8fc-d888805101b7",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1002",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/632024c2-8079-439d-a7f6-90af1d78cc65",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1003",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3b68b179-3704-4ff7-b51d-7d65374d165d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1004",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c17822dc-736f-4eb4-a97d-e6be662ff835",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1005",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b626abc-26d4-4e22-9de8-3831818526b1",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1006",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aae8d54c-4bce-4c04-b3aa-5b65b67caac8",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1007",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17200329-bf6c-46d8-ac6d-abf4641c2add",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1008",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8356cfc6-507a-4d20-b818-08038011cd07",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1009",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b26f8610-e615-47c2-abd6-c00b2b0b503a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1010",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/784663a8-1eb0-418a-a98c-24d19bc1bb62",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1011",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7e6a54f3-883f-43d5-87c4-172dfd64a1f5",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1012",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/efd7b9ae-1db6-4eb6-b0fe-87e6565f9738",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1013",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8fd7b917-d83b-4379-af60-51e14e316c61",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1014",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5dee936c-8037-4df1-ab35-6635733da48c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1015",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/544a208a-9c3f-40bc-b1d1-d7e144495c14",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1016",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d8b43277-512e-40c3-ab00-14b3b6e72238",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(4)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1017",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0fc3db37-e59a-48c1-84e9-1780cedb409e",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(5)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1018",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9121abf-e698-4ee9-b1cf-71ee528ff07f",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(7)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1019",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6a3ee9b2-3977-459c-b8ce-2db583abd9f7",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(7)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1020",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b291ee8-3140-4cad-beb7-568c077c78ce",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(7)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1021",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9a3eb0a3-428d-4669-baff-20a14eb4b551",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(9)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1022",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/411f7e2d-9a0b-4627-a0b9-1700432db47d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(10)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1023",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e55698b6-3dea-4aa9-99b9-d8218c6ab6e5",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(11)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1024",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/84914fb4-12da-4c53-a341-a9fd463bed10",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(12)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1025",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/adfe020d-0a97-45f4-a39c-696ef99f3a95",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(12)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1026",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55419419-c597-4cd4-b51e-009fd2266783",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-2(13)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1027",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a76ca9b0-3f4a-4192-9a38-b25e4f8ae48c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1028",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f171df5c-921b-41e9-b12b-50801c315475",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1029",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/53ac8f8e-c2b5-4d44-8a2d-058e9ced9b69",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4(8)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1030",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d3531453-b869-4606-9122-29c1cd6e7ed1",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-4(21)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1031",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6b93a801-fe25-4574-a60d-cb22acffae00",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1032",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5aa85661-d618-46b8-a20f-ca40a86f0751",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1033",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/48540f01-fc11-411a-b160-42807c68896e",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1034",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/02a5ed00-6d2e-4e97-9a98-46c32c057329",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1035",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ca94b046-45e2-444f-a862-dc8ce262a516",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-6(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1036",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9a16d673-8cf0-4dcf-b1d5-9b3e114fef71",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-6(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1037",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fa4c2a3d-1294-41a3-9ada-0e540471e9fb",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-6(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1038",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/26692e88-71b7-4a5f-a8ac-9f31dd05bd8e",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-6(5)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1039",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3a7b9de4-a8a2-4672-914d-c5f6752aa7f9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-6(7)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1040",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/54205576-cec9-463f-ba44-b4b3f5d0a84c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-6(7)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1041",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b3d8d15b-627a-4219-8c96-4d16f788888b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-6(8)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1042",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/319dc4f0-0fed-4ac9-8fc3-7aeddee82c07",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-6(9)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1043",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/361a77f6-0f9c-4748-8eec-bc13aaaa2455",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-6(10)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1044",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0abbac52-57cf-450d-8408-1208d0dd9e90",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1045",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/554d2dd6-f3a8-4ad5-b66f-5ce23bd18892",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1046",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b1aa965-7502-41f9-92be-3e2fe7cc392a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-7(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1047",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1ff6d62-a55c-41ab-90ba-90bb5b7b6f62",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-8"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1048",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/483e7ca9-82b3-45a2-be97-b93163a0deb7",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-8"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1049",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9adf7ba7-900a-4f35-8d57-9f34aafc405c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-8"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1050",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bd20184c-b4ec-4ce5-8db6-6e86352d183f",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-10"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1051",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7cac6ee9-b58b-40c8-a5ce-f0efc3d9b339",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-11"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1052",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/027cae1c-ec3e-4492-9036-4168d540c42a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-11"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1053",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7582b19c-9dba-438e-aed8-ede59ac35ba3",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-11(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1054",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5807e1b4-ba5e-4718-8689-a0ca05a191b2",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1055",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/769efd9b-3587-4e22-90ce-65ddcd5bd969",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-12(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1056",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac43352f-df83-4694-8738-cfce549fd08d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-12(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1057",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/78255758-6d45-4bf0-a005-7016bc03b13c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-14"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1058",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/76e85d08-8fbb-4112-a1c1-93521e6a9254",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-14"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1059",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a29b5d9f-4953-4afe-b560-203a6410b6b4",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-17"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1060",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34a987fd-2003-45de-a120-014956581f2b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-17"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1061",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7ac22808-a2e8-41c4-9d46-429b50738914",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-17(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1062",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4708723f-e099-4af1-bbf9-b6df7642e444",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-17(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1063",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/593ce201-54b2-4dd0-b34f-c308005d7780",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-17(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1064",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eb4d9508-cbf0-4a3c-bb5c-6c95b159f3fb",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-17(4)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1065",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f87b8085-dca9-4cf1-8f7b-9822b997797c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-17(4)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1066",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4455c2e8-c65d-4acf-895e-304916f90b36",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-17(9)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1067",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c5e54f6-0127-44d0-8b61-f31dc8dd6190",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-18"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1068",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2d045bca-a0fd-452e-9f41-4ec33769717c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-18"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1069",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/91c97b44-791e-46e9-bad7-ab7c4949edbb",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-18(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1070",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/68f837d0-8942-4b1e-9b31-be78b247bda8",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-18(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1071",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a437f5b-9ad6-4f28-8861-de404d511ae4",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-18(4)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1072",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1ca29e41-34ec-4e70-aba9-6248aca18c31",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-18(5)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1073",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ab55cdb0-c7dd-4bd8-ae22-a7cea7594e9c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-19"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1074",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/27a69937-af92-4198-9b86-08d355c7e59a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-19"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1075",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc933d22-04df-48ed-8f87-22a3773d4309",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-19(5)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1076",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/98a4bd5f-6436-46d4-ad00-930b5b1dfed4",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-20"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1077",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2dad3668-797a-412e-a798-07d3849a7a79",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-20"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1078",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b25faf85-8a16-4f28-8e15-d05c0072d64d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-20(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1079",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/85c32733-7d23-4948-88da-058e2c56b60f",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-20(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1080",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/852981b4-a380-4704-aa1e-2e52d63445e5",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-20(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1081",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3867f2a9-23bb-4729-851f-c3ad98580caf",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-21"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1082",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/24d480ef-11a0-4b1b-8e70-4e023bf2be23",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-21"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1083",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4e319cb6-2ca3-4a58-ad75-e67f484e50ec",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-22"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1084",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d0eb15db-dd1c-4d1d-b200-b12dd6cd060c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-22"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1085",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/13d117e0-38b0-4bbb-aaab-563be5dd10ba",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-22"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1086",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fb321e6f-16a0-4be3-878f-500956e309c5",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AC-22"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1087",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/100c82ba-42e9-4d44-a2ba-94b209248583",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AT-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1088",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1d50f99d-1356-49c0-934a-45f742ba7783",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AT-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1089",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef080e67-0d1a-4f76-a0c5-fb9b0358485e",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AT-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1090",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2fb740e5-cbc7-4d10-8686-d1bf826652b1",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AT-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1091",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b23bd715-5d1c-4e5c-9759-9cbdf79ded9d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AT-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1092",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8a29d47b-8604-4667-84ef-90d203fcb305",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AT-2(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1093",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7a0bdeeb-15f4-47e8-a1da-9f769f845fdf",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AT-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1094",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4b1853e0-8973-446b-b567-09d901d31a09",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AT-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1095",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bc3f6f7a-057b-433e-9834-e8c97b0194f6",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AT-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1096",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/420c1477-aa43-49d0-bd7e-c4abdd9addff",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AT-3(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1097",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cf3e4836-f19e-47eb-a8cd-c3ca150452c0",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AT-3(4)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1098",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/84363adb-dde3-411a-9fc1-36b56737f822",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AT-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1099",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/01910bab-8639-4bd0-84ef-cc53b24d79ba",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AT-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1100",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4057863c-ca7d-47eb-b1e0-503580cba8a4",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1101",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7327b708-f0e0-457d-9d2a-527fcc9c9a65",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1102",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9943c16a-c54c-4b4a-ad28-bfd938cdbf57",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1103",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/16feeb31-6377-437e-bbab-d7f73911896d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1104",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cdd8d244-18b2-4306-a1d1-df175ae0935f",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1105",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b73f57b-587d-4470-a344-0b0ae805f459",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1106",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d2b4feae-61ab-423f-a4c5-0e38ac4464d8",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-2(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1107",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b29ed931-8e21-4779-8458-27916122a904",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1108",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9ad559e-c12d-415e-9a78-e50fdd7da7ba",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-3(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1109",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7d9ffa23-ad92-4d0d-b1f4-7db274cc2aec",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-3(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1110",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6182bfa7-0f2a-43f5-834a-a2ddf31c13c7",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1111",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/21de687c-f15e-4e51-bf8d-f35c8619965b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1112",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d530aad8-4ee2-45f4-b234-c061dae683c0",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1113",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/562afd61-56be-4313-8fe4-b9564aa4ba7d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1114",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4c090801-59bc-4454-bb33-e0455133486a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-5(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1115",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b653845-2ad9-4e09-a4f3-5a7c1d78353d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1116",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e47bc51-35d1-44b8-92af-e2f2d8b67635",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1117",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7fbfe680-6dbb-4037-963c-a621c5635902",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1118",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a96f743d-a195-420d-983a-08aa06bc441e",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1119",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/845f6359-b764-4b40-b579-657aefe23c44",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(4)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1120",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c69b870e-857b-458b-af02-bb234f7a00d3",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(5)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1121",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c72b0eb9-1fc2-44e5-a866-e7cb0532f7c1",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(6)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1122",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/243ec95e-800c-49d4-ba52-1fdd9f6b8b57",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(7)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1123",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/03996055-37a4-45a5-8b70-3f1caa45f87d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-6(10)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1124",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c10152dd-78f8-4335-ae2d-ad92cc028da4",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1125",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c6ce745a-670e-47d3-a6c4-3cfe5ef00c10",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1126",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7f37f71b-420f-49bf-9477-9c0196974ecf",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-7(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1127",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3ce328db-aef3-48ed-9f81-2ab7cf839c66",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-8"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1128",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef212163-3bc4-4e86-bcf8-705127086393",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-8"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1129",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/71bb965d-4047-4623-afd4-b8189a58df5d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1130",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fd7c4c1d-51ee-4349-9dab-89a7f8c8d102",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1131",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b472a17e-c2bc-493f-b50b-42d55a346962",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1132",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/05938e10-cdbd-4a54-9b2b-1cbcfc141ad0",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-9(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1133",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/90b60a09-133d-45bc-86ef-b206a6134bbe",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-9(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1134",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4e95f70e-181c-4422-9da2-43079710c789",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-9(4)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1135",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9c308b6b-2429-4b97-86cf-081b8e737b04",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-10"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1136",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/97ed5bac-a92f-4f6d-a8ed-dc094723597c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-11"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1137",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4344df62-88ab-4637-b97b-bcaf2ec97e7c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1138",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9c284fc0-268a-4f29-af44-3c126674edb4",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1139",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ed62522-de00-4dda-9810-5205733d2f34",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1140",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/90d8b8ad-8ee3-4db7-913f-2a53fcff5316",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-12(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1141",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6fdefbf4-93e7-4513-bc95-c1858b7093e0",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_AU-12(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1142",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/01524fa8-4555-48ce-ba5f-c3b8dcef5147",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CA-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1143",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7c6de11b-5f51-4f7c-8d83-d2467c8a816e",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CA-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1144",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2fa15ff1-a693-4ee4-b094-324818dc9a51",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CA-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1145",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a0724970-9c75-4a64-a225-a28002953f28",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CA-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1146",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/dd83410c-ecb6-4547-8f14-748c3cbdc7ac",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CA-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1147",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8fef824a-29a8-4a4c-88fc-420a39c0d541",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CA-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1148",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/28e62650-c7c2-4786-bdfa-17edc1673902",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CA-2(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1149",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2e1b855b-a013-481a-aeeb-2bcb129fd35d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CA-2(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1150",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d630429d-e763-40b1-8fba-d20ba7314afb",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CA-2(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1151",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/347e3b69-7fb7-47df-a8ef-71a1a7b44bca",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CA-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1152",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/beff0acf-7e67-40b2-b1ca-1a0e8205cf1b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CA-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1153",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/61cf3125-142c-4754-8a16-41ab4d529635",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CA-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1154",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e757ceb9-93b3-45fe-a4f4-f43f64f1ac5a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CA-3(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1155",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4d33f9f1-12d0-46ad-9fbd-8f8046694977",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CA-3(5)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1156",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4d52e864-9a3b-41ee-8f03-520815fe5378",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1157",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/15495367-cf68-464c-bbc3-f53ca5227b7a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1158",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fff50cf2-28eb-45b4-b378-c99412688907",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CA-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1159",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0925f098-7877-450b-8ba4-d1e55f2d8795",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CA-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1160",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3e797ca6-2aa8-4333-b335-7036f1110c05",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CA-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1161",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e2f8f6c6-dde4-436b-a79d-bc50e129eb3a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CA-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1162",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5770f3d6-8c2b-4f6f-bf0e-c8c8fc36d592",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CA-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1163",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/961663a1-8a91-4e59-b6f5-1eee57c0f49c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CA-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1164",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0fb8d3ce-9e96-481c-9c68-88d4e3019310",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CA-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1165",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47e10916-6c9e-446b-b0bd-ff5fd439d79d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CA-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1166",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bb02733d-3cc5-4bb0-a6cd-695ba2c2272e",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CA-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1167",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cbb2be76-4891-430b-95a7-ca0b0a3d1300",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CA-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1168",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82409f9e-1f32-4775-bf07-b99d53a91b06",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CA-7(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1169",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e7ba2cb3-5675-4468-8b50-8486bdd998a5",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CA-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1170",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8b78b9b3-ee3c-48e0-a243-ed6dba5b7a12",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CA-8"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1171",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d4820bc-8b61-4982-9501-2123cb776c00",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CA-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1172",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b43e946e-a4c8-4b92-8201-4a39331db43c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CA-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1173",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c4aff9e7-2e60-46fa-86be-506b79033fc5",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CA-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1174",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/42a9a714-8fbb-43ac-b115-ea12d2bd652f",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1175",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6dab4254-c30d-4bb7-ae99-1d21586c063c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1176",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c30690a5-7bf3-467f-b0cd-ef5c7c7449cd",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1177",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/63dbc7a8-e20b-4d38-b857-a7f6c0cd94bc",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-2(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1178",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7818b8f4-47c6-441a-90ae-12ce04e99893",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-2(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1179",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3f9ce557-c8ab-4e6c-bb2c-9b8ed002c46c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-2(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1180",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/874e7880-a067-42a7-bcbe-1a340f54c8cc",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-2(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1181",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/21839937-d241-4fa5-95c6-b669253d9ab9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-2(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1182",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f34f554-da4b-4786-8d66-7915c90893da",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-2(7)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1183",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5352e3e0-e63a-452e-9e5f-9c1d181cff9c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-2(7)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1184",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/13579d0e-0ab0-4b26-b0fb-d586f6d7ed20",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1185",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6420cd73-b939-43b7-9d99-e8688fea053c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1186",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b95ba3bd-4ded-49ea-9d10-c6f4b680813d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1187",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9f2b2f9e-4ba6-46c3-907f-66db138b6f85",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1188",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bb20548a-c926-4e4d-855c-bcddc6faf95e",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1189",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ee45e02a-4140-416c-82c4-fecfea660b9d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1190",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c66a3d1e-465b-4f28-9da5-aef701b59892",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1191",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7f26a61b-a74d-467c-99cf-63644db144f7",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-3(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1192",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ebd97f7-b105-4f50-8daf-c51465991240",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-3(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1193",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f5fd629f-3075-4cae-ab53-bad65495a4ac",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-3(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1194",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bc34667f-397e-4a65-9b72-d0358f0b6b09",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-3(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1195",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d1e1d65c-1013-4484-bd54-991332e6a0d2",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-3(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1196",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4e7f4ea4-dd62-44f6-8886-ac6137cf52b0",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-3(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1197",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a20d2eaa-88e2-4907-96a2-8f3a05797e5c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-3(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1198",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f56be5c3-660b-4c61-9078-f67cf072c356",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-3(4)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1199",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a9a08d1c-09b1-48f1-90ea-029bbdf7111e",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-3(6)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1200",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e98fe9d7-2ed3-44f8-93b7-24dca69783ff",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1201",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7daef997-fdd3-461b-8807-a608a6dd70f1",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-4(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1202",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/40a2a83b-74f2-4c02-ae65-f460a5d2792a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1203",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9012d14-e3e6-4d7b-b926-9f37b5537066",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1204",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0f4f6750-d1ab-4a4c-8dfd-af3237682665",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-5(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1205",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b070cab-0fb8-4e48-ad29-fc90b4c2797c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-5(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1206",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e0de232d-02a0-4652-872d-88afb4ae5e91",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-5(5)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1207",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8713a0ed-0d1e-4d10-be82-83dffb39830e",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-5(5)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1208",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5ea87673-d06b-456f-a324-8abcee5c159f",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1209",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ce669c31-9103-4552-ae9c-cdef4e03580d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1210",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3502c968-c490-4570-8167-1476f955e9b8",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1211",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6a8b9dc8-6b00-4701-aa96-bba3277ebf50",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1212",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/56d970ee-4efc-49c8-8a4e-5916940d784c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1213",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/81f11e32-a293-4a58-82cd-134af52e2318",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-6(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1214",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f714a4e2-b580-47b6-ae8c-f2812d3750f3",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1215",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/88fc93e8-4745-4785-b5a5-b44bb92c44ff",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1216",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7894fe6a-f5cb-44c8-ba90-c3f254ff9484",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-7(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1217",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/edea4f20-b02c-4115-be75-86c080e5c0ed",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-7(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1218",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4a1d0394-b9f5-493e-9e83-563fd0ac4df8",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-7(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1219",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a39ac75-622b-4c88-9a3f-45b7373f7ef7",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-7(5)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1220",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c40f31a7-81e1-4130-99e5-a02ceea2a1d6",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-7(5)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1221",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22589a07-0007-486a-86ca-95355081ae2a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-7(5)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1222",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fb39e62f-6bda-4558-8088-ec03d5670914",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-8"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1223",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/05a1bb01-ad5a-49c1-aad3-b0c893b2ec3a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-8"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1224",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/28cfa30b-7f72-47ce-ba3b-eed26c8d2c82",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1225",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8d096fe0-f510-4486-8b4d-d17dc230980b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-8(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1226",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c158eb1c-ae7e-4081-8057-d527140c4e0c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-8(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1227",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/03b78f5e-4877-4303-b0f4-eb6583f25768",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-8(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1228",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/39c54140-5902-4079-8bb5-ad31936fe764",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-8(4)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1229",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/03752212-103c-4ab8-a306-7e813022ca9d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-8(5)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1230",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/11158848-f679-4e9b-aa7b-9fb07d945071",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1231",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/244e0c05-cc45-4fe7-bf36-42dcf01f457d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1232",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/396ba986-eac1-4d6d-85c4-d3fda6b78272",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1233",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9d79001f-95fe-45d0-8736-f217e78c1f57",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1234",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b293f881-361c-47ed-b997-bc4e2296bc0b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-10"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1235",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c49c610b-ece4-44b3-988c-2172b70d6e46",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-10"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1236",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9ba3ed84-c768-4e18-b87c-34ef1aff1b57",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-10"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1237",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e80b6812-0bfa-4383-8223-cdd86a46a890",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-10(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1238",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a36cedd4-3ffd-4b1f-8b18-aa71d8d87ce1",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-11"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1239",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0be51298-f643-4556-88af-d7db90794879",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-11"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1240",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/129eb39f-d79a-4503-84cd-92f036b5e429",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-11"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1241",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eca4d7b2-65e2-4e04-95d4-c68606b063c3",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CM-11(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1242",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cf3b3293-667a-445e-a722-fa0b0afc0958",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1243",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ca9a4469-d6df-4ab2-a42f-1213c396f0ec",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1244",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6a13a8f8-c163-4b1b-8554-d63569dab937",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1245",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a0e45314-57b8-4623-80cd-bbb561f59516",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1246",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/398eb61e-8111-40d5-a0c9-003df28f1753",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1247",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4e666db5-b2ef-4b06-aac6-09bfce49151b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1248",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/50fc602d-d8e0-444b-a039-ad138ee5deb0",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1249",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d3bf4251-0818-42db-950b-afd5b25a51c2",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1250",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8de614d8-a8b7-4f70-a62a-6d37089a002c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1251",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e2b3730-8c14-4081-8893-19dbb5de7348",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-2(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1252",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a328fd72-8ff5-4f96-8c9c-b30ed95db4ab",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-2(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1253",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0afce0b3-dd9f-42bb-af28-1e4284ba8311",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-2(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1254",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/704e136a-4fe0-427c-b829-cd69957f5d2b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-2(4)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1255",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f3793f5e-937f-44f7-bfba-40647ef3efa0",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-2(5)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1256",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/232ab24b-810b-4640-9019-74a7d0d6a980",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-2(8)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1257",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b958b241-4245-4bd6-bd2d-b8f0779fb543",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1258",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7814506c-382c-4d33-a142-249dd4a0dbff",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1259",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9d9e18f7-bad9-4d30-8806-a0c9d5e26208",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1260",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/42254fc4-2738-4128-9613-72aaa4f0d9c3",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-3(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1261",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/65aeceb5-a59c-4cb1-8d82-9c474be5d431",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1262",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/831e510e-db41-4c72-888e-a0621ab62265",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1263",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/41472613-3b05-49f6-8fe8-525af113ce17",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1264",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/dd280d4b-50a1-42fb-a479-ece5878acf19",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-4(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1265",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a18adb5b-1db6-4a5b-901a-7d3797d12972",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-4(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1266",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3b4a3eb2-c25d-40bf-ad41-5094b6f59cee",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-4(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1267",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4e97ba1d-be5d-4953-8da4-0cccf28f4805",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1268",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/23f6e984-3053-4dfc-ab48-543b764781f5",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1269",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/19b9439d-865d-4474-b17d-97d2702fdb66",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-6(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1270",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/53c76a39-2097-408a-b237-b279f7b4614d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-6(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1271",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/da3bfb53-9c46-4010-b3db-a7ba1296dada",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-6(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1272",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae46cf7a-e3fd-427b-9b91-44bc78e2d9d8",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1273",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e77fcbf2-a1e8-44f1-860e-ed6583761e65",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1274",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2aee175f-cd16-4825-939a-a85349d96210",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1275",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a23d9d53-ad2e-45ef-afd5-e6d10900a737",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-7(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1276",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e214e563-1206-4a43-a56b-ac5880c9c571",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-7(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1277",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/dc43e829-3d50-4a0a-aa0f-428d551862aa",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1278",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8e5ef485-9e16-4c53-a475-fbb8107eac59",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-7(4)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1279",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7d00bcd6-963d-4c02-ad8e-b45fa50bf3b0",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-8"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1280",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fa108498-b3a8-4ffb-9e79-1107e76afad3",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1281",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8dc459b3-0e77-45af-8d71-cfd8c9654fe2",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1282",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34042a97-ec6d-4263-93d2-8c1c46823b2a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-8(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1283",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a9172e76-7f56-46e9-93bf-75d69bdb5491",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-8(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1284",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/942b3e97-6ae3-410e-a794-c9c999b97c0b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-8(4)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1285",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/01f7726b-db54-45c2-bcb5-9bd7a43796ee",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-8(4)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1286",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4f9b47a-2116-4e6f-88db-4edbf22753f1",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-8(4)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1287",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/819dc6da-289d-476e-8500-7e341ef8677d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1288",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8d854c3b-a3e6-4ec9-9f0c-c7274dbaeb2f",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1289",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7a724864-956a-496c-b778-637cb1d762cf",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1290",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/92f85ce9-17b7-49ea-85ee-ea7271ea6b82",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1291",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d8fd073-9c85-4ee2-a9d0-2e4ec9eb8912",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-9(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1292",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d03516cf-0293-489f-9b32-a18f2a79f836",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-9(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1293",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/87f7cd82-2e45-4d0f-9e2f-586b0962d142",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-9(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1294",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/49dbe627-2c1e-438c-979e-dd7a39bbf81d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-9(5)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1295",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a895fbdb-204d-4302-9689-0a59dc42b3d9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-10"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1296",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e57b98a0-a011-4956-a79d-5d17ed8b8e48",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-10(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1297",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/93fd8af1-c161-4bae-9ba9-f62731f76439",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_CP-10(4)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1298",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1dc784b5-4895-4d27-9d40-a06b032bd1ee",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1299",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fd4e54f7-9ab0-4bae-b6cc-457809948a89",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1300",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/99deec7d-5526-472e-b07c-3645a792026a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1301",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b6a8e0cc-ac23-468b-abe4-a8a1cc6d7a08",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-2(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1302",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/09828c65-e323-422b-9774-9d5c646124da",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-2(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1303",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/80ca0a27-918a-4604-af9e-723a27ee51e8",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-2(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1304",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6ca71be3-16cb-4d39-8b50-7f8fd5e2f11b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-2(4)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1305",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9d9166a8-1722-4b8f-847c-2cf3f2618b3d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-2(5)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1306",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cafc6c3c-5fc5-4c5e-a99b-a0ccb1d34eff",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-2(8)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1307",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/84e622c8-4bed-417c-84c6-b2fb0dd73682",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-2(9)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1308",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/81817e1c-5347-48dd-965a-40159d008229",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-2(11)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1309",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f355d62b-39a8-4ba3-abf7-90f71cb3b000",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-2(12)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1310",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/450d7ede-823d-4931-a99d-57f6a38807dc",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1311",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e7568697-0c9e-4ea3-9cec-9e567d14f3c6",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1312",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4d6a5968-9eef-4c18-8534-376790ab7274",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1313",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/36220f5b-79a1-4cdb-8c74-2d2449f9a510",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1314",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef0c8530-efd9-45b8-b753-f03083d06295",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1315",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3aa87116-f1a1-4edb-bfbf-14e036f8d454",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1316",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8ce14753-66e5-465d-9841-26ef55c09c0d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-4(4)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1317",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8877f519-c166-47b7-81b7-8a8eb4ff3775",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1318",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fced5fda-3bdb-4d73-bfea-0e2c80428b66",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1319",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/66f7ae57-5560-4fc5-85c9-659f204e7a42",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1320",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6f54c732-71d4-4f93-a696-4e373eca3a77",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1321",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eb627cc6-3a9d-46b5-96b7-5fca49178a37",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1322",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9d1d971e-467e-4278-9633-c74c3d4fecc4",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1323",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abe8f70b-680f-470c-9b86-a7edfb664ecc",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1324",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8cfea2b3-7f77-497e-ac20-0752f2ff6eee",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1325",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1845796a-7581-49b2-ae20-443121538e19",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1326",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8605fc00-1bf5-4fb3-984e-c95cec4f231d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1327",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/03188d8f-1ae5-4fe1-974d-2d7d32ef937d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1328",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f5c66fdc-3d02-4034-9db5-ba57802609de",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1329",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/498f6234-3e20-4b6a-a880-cbd646d973bd",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1330",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f75cedb2-5def-4b31-973e-b69e8c7bd031",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1331",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/05460fe2-301f-4ed1-8174-d62c8bb92ff4",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1332",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/068260be-a5e6-4b0a-a430-cd27071c226a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1333",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3298d6bf-4bc6-4278-a95d-f7ef3ac6e594",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1334",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/44bfdadc-8c2e-4c30-9c99-f005986fabcd",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1335",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/382016f3-d4ba-4e15-9716-55077ec4dc2a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1336",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/77f56280-e367-432a-a3b9-8ca2aa636a26",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1337",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/463e5220-3f79-4e24-a63f-343e4096cd22",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1338",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c59a207-6aed-41dc-83a2-e1ff66e4a4db",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5(4)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1339",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/367ae386-db7f-4167-b672-984ff86277c0",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5(6)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1340",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e51ff84b-e5ea-408f-b651-2ecc2933e4c6",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5(7)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1341",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34cb7e92-fe4c-4826-b51e-8cd203fa5d35",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5(8)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1342",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/283a4e29-69d5-4c94-b99e-29acf003c899",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5(11)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1343",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2c251a55-31eb-4e53-99c6-e9c43c393ac2",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-5(13)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1344",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2c895fe7-2d8e-43a2-838c-3a533a5b355e",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1345",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f86aa129-7c07-4aa4-bbf5-792d93ffd9ea",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1346",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/464dc8ce-2200-4720-87a5-dc5952924cc6",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-8"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1347",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/131a2706-61e9-4916-a164-00e052056462",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1348",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/855ced56-417b-4d74-9d5f-dd1bc81e22d6",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-8(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1349",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17641f70-94cd-4a5d-a613-3d1143e20e34",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-8(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1350",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d77fd943-6ba6-4a21-ba07-22b03e347cc4",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IA-8(4)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1351",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bcfb6683-05e5-4ce6-9723-c3fbe9896bdd",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1352",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/518cb545-bfa8-43f8-a108-3b7d5037469a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1353",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c785ad59-f78f-44ad-9a7f-d1202318c748",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1354",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9fd92c17-163a-4511-bb96-bbb476449796",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1355",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/90e01f69-3074-4de8-ade7-0fef3e7d83e0",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1356",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8829f8f5-e8be-441e-85c9-85b72a5d0ef3",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-2(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1357",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e4213689-05e8-4241-9d4e-8dd1cdafd105",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-2(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1358",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/effbaeef-5bf4-400d-895e-ef8cbc0e64c7",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1359",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47bc7ea0-7d13-4f7c-a154-b903f7194253",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-3(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1360",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/be5b05e7-0b82-4ebc-9eda-25e447b1a41e",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1361",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/03ed3be1-7276-4452-9a5d-e4168565ac67",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1362",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5d169442-d6ef-439b-8dca-46c2c3248214",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1363",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ea3e8156-89a1-45b1-8bd6-938abc79fdfd",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-4(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1364",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4c615c2a-dc83-4dda-8220-abce7b50c9bc",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-4(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1365",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4116891d-72f7-46ee-911c-8056cc8dcbd5",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-4(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1366",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/06c45c30-ae44-4f0f-82be-41331da911cc",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-4(4)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1367",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/435b2547-6374-4f87-b42d-6e8dbe6ae62a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-4(6)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1368",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/465f32da-0ace-4603-8d1b-7be5a3a702de",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-4(8)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1369",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/18cc35ed-a429-486d-8d59-cb47e87304ed",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1370",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/924e1b2d-c502-478f-bfdb-a7e09a0d5c01",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1371",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9447f354-2c85-4700-93b3-ecdc6cb6a417",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1372",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/25b96717-c912-4c00-9143-4e487f411726",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1373",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4cca950f-c3b7-492a-8e8f-ea39663c14f9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-6(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1374",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cc5c8616-52ef-4e5e-8000-491634ed9249",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1375",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/00379355-8932-4b52-b63a-3bc6daf3451a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-7(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1376",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/493a95f3-f2e3-47d0-af02-65e6d6decc2f",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-7(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1377",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/68434bd1-e14b-4031-9edb-a4adf5f84a67",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-7(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1378",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/97fceb70-6983-42d0-9331-18ad8253184d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-8"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1379",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9442dd2c-a07f-46cd-b55a-553b66ba47ca",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-8"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1380",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4319b7e-ea8d-42ff-8a67-ccd462972827",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-8"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1381",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e5368258-9684-4567-8126-269f34e65eab",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-8"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1382",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/841392b3-40da-4473-b328-4cde49db67b3",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-8"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1383",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d4558451-e16a-4d2d-a066-fe12a6282bb9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-8"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1384",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/79fbc228-461c-4a45-9004-a865ca0728a7",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1385",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3e495e65-8663-49ca-9b38-9f45e800bc58",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1386",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5120193e-91fd-4f9d-bc6d-194f94734065",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1387",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e3007185-3857-43a9-8237-06ca94f1084c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1388",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2c7c575a-d4c5-4f6f-bd49-dee97a8cba55",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1389",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c39e6fda-ae70-4891-a739-be7bba6d1062",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1390",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3b65b63-09ec-4cb5-8028-7dd324d10eb0",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-9(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1391",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/dd6ac1a1-660e-4810-baa8-74e868e2ed47",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-9(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1392",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86dc819f-15e1-43f9-a271-41ae58d4cecc",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-9(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1393",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/731856d8-1598-4b75-92de-7d46235747c0",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_IR-9(4)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1394",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4db56f68-3f50-45ab-88f3-ca46f5379a94",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MA-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1395",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7207a023-a517-41c5-9df2-09d4c6845a05",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MA-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1396",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/276af98f-4ff9-4e69-99fb-c9b2452fb85f",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MA-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1397",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/391af4ab-1117-46b9-b2c7-78bbd5cd995b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MA-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1398",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/443e8f3d-b51a-45d8-95a7-18b0e42f4dc4",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MA-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1399",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2256e638-eb23-480f-9e15-6cf1af0a76b3",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MA-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1400",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a96d5098-a604-4cdf-90b1-ef6449a27424",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MA-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1401",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b78ee928-e3c1-4569-ad97-9f8c4b629847",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MA-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1402",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a560d32-8075-4fec-9615-9f7c853f4ea9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MA-2(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1403",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/57149289-d52b-4f40-9fe6-5233c1ef80f7",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MA-2(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1404",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/13d8f903-0cd6-449f-a172-50f6579c182b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MA-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1405",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fe1a0bf3-409a-4b00-b60d-0b1f917f7e7b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MA-3(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1406",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a0f5339c-9292-43aa-a0bc-d27c6b8e30aa",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MA-3(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1407",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ff9fbd83-1d8d-4b41-aac2-94cb44b33976",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MA-3(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1408",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c5f56ac6-4bb2-4086-bc41-ad76344ba2c2",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MA-3(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1409",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d1880188-e51a-4772-b2ab-68f5e8bd27f6",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MA-3(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1410",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a2596a9f-e59f-420d-9625-6e0b536348be",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MA-3(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1411",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/898d4fe8-f743-4333-86b7-0c9245d93e7d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MA-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1412",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3492d949-0dbb-4589-88b3-7b59601cc764",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MA-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1413",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aeedddb6-6bc0-42d5-809b-80048033419d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MA-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1414",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2ce63a52-e47b-4ae2-adbb-6e40d967f9e6",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MA-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1415",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/61a1dd98-b259-4840-abd5-fbba7ee0da83",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MA-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1416",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/38dfd8a3-5290-4099-88b7-4081f4c4d8ae",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MA-4(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1417",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7522ed84-70d5-4181-afc0-21e50b1b6d0e",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MA-4(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1418",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/28e633fd-284e-4ea7-88b4-02ca157ed713",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MA-4(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1419",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b6747bf9-2b97-45b8-b162-3c8becb9937d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MA-4(6)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1420",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/05ae08cc-a282-413b-90c7-21a2c60b8404",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1421",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e539caaa-da8c-41b8-9e1e-449851e2f7a6",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1422",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ea556850-838d-4a37-8ce5-9d7642f95e11",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1423",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7741669e-d4f6-485a-83cb-e70ce7cbbc20",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1424",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cf55fc87-48e1-4676-a2f8-d9a8cf993283",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1425",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5983d99c-f39b-4c32-a3dc-170f19f6941b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MA-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1426",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/21f639bc-f42b-46b1-8f40-7a2a389c291a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MP-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1427",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bc90e44f-d83f-4bdf-900f-3d5eb4111b31",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MP-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1428",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a77fcc7-b8d8-451a-ab52-56197913c0c7",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MP-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1429",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b07c9b24-729e-4e85-95fc-f224d2d08a80",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MP-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1430",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0f559588-5e53-4b14-a7c4-85d28ebc2234",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MP-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1431",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a7173c52-2b99-4696-a576-63dd5f970ef4",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MP-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1432",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1140e542-b80d-4048-af45-3f7245be274b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MP-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1433",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b879b41-2728-41c5-ad24-9ee2c37cbe65",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MP-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1434",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2c18f06b-a68d-41c3-8863-b8cd3acb5f8f",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MP-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1435",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fa8d221b-d130-4637-ba16-501e666628bb",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MP-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1436",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/28aab8b4-74fd-4b7c-9080-5a7be525d574",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MP-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1437",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d1eb6ed-bf13-4046-b993-b9e2aef0f76c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MP-5(4)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1438",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/40fcc635-52a2-4dbc-9523-80a1f4aa1de6",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MP-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1439",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/dce72873-c5f1-47c3-9b4f-6b8207fd5a45",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MP-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1440",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/881299bf-2a5b-4686-a1b2-321d33679953",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MP-6(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1441",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6519d7f3-e8a2-4ff3-a935-9a9497152ad7",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MP-6(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1442",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f26049b-2c5a-4841-9ff3-d48a26aae475",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MP-6(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1443",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cd0ec6fa-a2e7-4361-aee4-a8688659a9ed",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MP-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1444",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/666143df-f5e0-45bd-b554-135f0f93e44e",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_MP-7(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1445",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/32d07d59-2716-4972-b37b-214a67ac4a37",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PE-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1446",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bf6850fe-abba-468e-9ef4-d09ec7d983cd",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PE-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1447",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b9783a99-98fe-4a95-873f-29613309fe9a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PE-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1448",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/825d6494-e583-42f2-a3f2-6458e6f0004f",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PE-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1449",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f784d3b0-5f2b-49b7-b9f3-00ba8653ced5",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PE-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1450",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/134d7a13-ba3e-41e2-b236-91bfcfa24e01",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PE-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1451",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e3f1e5a3-25c1-4476-8cb6-3955031f8e65",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PE-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1452",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82c76455-4d3f-4e09-a654-22e592107e74",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PE-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1453",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9693b564-3008-42bc-9d5d-9c7fe198c011",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PE-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1454",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ad58985d-ab32-4f99-8bd3-b7e134c90229",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PE-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1455",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/068a88d4-e520-434e-baf0-9005a8164e6a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PE-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1456",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/733ba9e3-9e7c-440a-a7aa-6196a90a2870",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PE-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1457",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f2d9d3e6-8886-4305-865d-639163e5c305",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PE-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1458",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8c19ceb7-56e9-4488-8ddb-b1eb3aa6d203",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PE-3(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1459",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/75cc73c7-5cdb-479d-a06f-7b4d0dbb1da0",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PE-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1460",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6f3ce1bb-4f77-4695-8355-70b08d54fdda",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PE-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1461",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aafef03e-fea8-470b-88fa-54bd1fcd7064",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PE-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1462",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9b1f3a9a-13a1-4b40-8420-36bca6fd8c02",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PE-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1463",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/59721f87-ae25-4db0-a2a4-77cc5b25d495",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PE-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1464",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/41256567-1795-4684-b00b-a1308ce43cac",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PE-6(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1465",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e6e41554-86b5-4537-9f7f-4fc41a1d1640",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PE-6(4)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1466",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0d943a9c-a6f1-401f-a792-740cdb09c451",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PE-8"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1467",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5350cbf9-8bdd-4904-b22a-e88be84ca49d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PE-8"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1468",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/75603f96-80a1-4757-991d-5a1221765ddd",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PE-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1469",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f509c5b6-0de0-4a4e-9b2e-cd9cbf3a58fd",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PE-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1470",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c89ba09f-2e0f-44d0-8095-65b05bd151ef",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PE-10"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1471",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7dd0e9ce-1772-41fb-a50a-99977071f916",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PE-10"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1472",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef869332-921d-4c28-9402-3be73e6e50c8",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PE-10"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1473",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d7047705-d719-46a7-8bb0-76ad233eba71",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PE-11"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1474",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/03ad326e-d7a1-44b1-9a76-e17492efc9e4",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PE-11(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1475",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34a63848-30cf-4081-937e-ce1a1c885501",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PE-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1476",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0f3c4ac2-3e35-4906-a80b-473b12a622d7",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PE-13"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1477",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4862a63c-6c74-4a9d-a221-89af3c374503",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PE-13(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1478",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f997df46-cfbb-4cc8-aac8-3fecdaf6a183",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PE-13(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1479",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e327b072-281d-4f75-9c28-4216e5d72f26",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PE-13(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1480",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/18a767cc-1947-4338-a240-bc058c81164f",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PE-14"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1481",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/717a1c78-a267-4f56-ac58-ee6c54dc4339",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PE-14"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1482",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9df4277e-8c88-4d5c-9b1a-541d53d15d7b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PE-14(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1483",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5cb81060-3c8a-4968-bcdc-395a1801f6c1",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PE-15"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1484",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/486b006a-3653-45e8-b41c-a052d3e05456",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PE-15(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1485",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/50301354-95d0-4a11-8af5-8039ecf6d38b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PE-16"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1486",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb790345-a51f-43de-934e-98dbfaf9dca5",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PE-17"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1487",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9c3371d-c30c-4f58-abd9-30b8a8199571",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PE-17"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1488",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d8ef30eb-a44f-47af-8524-ac19a36d41d2",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PE-17"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1489",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9d0a794f-1444-4c96-9534-e35fc8c39c91",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PE-18"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1490",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9e61da80-0957-4892-b70c-609d5eaafb6b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PL-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1491",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1571dd40-dafc-4ef4-8f55-16eba27efc7b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PL-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1492",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7ad5f307-e045-46f7-8214-5bdb7e973737",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PL-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1493",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22b469b3-fccf-42da-aa3b-a28e6fb113ce",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PL-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1494",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9ed09d84-3311-4853-8b67-2b55dfa33d09",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PL-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1495",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f4978d0e-a596-48e7-9f8c-bbf52554ce8d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PL-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1496",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0ca96127-2f87-46ab-a4fc-0d2a786df1c8",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PL-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1497",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2e3c5583-1729-4d36-8771-59c32f090a22",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PL-2(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1498",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/633988b9-cf2f-4323-8394-f0d2af9cd6e1",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PL-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1499",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e59671ab-9720-4ee2-9c60-170e8c82251e",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PL-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1500",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9dd5b241-03cb-47d3-a5cd-4b89f9c53c92",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PL-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1501",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/88817b58-8472-4f6c-81fa-58ce42b67f51",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PL-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1502",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e901375c-8f01-4ac8-9183-d5312f47fe63",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PL-4(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1503",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c1fa9c2f-d439-4ab9-8b83-81fb1934f81d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PL-8"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1504",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9e7c35d0-12d4-4e0c-80a2-8a352537aefd",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PL-8"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1505",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/813a10a7-3943-4fe3-8678-00dc52db5490",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PL-8"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1506",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f7d2ff17-d604-4dd9-b607-9ecf63f28ad2",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PS-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1507",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86ccd1bf-e7ad-4851-93ce-6ec817469c1e",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PS-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1508",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/76f500cc-4bca-4583-bda1-6d084dc21086",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PS-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1509",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/70792197-9bfc-4813-905a-bd33993e327f",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PS-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1510",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/79da5b09-0e7e-499e-adda-141b069c7998",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PS-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1511",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a9eae324-d327-4539-9293-b48e122465f8",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1512",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5a8324ad-f599-429b-aaed-f9c6e8c987a8",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PS-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1513",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c416970d-b12b-49eb-8af4-fb144cd7c290",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PS-3(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1514",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9ed5ca00-0e43-434e-a018-7aab91461ba7",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PS-3(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1515",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/02dd141a-a2b2-49a7-bcbd-ca31142f6211",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PS-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1516",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/da3cd269-156f-435b-b472-c3af34c032ed",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PS-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1517",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8f5ad423-50d6-4617-b058-69908f5586c9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PS-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1518",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0d58f734-c052-40e9-8b2f-a1c2bff0b815",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PS-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1519",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2f13915a-324c-4ab8-b45c-2eefeeefb098",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PS-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1520",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7f2c513b-eb16-463b-b469-c10e5fa94f0a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PS-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1521",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3cbddf9c-a3aa-4330-a0f5-4c0c1f1862e5",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PS-4(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1522",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/38b470cc-f939-4a15-80e0-9f0c74f2e2c9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PS-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1523",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5577a310-2551-49c8-803b-36e0d5e55601",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PS-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1524",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/72f1cb4e-2439-4fe8-88ea-b8671ce3c268",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PS-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1525",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9be2f688-7a61-45e3-8230-e1ec93893f66",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PS-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1526",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/953e6261-a05a-44fd-8246-000e1a3edbb9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PS-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1527",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2823de66-332f-4bfd-94a3-3eb036cd3b67",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PS-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1528",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/deb9797c-22f8-40e8-b342-a84003c924e6",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PS-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1529",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d74fdc92-1cb8-4a34-9978-8556425cd14c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PS-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1530",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6e8f9566-29f1-49cd-b61f-f8628a3cf993",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PS-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1531",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0643e0c-eee5-4113-8684-c608d05c5236",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PS-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1532",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a2c66299-9017-4d95-8040-8bdbf7901d52",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PS-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1533",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bba2a036-fb3b-4261-b1be-a13dfb5fbcaa",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PS-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1534",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8b2b263e-cd05-4488-bcbf-4debec7a17d9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PS-8"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1535",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9a165d2-967d-4733-8399-1074270dae2e",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_PS-8"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1536",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6e40d9de-2ad4-4cb5-8945-23143326a502",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1537",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b19454ca-0d70-42c0-acf5-ea1c1e5726d1",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1538",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1d7658b2-e827-49c3-a2ae-6d2bd0b45874",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1539",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aabb155f-e7a5-4896-a767-e918bfae2ee0",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1540",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f771f8cb-6642-45cc-9a15-8a41cd5c6977",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1541",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/70f6af82-7be6-44aa-9b15-8b9231b2e434",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1542",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eab340d0-3d55-4826-a0e5-feebfeb0131d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1543",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fd00b778-b5b5-49c0-a994-734ea7bd3624",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1544",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/43ced7c9-cd53-456b-b0da-2522649a4271",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1545",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3f4b171a-a56b-4328-8112-32cf7f947ee1",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1546",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2ce1ea7e-4038-4e53-82f4-63e8859333c1",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1547",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/58abf9b8-c6d4-4b4b-bfb9-fe98fe295f52",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1548",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3afe6c78-6124-4d95-b85c-eb8c0c9539cb",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1549",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d6976a08-d969-4df2-bb38-29556c2eb48a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1550",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/902908fb-25a8-4225-a3a5-5603c80066c9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1551",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5bbda922-0172-4095-89e6-5b4a0bf03af7",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1552",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/43684572-e4f1-4642-af35-6b933bc506da",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-5(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1553",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9e5225fe-cdfb-4fce-9aec-0fe20dd53b62",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-5(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1554",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/10984b4e-c93e-48d7-bf20-9c03b04e9eca",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-5(4)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1555",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5afa8cab-1ed7-4e40-884c-64e0ac2059cc",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-5(5)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1556",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/391ff8b3-afed-405e-9f7d-ef2f8168d5da",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-5(6)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1557",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/36fbe499-f2f2-41b6-880e-52d7ea1d94a5",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-5(8)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1558",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/65592b16-4367-42c5-a26e-d371be450e17",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_RA-5(10)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1559",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/45692294-f074-42bd-ac54-16f1a3c07554",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1560",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e29e0915-5c2f-4d09-8806-048b749ad763",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1561",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/40364c3f-c331-4e29-b1e3-2fbe998ba2f5",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1562",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d4142013-7964-4163-a313-a900301c2cef",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1563",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9afe2edf-232c-4fdf-8e6a-e867a5c525fd",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1564",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/157f0ef9-143f-496d-b8f9-f8c8eeaad801",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1565",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/45ce2396-5c76-4654-9737-f8792ab3d26b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1566",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/50ad3724-e2ac-4716-afcc-d8eabd97adb9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1567",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e72edbf6-aa61-436d-a227-0f32b77194b3",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1568",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b6a8eae8-9854-495a-ac82-d2cd3eac02a6",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1569",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ad2f8e61-a564-4dfd-8eaa-816f5be8cb34",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1570",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a7fcf38d-bb09-4600-be7d-825046eb162a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1571",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b11c985b-f2cd-4bd7-85f4-b52426edf905",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1572",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/04f5fb00-80bb-48a9-a75b-4cb4d4c97c36",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1573",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/58c93053-7b98-4cf0-b99f-1beb985416c2",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1574",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0f935dab-83d6-47b8-85ef-68b8584161b9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1575",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/93e1bb73-1b08-4dbe-9c62-8e2e92e7ec41",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-4(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1576",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f18c885-ade3-48c5-80b1-8f9216019c18",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-4(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1577",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d922484a-8cfc-4a6b-95a4-77d6a685407f",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-4(8)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1578",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/45b7b644-5f91-498e-9d89-7402532d3645",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-4(9)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1579",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4e54c7ef-7457-430b-9a3e-ef8881d4a8e0",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-4(10)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1580",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/854db8ac-6adf-42a0-bef3-b73f764f40b9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1581",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/742b549b-7a25-465f-b83c-ea1ffb4f4e0e",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1582",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cd9e2f38-259b-462c-bfad-0ad7ab4e65c5",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1583",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0882d488-8e80-4466-bc0f-0cd15b6cb66d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1584",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5864522b-ff1d-4979-a9f8-58bee1fb174c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1585",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d57f8732-5cdc-4cda-8d27-ab148e1f3a55",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-8"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1586",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6e3b2fbd-8f37-4766-a64d-3f37703dcb51",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1587",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/32820956-9c6d-4376-934c-05cd8525be7c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1588",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/68ebae26-e0e0-4ecb-8379-aabf633b51e9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-9"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1589",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86ec7f9b-9478-40ff-8cfd-6a0d510081a8",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-9(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1590",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bf296b8c-f391-4ea4-9198-be3c9d39dd1f",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-9(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1591",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f751cdb7-fbee-406b-969b-815d367cb9b3",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-9(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1592",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1d01ba6c-289f-42fd-a408-494b355b6222",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-9(4)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1593",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2cd0a426-b5f5-4fe0-9539-a6043cdbc6fa",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-9(5)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1594",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/042ba2a1-8bb8-45f4-b080-c78cf62b90e9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-10"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1595",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e0414e7-6ef5-4182-8076-aa82fbb53341",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-10"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1596",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/21e25e01-0ae0-41be-919e-04ce92b8e8b8",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-10"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1597",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/68b250ec-2e4f-4eee-898a-117a9fda7016",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-10"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1598",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae7e1f5e-2d63-4b38-91ef-bce14151cce3",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-10"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1599",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0004bbf0-5099-4179-869e-e9ffe5fb0945",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-10(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1600",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c53f3123-d233-44a7-930b-f40d3bfeb7d6",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-11"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1601",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0ee79a0c-addf-4ce9-9b3c-d9576ed5e20e",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-11"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1602",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ddae2e97-a449-499f-a1c8-aea4a7e52ec9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-11"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1603",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2b909c26-162f-47ce-8e15-0c1f55632eac",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-11"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1604",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/44dbba23-0b61-478e-89c7-b3084667782f",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-11"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1605",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0062eb8b-dc75-4718-8ea5-9bb4a9606655",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-11(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1606",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/baa8a9a4-5bbe-4c72-98f6-a3a47ae2b1ca",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-11(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1607",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/976a74cf-b192-4d35-8cab-2068f272addb",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-11(8)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1608",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b73b7b3b-677c-4a2a-b949-ad4dc4acd89f",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1609",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9e93fa71-42ac-41a7-b177-efbfdc53c69f",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-15"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1610",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b9f3fb54-4222-46a1-a308-4874061f8491",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-15"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1611",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fdda8a0c-ac32-43f6-b2f4-7dc1df03f43f",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-16"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1612",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a2037b3d-8b04-4171-8610-e6d4f1d08db5",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-17"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1613",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fe2ad78b-8748-4bff-a924-f74dfca93f30",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-17"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1614",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8154e3b3-cc52-40be-9407-7756581d71f6",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SA-17"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1615",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f35e02aa-0a55-49f8-8811-8abfa7e6f2c0",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1616",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2006457a-48b3-4f7b-8d2e-1532287f9929",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1617",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a631d8f5-eb81-4f9d-9ee1-74431371e4a3",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1618",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f52f89aa-4489-4ec4-950e-8c96a036baa9",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1619",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c722e569-cb52-45f3-a643-836547d016e1",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1620",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d17c826b-1dec-43e1-a984-7b71c446649c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1621",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3cb9f731-744a-4691-a481-ca77b0411538",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1622",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ecf56554-164d-499a-8d00-206b07c27bed",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1623",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/02ce1b22-412a-4528-8630-c42146f917ed",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1624",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/37d079e3-d6aa-4263-a069-dd7ac6dd9684",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1625",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b9b66a4d-70a1-4b47-8fa1-289cec68c605",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-7(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1626",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8f6bddd-6d67-439a-88d4-c5fe39a79341",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-7(4)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1627",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fd73310d-76fc-422d-bda4-3a077149f179",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-7(4)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1628",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/67de62b4-a737-4781-8861-3baed3c35069",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-7(4)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1629",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c171b095-7756-41de-8644-a062a96043f2",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-7(4)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1630",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3643717a-3897-4bfd-8530-c7c96b26b2a0",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-7(4)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1631",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/74ae9b8e-e7bb-4c9c-992f-c535282f7a2c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-7(5)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1632",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ce9073a-77fa-48f0-96b1-87aa8e6091c2",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-7(7)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1633",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/07557aa0-e02f-4460-9a81-8ecd2fed601a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-7(8)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1634",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/292a7c44-37fa-4c68-af7c-9d836955ded2",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-7(10)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1635",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/87551b5d-1deb-4d0f-86cc-9dc14cb4bf7e",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-7(12)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1636",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7b694eed-7081-43c6-867c-41c76c961043",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-7(13)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1637",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4075bedc-c62a-4635-bede-a01be89807f3",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-7(18)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1638",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/49b99653-32cd-405d-a135-e7d60a9aae1f",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-7(20)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1639",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/78e8e649-50f6-4fe3-99ac-fedc2e63b03f",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-7(21)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1640",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/05a289ce-6a20-4b75-a0f3-dc8601b6acd0",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1641",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d39d4f68-7346-4133-8841-15318a714a24",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1642",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/53397227-5ee3-4b23-9e5e-c8a767ce6928",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-10"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1643",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d8d492c-dd7a-46f7-a723-fa66a425b87c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1644",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a7211477-c970-446b-b4af-062f37461147",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1645",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/afbd0baf-ff1a-4447-a86f-088a97347c0c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1646",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/506814fa-b930-4b10-894e-a45b98c40e1a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-12(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1647",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/791cfc15-6974-42a0-9f4c-2d4b82f4a78c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-13"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1648",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3a9eb14b-495a-4ebb-933c-ce4ef5264e32",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-15"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1649",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/26d292cc-b0b8-4c29-9337-68abc758bf7b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-15"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1650",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/201d3740-bd16-4baf-b4b8-7cda352228b7",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-17"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1651",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6db63528-c9ba-491c-8a80-83e1e6977a50",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-18"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1652",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6998e84a-2d29-4e10-8962-76754d4f772d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-18"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1653",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6b1c00a7-7fd0-42b0-8c5b-c45f6fa1f71b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-18"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1654",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a2ee16e-ab1f-414a-800b-d1608835862b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-19"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1655",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/121eab72-390e-4629-a7e2-6d6184f57c6b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-19"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1656",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1cb067d5-c8b5-4113-a7ee-0a493633924b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-20"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1657",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/90f01329-a100-43c2-af31-098996135d2b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-20"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1658",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/063b540e-4bdc-4e7a-a569-3a42ddf22098",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-21"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1659",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/35a4102f-a778-4a2e-98c2-971056288df8",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-22"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1660",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/63096613-ce83-43e5-96f4-e588e8813554",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-23"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1661",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4c643c9a-1be7-4016-a5e7-e4bada052920",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-23(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1662",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/165cb91f-7ea8-4ab7-beaf-8636b98c9d15",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-24"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1663",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/60171210-6dde-40af-a144-bf2670518bfa",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1664",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a2cdf6b8-9505-4619-b579-309ba72037ac",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-28(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1665",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5df3a55c-8456-44d4-941e-175f79332512",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SC-39"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1666",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12e30ee3-61e6-4509-8302-a871e8ebb91e",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1667",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d61880dc-6e38-4f2a-a30c-3406a98f8220",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-1"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1668",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8fb0966e-be1d-42c3-baca-60df5c0bcc61",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1669",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/48f2f62b-5743-4415-a143-288adc0e078d",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1670",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c6108469-57ee-4666-af7e-79ba61c7ae0c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1671",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c5bbef7-a316-415b-9b38-29753ce8e698",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1672",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b45fe972-904e-45a4-ac20-673ba027a301",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1673",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/dff0b90d-5a6f-491c-b2f8-b90aa402d844",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1674",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/93e9e233-dd0a-4bde-aea5-1371bce0e002",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1675",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/facb66e0-1c48-478a-bed5-747a312323e1",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-2(3)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1676",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c10fb58b-56a8-489e-9ce3-7ffe24e78e4b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1677",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4a248e1e-040f-43e5-bff2-afc3a57a3923",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1678",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/dd533cb0-b416-4be7-8e86-4d154824dfd7",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1679",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2cf42a28-193e-41c5-98df-7688e7ef0a88",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-3"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1680",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/399cd6ee-0e18-41db-9dea-cde3bd712f38",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-3(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1681",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12623e7e-4736-4b2e-b776-c1600f35f93a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-3(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1682",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/62b638c5-29d7-404b-8d93-f21e4b1ce198",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-3(7)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1683",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8c79fee4-88dd-44ce-bbd4-4de88948c4f8",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1684",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/16bfdb59-db38-47a5-88a9-2e9371a638cf",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1685",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/36b0ef30-366f-4b1b-8652-a3511df11f53",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1686",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e17085c5-0be8-4423-b39b-a52d3d1402e5",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1687",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7a87fc7f-301e-49f3-ba2a-4d74f424fa97",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1688",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/063c3f09-e0f0-4587-8fd5-f4276fae675f",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1689",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/de901f2f-a01a-4456-97f0-33cda7966172",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-4"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1690",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a2567a23-d1c3-4783-99f3-d471302a4d6b",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-4(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1691",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/71475fb4-49bd-450b-a1a5-f63894c24725",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-4(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1692",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7ecda928-9df4-4dd7-8f44-641a91e470e8",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-4(4)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1693",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a450eba6-2efc-4a00-846a-5804a93c6b77",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-4(5)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1694",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/426c4ac9-ff17-49d0-acd7-a13c157081c0",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-4(11)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1695",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/13fcf812-ec82-4eda-9b89-498de9efd620",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-4(14)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1696",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/69d2a238-20ab-4206-a6dc-f302bf88b1b8",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-4(16)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1697",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9873db2-18ad-46b3-a11a-1a1f8cbf0335",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-4(18)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1698",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/31b752c1-05a9-432a-8fce-c39b56550119",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-4(19)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1699",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/69c7bee8-bc19-4129-a51e-65a7b39d3e7c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-4(20)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1700",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7831b4ba-c3f4-4cb1-8c11-ef8d59438cd5",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-4(22)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1701",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f25bc08f-27cb-43b6-9a23-014d00700426",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-4(23)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1702",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4dfc0855-92c4-4641-b155-a55ddd962362",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-4(24)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1703",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/804faf7d-b687-40f7-9f74-79e28adf4205",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1704",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2d44b6fa-1134-4ea6-ad4e-9edb68f65429",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1705",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f82e3639-fa2b-4e06-a786-932d8379b972",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1706",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f475ee0e-f560-4c9b-876b-04a77460a404",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-5"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1707",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fd4a2ac8-868a-4702-a345-6c896c3361ce",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-5(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1708",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7a1e2c88-13de-4959-8ee7-47e3d74f1f48",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1709",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/025992d6-7fee-4137-9bbf-2ffc39c0686c",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1710",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af2a93c8-e6dd-4c94-acdd-4a2eedfc478e",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1711",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b083a535-a66a-41ec-ba7f-f9498bf67cde",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-6"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1712",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/44e543aa-41db-42aa-98eb-8a5eb1db53f0",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-7"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1713",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0d87c70b-5012-48e9-994b-e70dd4b8def0",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-7(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1714",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e12494fa-b81e-4080-af71-7dbacc2da0ec",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-7(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1715",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/dd469ae0-71a8-4adc-aafc-de6949ca3339",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-7(5)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1716",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e54c325e-42a0-4dcf-b105-046e0f6f590f",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-7(7)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1717",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/967773fc-d9ab-4a4e-8ff6-f5e9e3f5dbef",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-7(14)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1718",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0dced7ab-9ce5-4137-93aa-14c13e06ab17",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-7(14)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1719",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c13da9b4-fe14-4fe2-853a-5997c9d4215a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-8"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1720",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/44b9a7cd-f36a-491a-a48b-6d04ae7c4221",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-8"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1721",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d207aaef-7c4d-4f8c-9dce-4d62dfa3d29a",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-8(1)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1722",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1da06bd-25b6-4127-a301-c313d6873fff",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-8(2)"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1723",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e91927a0-ac1d-44a0-95f8-5185f9dfce9f",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-10"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1724",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d07594d1-0307-4c08-94db-5d71ff31f0f6",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-11"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1725",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/afc234b5-456b-4aa5-b3e2-ce89108124cc",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-11"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1726",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/baff1279-05e0-4463-9a70-8ba5de4c7aa4",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-12"
        ]
      },
      {
        "policyDefinitionReferenceId": "ACF1727",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/697175a7-9715-4e89-b98b-c6f605888fa3",
        "parameters": {},
        "groupNames": [
          "NIST_SP_800-53_R4_SI-16"
        ]
      }
    ],
    "policyDefinitionGroups": [
      {
        "name": "NIST_SP_800-53_R4_AC-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-1"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-2"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-2(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-2(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-2(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-2(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-2(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-2(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-2(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-2(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-2(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-2(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-2(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-2(6)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-2(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-2(7)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-2(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-2(8)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-2(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-2(9)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-2(10)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-2(10)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-2(11)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-2(11)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-2(12)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-2(12)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-2(13)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-2(13)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-3"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-3(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-3(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-3(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-3(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-3(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-3(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-3(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-3(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-3(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-3(7)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-3(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-3(8)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-3(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-3(9)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-3(10)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-3(10)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-4"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-4(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-4(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-4(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-4(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-4(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-4(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-4(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-4(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-4(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-4(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-4(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-4(6)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-4(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-4(7)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-4(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-4(8)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-4(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-4(9)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-4(10)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-4(10)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-4(11)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-4(11)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-4(12)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-4(12)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-4(13)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-4(13)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-4(14)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-4(14)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-4(15)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-4(15)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-4(17)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-4(17)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-4(18)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-4(18)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-4(19)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-4(19)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-4(20)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-4(20)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-4(21)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-4(21)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-4(22)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-4(22)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-5"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-6"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-6(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-6(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-6(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-6(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-6(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-6(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-6(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-6(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-6(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-6(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-6(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-6(6)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-6(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-6(7)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-6(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-6(8)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-6(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-6(9)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-6(10)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-6(10)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-7"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-7(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-7(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-8"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-9"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-9(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-9(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-9(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-9(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-9(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-9(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-9(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-9(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-10"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-11"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-11(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-11(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-12"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-12(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-12(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-14",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-14"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-16",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-16"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-16(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-16(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-16(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-16(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-16(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-16(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-16(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-16(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-16(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-16(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-16(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-16(6)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-16(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-16(7)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-16(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-16(8)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-16(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-16(9)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-16(10)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-16(10)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-17",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-17"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-17(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-17(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-17(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-17(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-17(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-17(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-17(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-17(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-17(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-17(6)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-17(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-17(9)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-18",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-18"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-18(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-18(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-18(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-18(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-18(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-18(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-18(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-18(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-19",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-19"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-19(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-19(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-19(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-19(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-20",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-20"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-20(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-20(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-20(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-20(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-20(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-20(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-20(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-20(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-21",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-21"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-21(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-21(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-21(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-21(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-22",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-22"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-23",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-23"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-24",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-24"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-24(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-24(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-24(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-24(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_AC-25",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AC-25"
      },
      {
        "name": "NIST_SP_800-53_R4_AT-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AT-1"
      },
      {
        "name": "NIST_SP_800-53_R4_AT-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AT-2"
      },
      {
        "name": "NIST_SP_800-53_R4_AT-2(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AT-2(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AT-2(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AT-2(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_AT-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AT-3"
      },
      {
        "name": "NIST_SP_800-53_R4_AT-3(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AT-3(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AT-3(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AT-3(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_AT-3(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AT-3(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_AT-3(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AT-3(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_AT-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AT-4"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-1"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-2"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-2(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-2(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-3"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-3(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-3(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-3(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-3(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-4"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-4(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-4(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-5"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-5(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-5(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-5(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-5(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-5(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-5(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-5(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-5(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-6"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-6(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-6(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-6(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-6(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-6(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-6(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-6(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-6(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-6(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-6(6)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-6(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-6(7)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-6(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-6(8)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-6(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-6(9)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-6(10)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-6(10)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-7"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-7(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-7(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-7(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-7(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-8"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-8(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-8(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-8(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-8(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-9"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-9(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-9(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-9(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-9(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-9(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-9(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-9(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-9(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-9(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-9(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-9(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-9(6)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-10"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-10(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-10(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-10(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-10(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-10(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-10(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-10(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-10(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-11"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-11(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-11(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-12"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-12(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-12(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-12(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-12(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-12(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-12(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-13",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-13"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-13(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-13(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-13(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-13(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-14",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-14"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-14(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-14(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-14(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-14(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-14(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-14(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-15",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-15"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-16",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-16"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-16(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-16(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_AU-16(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_AU-16(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-1"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-2"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-2(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-2(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-2(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-2(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-2(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-2(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-3"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-3(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-3(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-3(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-3(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-3(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-3(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-3(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-3(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-3(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-3(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-5"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-5(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-5(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-6"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-7"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-7(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-7(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-7(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-7(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-8"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-8(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-8(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-8(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-8(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-9"
      },
      {
        "name": "NIST_SP_800-53_R4_CA-9(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CA-9(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-1"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-2"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-2(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-2(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-2(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-2(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-2(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-2(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-2(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-2(6)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-2(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-2(7)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-3"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-3(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-3(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-3(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-3(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-3(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-3(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-3(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-3(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-3(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-3(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-3(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-3(6)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-4"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-4(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-4(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-4(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-4(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-5"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-5(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-5(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-5(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-5(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-5(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-5(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-5(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-5(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-5(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-5(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-5(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-5(6)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-6"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-6(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-6(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-6(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-6(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-7"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-7(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-7(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-7(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-7(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-7(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-7(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-7(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-7(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-7(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-7(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-8"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-8(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-8(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-8(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-8(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-8(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-8(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-8(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-8(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-8(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-8(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-8(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-8(6)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-8(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-8(7)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-8(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-8(8)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-8(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-8(9)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-9"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-9(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-9(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-10"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-10(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-10(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-11"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-11(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-11(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CM-11(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CM-11(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-1"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-2"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-2(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-2(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-2(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-2(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-2(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-2(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-2(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-2(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-2(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-2(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-2(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-2(6)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-2(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-2(7)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-2(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-2(8)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-3"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-3(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-3(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-3(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-3(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-4"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-4(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-4(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-4(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-4(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-4(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-4(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-4(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-4(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-6"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-6(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-6(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-6(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-6(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-6(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-6(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-7"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-7(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-7(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-7(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-7(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-7(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-7(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-7(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-7(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-7(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-7(6)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-8"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-8(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-8(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-8(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-8(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-8(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-8(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-8(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-8(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-8(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-8(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-9"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-9(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-9(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-9(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-9(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-9(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-9(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-9(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-9(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-9(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-9(6)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-9(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-9(7)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-10"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-10(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-10(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-10(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-10(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-10(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-10(6)"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-11"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-12"
      },
      {
        "name": "NIST_SP_800-53_R4_CP-13",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_CP-13"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-1"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-2"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-2(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-2(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-2(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-2(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-2(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-2(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-2(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-2(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-2(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-2(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-2(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-2(6)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-2(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-2(7)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-2(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-2(8)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-2(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-2(9)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-2(10)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-2(10)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-2(11)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-2(11)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-2(12)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-2(12)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-2(13)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-2(13)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-3"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-3(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-3(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-3(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-3(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-3(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-3(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-4"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-4(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-4(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-4(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-4(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-4(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-4(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-4(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-4(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-4(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-4(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-4(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-4(6)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-4(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-4(7)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-5"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-5(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-5(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-5(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-5(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-5(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-5(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-5(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-5(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-5(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-5(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-5(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-5(6)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-5(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-5(7)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-5(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-5(8)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-5(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-5(9)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-5(10)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-5(10)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-5(11)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-5(11)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-5(12)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-5(12)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-5(13)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-5(13)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-5(14)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-5(14)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-5(15)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-5(15)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-6"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-7"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-8"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-8(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-8(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-8(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-8(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-8(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-8(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-8(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-8(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-8(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-8(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-9"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-9(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-9(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-9(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-9(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-10"
      },
      {
        "name": "NIST_SP_800-53_R4_IA-11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IA-11"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-1"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-2"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-2(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-2(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-2(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-2(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-3"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-3(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-3(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-3(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-3(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-4"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-4(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-4(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-4(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-4(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-4(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-4(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-4(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-4(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-4(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-4(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-4(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-4(6)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-4(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-4(7)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-4(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-4(8)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-4(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-4(9)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-4(10)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-4(10)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-5"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-5(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-5(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-6"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-6(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-6(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-6(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-6(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-6(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-6(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-7"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-7(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-7(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-7(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-7(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-8"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-9"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-9(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-9(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-9(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-9(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-9(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-9(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-9(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-9(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_IR-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_IR-10"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-1"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-2"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-2(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-2(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-3"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-3(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-3(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-3(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-3(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-3(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-3(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-3(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-3(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-4"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-4(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-4(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-4(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-4(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-4(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-4(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-4(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-4(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-4(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-4(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-4(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-4(6)"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-4(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-4(7)"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-5"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-5(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-5(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-5(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-5(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-5(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-5(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-5(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-5(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-5(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-5(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-6"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-6(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-6(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-6(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-6(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_MA-6(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MA-6(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_MP-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MP-1"
      },
      {
        "name": "NIST_SP_800-53_R4_MP-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MP-2"
      },
      {
        "name": "NIST_SP_800-53_R4_MP-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MP-3"
      },
      {
        "name": "NIST_SP_800-53_R4_MP-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MP-4"
      },
      {
        "name": "NIST_SP_800-53_R4_MP-4(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MP-4(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_MP-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MP-5"
      },
      {
        "name": "NIST_SP_800-53_R4_MP-5(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MP-5(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_MP-5(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MP-5(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_MP-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MP-6"
      },
      {
        "name": "NIST_SP_800-53_R4_MP-6(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MP-6(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_MP-6(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MP-6(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_MP-6(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MP-6(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_MP-6(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MP-6(7)"
      },
      {
        "name": "NIST_SP_800-53_R4_MP-6(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MP-6(8)"
      },
      {
        "name": "NIST_SP_800-53_R4_MP-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MP-7"
      },
      {
        "name": "NIST_SP_800-53_R4_MP-7(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MP-7(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_MP-7(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MP-7(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_MP-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MP-8"
      },
      {
        "name": "NIST_SP_800-53_R4_MP-8(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MP-8(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_MP-8(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MP-8(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_MP-8(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MP-8(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_MP-8(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_MP-8(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-1"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-2"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-2(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-2(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-2(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-2(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-2(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-2(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-3"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-3(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-3(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-3(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-3(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-3(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-3(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-3(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-3(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-3(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-3(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-3(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-3(6)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-4"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-5"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-5(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-5(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-5(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-5(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-5(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-5(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-6"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-6(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-6(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-6(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-6(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-6(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-6(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-6(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-6(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-8"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-8(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-8(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-9"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-9(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-9(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-9(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-9(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-10"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-11"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-11(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-11(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-11(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-11(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-12"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-12(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-12(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-13",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-13"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-13(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-13(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-13(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-13(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-13(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-13(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-13(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-13(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-14",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-14"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-14(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-14(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-14(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-14(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-15",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-15"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-15(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-15(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-16",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-16"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-17",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-17"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-18",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-18"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-18(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-18(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-19",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-19"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-19(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-19(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_PE-20",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PE-20"
      },
      {
        "name": "NIST_SP_800-53_R4_PL-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PL-1"
      },
      {
        "name": "NIST_SP_800-53_R4_PL-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PL-2"
      },
      {
        "name": "NIST_SP_800-53_R4_PL-2(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PL-2(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_PL-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PL-4"
      },
      {
        "name": "NIST_SP_800-53_R4_PL-4(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PL-4(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_PL-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PL-7"
      },
      {
        "name": "NIST_SP_800-53_R4_PL-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PL-8"
      },
      {
        "name": "NIST_SP_800-53_R4_PL-8(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PL-8(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_PL-8(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PL-8(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_PL-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PL-9"
      },
      {
        "name": "NIST_SP_800-53_R4_PS-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PS-1"
      },
      {
        "name": "NIST_SP_800-53_R4_PS-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PS-2"
      },
      {
        "name": "NIST_SP_800-53_R4_PS-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PS-3"
      },
      {
        "name": "NIST_SP_800-53_R4_PS-3(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PS-3(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_PS-3(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PS-3(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_PS-3(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PS-3(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_PS-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PS-4"
      },
      {
        "name": "NIST_SP_800-53_R4_PS-4(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PS-4(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_PS-4(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PS-4(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_PS-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PS-5"
      },
      {
        "name": "NIST_SP_800-53_R4_PS-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PS-6"
      },
      {
        "name": "NIST_SP_800-53_R4_PS-6(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PS-6(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_PS-6(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PS-6(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_PS-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PS-7"
      },
      {
        "name": "NIST_SP_800-53_R4_PS-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PS-8"
      },
      {
        "name": "NIST_SP_800-53_R4_RA-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_RA-1"
      },
      {
        "name": "NIST_SP_800-53_R4_RA-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_RA-2"
      },
      {
        "name": "NIST_SP_800-53_R4_RA-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_RA-3"
      },
      {
        "name": "NIST_SP_800-53_R4_RA-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_RA-5"
      },
      {
        "name": "NIST_SP_800-53_R4_RA-5(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_RA-5(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_RA-5(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_RA-5(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_RA-5(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_RA-5(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_RA-5(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_RA-5(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_RA-5(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_RA-5(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_RA-5(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_RA-5(6)"
      },
      {
        "name": "NIST_SP_800-53_R4_RA-5(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_RA-5(8)"
      },
      {
        "name": "NIST_SP_800-53_R4_RA-5(10)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_RA-5(10)"
      },
      {
        "name": "NIST_SP_800-53_R4_RA-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_RA-6"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-1"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-2"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-3"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-4"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-4(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-4(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-4(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-4(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-4(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-4(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-4(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-4(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-4(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-4(6)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-4(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-4(7)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-4(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-4(8)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-4(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-4(9)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-4(10)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-4(10)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-5"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-8"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-9"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-9(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-9(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-9(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-9(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-9(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-9(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-9(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-9(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-9(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-9(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-10"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-10(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-10(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-10(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-10(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-10(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-10(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-10(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-10(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-10(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-10(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-10(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-10(6)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-11"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-11(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-11(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-11(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-11(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-11(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-11(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-11(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-11(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-11(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-11(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-11(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-11(6)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-11(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-11(7)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-11(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-11(8)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-12"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-12(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-12(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-12(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-12(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-12(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-12(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-12(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-12(7)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-12(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-12(8)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-12(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-12(9)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-12(10)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-12(10)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-12(11)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-12(11)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-12(12)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-12(12)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-12(13)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-12(13)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-12(14)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-12(14)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-12(15)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-12(15)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-13",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-13"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-14",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-14"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-15",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-15"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-15(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-15(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-15(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-15(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-15(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-15(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-15(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-15(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-15(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-15(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-15(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-15(6)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-15(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-15(7)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-15(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-15(8)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-15(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-15(9)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-15(10)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-15(10)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-15(11)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-15(11)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-16",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-16"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-17",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-17"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-17(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-17(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-17(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-17(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-17(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-17(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-17(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-17(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-17(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-17(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-17(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-17(6)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-17(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-17(7)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-18",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-18"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-18(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-18(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-18(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-18(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-19",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-19"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-19(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-19(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-19(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-19(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-19(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-19(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-19(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-19(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-20",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-20"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-21",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-21"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-21(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-21(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-22",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-22"
      },
      {
        "name": "NIST_SP_800-53_R4_SA-22(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SA-22(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-1"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-2"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-2(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-2(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-3"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-3(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-3(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-3(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-3(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-3(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-3(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-3(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-3(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-3(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-3(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-4"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-4(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-4(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-5"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-5(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-5(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-5(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-5(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-5(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-5(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-6"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-7"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-7(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-7(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-7(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-7(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-7(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-7(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-7(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-7(7)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-7(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-7(8)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-7(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-7(9)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-7(10)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-7(10)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-7(11)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-7(11)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-7(12)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-7(12)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-7(13)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-7(13)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-7(14)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-7(14)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-7(15)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-7(15)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-7(16)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-7(16)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-7(17)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-7(17)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-7(18)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-7(18)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-7(19)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-7(19)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-7(20)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-7(20)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-7(21)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-7(21)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-7(22)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-7(22)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-7(23)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-7(23)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-8"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-8(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-8(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-8(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-8(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-8(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-8(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-8(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-8(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-10"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-11"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-11(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-11(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-12"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-12(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-12(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-12(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-12(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-12(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-12(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-13",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-13"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-15",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-15"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-15(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-15(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-15(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-15(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-15(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-15(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-16",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-16"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-16(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-16(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-17",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-17"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-18",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-18"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-18(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-18(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-18(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-18(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-18(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-18(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-18(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-18(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-18(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-18(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-19",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-19"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-20",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-20"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-20(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-20(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-21",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-21"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-22",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-22"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-23",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-23"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-23(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-23(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-23(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-23(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-23(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-23(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-24",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-24"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-25",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-25"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-26",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-26"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-27",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-27"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-28",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-28"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-28(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-28(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-28(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-28(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-29",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-29"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-29(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-29(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-30",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-30"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-30(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-30(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-30(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-30(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-30(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-30(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-30(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-30(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-31",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-31"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-31(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-31(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-31(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-31(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-31(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-31(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-32",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-32"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-34",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-34"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-34(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-34(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-34(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-34(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-34(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-34(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-35",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-35"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-36",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-36"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-36(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-36(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-37",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-37"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-37(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-37(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-38",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-38"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-39",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-39"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-39(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-39(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-39(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-39(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-40",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-40"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-40(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-40(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-40(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-40(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-40(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-40(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-40(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-40(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-41",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-41"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-42",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-42"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-42(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-42(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-42(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-42(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-42(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-42(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-43",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-43"
      },
      {
        "name": "NIST_SP_800-53_R4_SC-44",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SC-44"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-1"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-2"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-2(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-2(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-2(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-2(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-2(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-2(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-2(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-2(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-2(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-2(6)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-3"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-3(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-3(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-3(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-3(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-3(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-3(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-3(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-3(6)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-3(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-3(7)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-3(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-3(8)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-3(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-3(9)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-3(10)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-3(10)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-4"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-4(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-4(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-4(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-4(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-4(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-4(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-4(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-4(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-4(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-4(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-4(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-4(7)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-4(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-4(9)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-4(10)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-4(10)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-4(11)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-4(11)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-4(12)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-4(12)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-4(13)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-4(13)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-4(14)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-4(14)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-4(15)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-4(15)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-4(16)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-4(16)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-4(17)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-4(17)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-4(18)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-4(18)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-4(19)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-4(19)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-4(20)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-4(20)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-4(21)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-4(21)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-4(22)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-4(22)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-4(23)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-4(23)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-4(24)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-4(24)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-5"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-5(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-5(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-6"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-6(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-6(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-6(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-6(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-7"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-7(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-7(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-7(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-7(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-7(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-7(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-7(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-7(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-7(6)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-7(6)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-7(7)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-7(7)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-7(8)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-7(8)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-7(9)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-7(9)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-7(10)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-7(10)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-7(11)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-7(11)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-7(12)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-7(12)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-7(13)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-7(13)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-7(14)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-7(14)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-7(15)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-7(15)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-7(16)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-7(16)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-8"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-8(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-8(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-8(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-8(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-8(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-8(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-10"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-10(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-10(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-10(2)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-10(2)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-10(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-10(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-10(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-10(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-10(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-10(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-11"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-12"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-13",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-13"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-13(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-13(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-13(3)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-13(3)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-13(4)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-13(4)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-13(5)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-13(5)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-14",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-14"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-14(1)",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-14(1)"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-15",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-15"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-16",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-16"
      },
      {
        "name": "NIST_SP_800-53_R4_SI-17",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_SI-17"
      },
      {
        "name": "NIST_SP_800-53_R4_PM-1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PM-1"
      },
      {
        "name": "NIST_SP_800-53_R4_PM-2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PM-2"
      },
      {
        "name": "NIST_SP_800-53_R4_PM-3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PM-3"
      },
      {
        "name": "NIST_SP_800-53_R4_PM-4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PM-4"
      },
      {
        "name": "NIST_SP_800-53_R4_PM-5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PM-5"
      },
      {
        "name": "NIST_SP_800-53_R4_PM-6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PM-6"
      },
      {
        "name": "NIST_SP_800-53_R4_PM-7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PM-7"
      },
      {
        "name": "NIST_SP_800-53_R4_PM-8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PM-8"
      },
      {
        "name": "NIST_SP_800-53_R4_PM-9",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PM-9"
      },
      {
        "name": "NIST_SP_800-53_R4_PM-10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PM-10"
      },
      {
        "name": "NIST_SP_800-53_R4_PM-11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PM-11"
      },
      {
        "name": "NIST_SP_800-53_R4_PM-12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PM-12"
      },
      {
        "name": "NIST_SP_800-53_R4_PM-13",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PM-13"
      },
      {
        "name": "NIST_SP_800-53_R4_PM-14",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PM-14"
      },
      {
        "name": "NIST_SP_800-53_R4_PM-15",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PM-15"
      },
      {
        "name": "NIST_SP_800-53_R4_PM-16",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NIST_SP_800-53_R4_PM-16"
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f"
}
BuiltIn Regulatory Compliance False False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "PCI v3.2.1:2018",
    "policyType": "BuiltIn",
    "description": "This initiative includes audit and virtual machine extension deployment policies that address a subset of PCI v3.2.1:2018 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/pciv321-init.",
    "metadata": {
      "version": "3.0.2",
      "category": "Regulatory Compliance"
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers for Guest Configuration policies",
          "description": "Optionally choose to audit settings inside Arc connected servers using Guest Configuration policies. By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "listOfResourceTypesWithDiagnosticLogsEnabled": {
        "type": "Array",
        "metadata": {
          "displayName": "List of resource types that should have resource logs enabled"
        },
        "allowedValues": [
          "Microsoft.AnalysisServices/servers",
          "Microsoft.ApiManagement/service",
          "Microsoft.Network/applicationGateways",
          "Microsoft.Automation/automationAccounts",
          "Microsoft.ContainerInstance/containerGroups",
          "Microsoft.ContainerRegistry/registries",
          "Microsoft.ContainerService/managedClusters",
          "Microsoft.Batch/batchAccounts",
          "Microsoft.Cdn/profiles/endpoints",
          "Microsoft.CognitiveServices/accounts",
          "Microsoft.DocumentDB/databaseAccounts",
          "Microsoft.DataFactory/factories",
          "Microsoft.DataLakeAnalytics/accounts",
          "Microsoft.DataLakeStore/accounts",
          "Microsoft.EventGrid/eventSubscriptions",
          "Microsoft.EventGrid/topics",
          "Microsoft.EventHub/namespaces",
          "Microsoft.Network/expressRouteCircuits",
          "Microsoft.Network/azureFirewalls",
          "Microsoft.HDInsight/clusters",
          "Microsoft.Devices/IotHubs",
          "Microsoft.KeyVault/vaults",
          "Microsoft.Network/loadBalancers",
          "Microsoft.Logic/integrationAccounts",
          "Microsoft.Logic/workflows",
          "Microsoft.DBforMySQL/servers",
          "Microsoft.Network/networkInterfaces",
          "Microsoft.Network/networkSecurityGroups",
          "Microsoft.DBforPostgreSQL/servers",
          "Microsoft.PowerBIDedicated/capacities",
          "Microsoft.Network/publicIPAddresses",
          "Microsoft.RecoveryServices/vaults",
          "Microsoft.Cache/redis",
          "Microsoft.Relay/namespaces",
          "Microsoft.Search/searchServices",
          "Microsoft.ServiceBus/namespaces",
          "Microsoft.SignalRService/SignalR",
          "Microsoft.Sql/servers/databases",
          "Microsoft.Sql/servers/elasticPools",
          "Microsoft.StreamAnalytics/streamingjobs",
          "Microsoft.TimeSeriesInsights/environments",
          "Microsoft.Network/trafficManagerProfiles",
          "Microsoft.Compute/virtualMachines",
          "Microsoft.Compute/virtualMachineScaleSets",
          "Microsoft.Network/virtualNetworks",
          "Microsoft.Network/virtualNetworkGateways"
        ],
        "defaultValue": [
          "Microsoft.AnalysisServices/servers",
          "Microsoft.ApiManagement/service",
          "Microsoft.Network/applicationGateways",
          "Microsoft.Automation/automationAccounts",
          "Microsoft.ContainerInstance/containerGroups",
          "Microsoft.ContainerRegistry/registries",
          "Microsoft.ContainerService/managedClusters",
          "Microsoft.Batch/batchAccounts",
          "Microsoft.Cdn/profiles/endpoints",
          "Microsoft.CognitiveServices/accounts",
          "Microsoft.DocumentDB/databaseAccounts",
          "Microsoft.DataFactory/factories",
          "Microsoft.DataLakeAnalytics/accounts",
          "Microsoft.DataLakeStore/accounts",
          "Microsoft.EventGrid/eventSubscriptions",
          "Microsoft.EventGrid/topics",
          "Microsoft.EventHub/namespaces",
          "Microsoft.Network/expressRouteCircuits",
          "Microsoft.Network/azureFirewalls",
          "Microsoft.HDInsight/clusters",
          "Microsoft.Devices/IotHubs",
          "Microsoft.KeyVault/vaults",
          "Microsoft.Network/loadBalancers",
          "Microsoft.Logic/integrationAccounts",
          "Microsoft.Logic/workflows",
          "Microsoft.DBforMySQL/servers",
          "Microsoft.Network/networkInterfaces",
          "Microsoft.Network/networkSecurityGroups",
          "Microsoft.DBforPostgreSQL/servers",
          "Microsoft.PowerBIDedicated/capacities",
          "Microsoft.Network/publicIPAddresses",
          "Microsoft.RecoveryServices/vaults",
          "Microsoft.Cache/redis",
          "Microsoft.Relay/namespaces",
          "Microsoft.Search/searchServices",
          "Microsoft.ServiceBus/namespaces",
          "Microsoft.SignalRService/SignalR",
          "Microsoft.Sql/servers/databases",
          "Microsoft.Sql/servers/elasticPools",
          "Microsoft.StreamAnalytics/streamingjobs",
          "Microsoft.TimeSeriesInsights/environments",
          "Microsoft.Network/trafficManagerProfiles",
          "Microsoft.Compute/virtualMachines",
          "Microsoft.Compute/virtualMachineScaleSets",
          "Microsoft.Network/virtualNetworks",
          "Microsoft.Network/virtualNetworkGateways"
        ]
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "previewAuditAccountsWithOwnerPermissionsWhoAreNotMfaEnabledOnASubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "previewAuditAccountsWithWritePermissionsWhoAreNotMfaEnabledOnASubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "previewAuditDeprecatedAccountsOnASubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "previewAuditDeprecatedAccountsWithOwnerPermissionsOnASubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "previewAuditExternalAccountsWithOwnerPermissionsOnASubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "previewAuditExternalAccountsWithReadPermissionsOnASubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "previewAuditExternalAccountsWithWritePermissionsOnASubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_AddSystemIdentityWhenNone",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_AddSystemIdentityWhenUser",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_DeployExtensionWindows",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "previewAuditWindowsVmMaximumPasswordAge70Days",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ceb8dc2-559c-478b-a15b-733fbf1e3738",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "previewAuditWindowsVmPasswordsMustBeAtLeast14Characters",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a2d0e922-65d0-40c4-8f87-ea6da2d307a2",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "previewAuditWindowsVmShouldNotAllowPrevious24Passwords",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b054a0d-39e2-4d53-bea3-9734cad2c69b",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "previewAuditHttpsOnlyAccessForAnApiApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "previewAuditHttpsOnlyAccessForAFunctionApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "previewAuditHttpsOnlyAccessForAWebApplication",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "previewAuditMaximumNumberOfOwnersForASubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "previewAuditMinimumNumberOfOwnersForSubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "previewMonitorMissingEndpointProtectionInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "previewMonitorMissingSystemUpdatesInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "previewMonitorOSVulnerabilitiesInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "previewMonitorSQLVulnerabilityAssessmentResultsInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "previewMonitorUnauditedSQLDatabaseInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "previewMonitorUnencryptedSQLDatabaseInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "previewMonitorUnencryptedVmDisksInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "accessThroughInternetFacingEndpointShouldBeRestricted",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "previewMonitorVmVulnerabilitiesInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "auditDiagnosticSetting",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9",
        "parameters": {
          "listOfResourceTypes": {
            "value": "[parameters('listOfResourceTypesWithDiagnosticLogsEnabled')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "auditEnablementOfEncryptionOfAutomationAccountVariables",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "auditEnablingOfOnlySecureConnectionsToYourRedisCache",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "auditProvisioningOfAnAzureActiveDirectoryAdministratorForSQLServer",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "auditSecureTransferToStorageAccounts",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "auditSQLServerLevelAuditingSettings",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "auditTheSettingOfClusterprotectionlevelPropertyToEncryptandsignInServiceFabric",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "auditUseOfClassicStorageAccounts",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "auditUseOfClassicVirtualMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "auditTransparentDataEncryptionStatus",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "auditUnrestrictedNetworkAccessToStorageAccounts",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c",
        "parameters": {}
      },
      {
        "policyDefinitionReferenceId": "auditUsageOfCustomRBACRules",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5",
        "parameters": {}
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "496eeda9-8f2f-4d5e-8dfd-204f0a92ed41"
}
BuiltIn Regulatory Compliance False False n/a n/a false 0 n/a
{
  "properties": {
    "displayName": "Public network access should be disabled for PAAS services",
    "policyType": "Custom",
    "description": "This policy denies creation of Azure PAAS services with exposed public endpoints.  This policy set includes the policy for the following services KeyVault, Storage accounts, AKS, Cosmos, SQL Servers, MariaDB, MySQL and Postgress. ",
    "metadata": {
      "version": "1.0.0",
      "category": "Network",
      "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
      "createdOn": "2021-01-10T20:57:40.4965118Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "CosmosPublicIpDenyEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Public network access should be disabled for CosmosDB",
          "description": "This policy denies that  Cosmos database accounts  are created with out public network access is disabled."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Deny"
      },
      "MariaDBPublicIpDenyEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Public network access should be disabled for MariaDB",
          "description": "This policy denies the creation of Maria DB accounts with exposed public endpoints"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Deny"
      },
      "MySQLPublicIpDenyEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Public network access should be disabled for MySQL",
          "description": "This policy denies creation of MySql DB accounts with exposed public endpoints"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Deny"
      },
      "PostgreSQLPublicIpDenyEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Public network access should be disabled for PostgreSql",
          "description": "This policy denies creation of Postgre SQL DB accounts with exposed public endpoints"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Deny"
      },
      "KeyVaultPublicIpDenyEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Public network access should be disabled for KeyVault",
          "description": "This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Deny"
      },
      "SqlServerPublicIpDenyEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Public network access on Azure SQL Database should be disabled",
          "description": "This policy denies creation of Sql servers with exposed public endpoints"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Deny"
      },
      "StoragePublicIpDenyEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Public network access onStorage accounts should be disabled",
          "description": "This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Deny"
      },
      "AKSPublicIpDenyEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Public network access on AKS API should be disabled",
          "description": "This policy denies  the creation of  Azure Kubernetes Service non-private clusters"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Deny"
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "CosmosDenyPaasPublicIP",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-CosmosDB",
        "parameters": {
          "effect": {
            "value": "[parameters('CosmosPublicIpDenyEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "MariaDBDenyPaasPublicIP",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB",
        "parameters": {
          "effect": {
            "value": "[parameters('MariaDBPublicIpDenyEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "MySQLDenyPaasPublicIP",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MySQL",
        "parameters": {
          "effect": {
            "value": "[parameters('MySQLPublicIpDenyEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "PostgreSQLDenyPaasPublicIP",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-PostgreSql",
        "parameters": {
          "effect": {
            "value": "[parameters('PostgreSQLPublicIpDenyEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "KeyVaultDenyPaasPublicIP",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-KeyVault",
        "parameters": {
          "effect": {
            "value": "[parameters('KeyVaultPublicIpDenyEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "SqlServerDenyPaasPublicIP",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-Sql",
        "parameters": {
          "effect": {
            "value": "[parameters('SqlServerPublicIpDenyEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "StorageDenyPaasPublicIP",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-Storage",
        "parameters": {
          "effect": {
            "value": "[parameters('StoragePublicIpDenyEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AKSDenyPaasPublicIP",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-Aks",
        "parameters": {
          "effect": {
            "value": "[parameters('AKSPublicIpDenyEffect')]"
          }
        }
      }
    ]
  },
  "id": "/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicEndpoints",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "Deny-PublicEndpoints"
}
Custom Network False False Mg ESJH (ESJH) false 0 n/a
{
  "properties": {
    "displayName": "UK OFFICIAL and UK NHS",
    "policyType": "BuiltIn",
    "description": "This initiative includes audit and virtual machine extension deployment policies that address a subset of UK OFFICIAL and UK NHS controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/ukofficial-blueprint and https://aka.ms/uknhs-blueprint.",
    "metadata": {
      "version": "6.0.0",
      "category": "Regulatory Compliance"
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers for Guest Configuration policies",
          "description": "Optionally choose to audit settings inside Arc connected servers using Guest Configuration policies. By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "listOfResourceTypesWithDiagnosticLogsEnabled": {
        "type": "Array",
        "metadata": {
          "displayName": "List of resource types that should have resource logs enabled"
        },
        "allowedValues": [
          "Microsoft.AnalysisServices/servers",
          "Microsoft.ApiManagement/service",
          "Microsoft.Network/applicationGateways",
          "Microsoft.Automation/automationAccounts",
          "Microsoft.ContainerInstance/containerGroups",
          "Microsoft.ContainerRegistry/registries",
          "Microsoft.ContainerService/managedClusters",
          "Microsoft.Batch/batchAccounts",
          "Microsoft.Cdn/profiles/endpoints",
          "Microsoft.CognitiveServices/accounts",
          "Microsoft.DocumentDB/databaseAccounts",
          "Microsoft.DataFactory/factories",
          "Microsoft.DataLakeAnalytics/accounts",
          "Microsoft.DataLakeStore/accounts",
          "Microsoft.EventGrid/eventSubscriptions",
          "Microsoft.EventGrid/topics",
          "Microsoft.EventHub/namespaces",
          "Microsoft.Network/expressRouteCircuits",
          "Microsoft.Network/azureFirewalls",
          "Microsoft.HDInsight/clusters",
          "Microsoft.Devices/IotHubs",
          "Microsoft.KeyVault/vaults",
          "Microsoft.Network/loadBalancers",
          "Microsoft.Logic/integrationAccounts",
          "Microsoft.Logic/workflows",
          "Microsoft.DBforMySQL/servers",
          "Microsoft.Network/networkInterfaces",
          "Microsoft.Network/networkSecurityGroups",
          "Microsoft.DBforPostgreSQL/servers",
          "Microsoft.PowerBIDedicated/capacities",
          "Microsoft.Network/publicIPAddresses",
          "Microsoft.RecoveryServices/vaults",
          "Microsoft.Cache/redis",
          "Microsoft.Relay/namespaces",
          "Microsoft.Search/searchServices",
          "Microsoft.ServiceBus/namespaces",
          "Microsoft.SignalRService/SignalR",
          "Microsoft.Sql/servers/databases",
          "Microsoft.Sql/servers/elasticPools",
          "Microsoft.StreamAnalytics/streamingjobs",
          "Microsoft.TimeSeriesInsights/environments",
          "Microsoft.Network/trafficManagerProfiles",
          "Microsoft.Compute/virtualMachines",
          "Microsoft.Compute/virtualMachineScaleSets",
          "Microsoft.Network/virtualNetworks",
          "Microsoft.Network/virtualNetworkGateways"
        ],
        "defaultValue": [
          "Microsoft.AnalysisServices/servers",
          "Microsoft.ApiManagement/service",
          "Microsoft.Network/applicationGateways",
          "Microsoft.Automation/automationAccounts",
          "Microsoft.ContainerInstance/containerGroups",
          "Microsoft.ContainerRegistry/registries",
          "Microsoft.ContainerService/managedClusters",
          "Microsoft.Batch/batchAccounts",
          "Microsoft.Cdn/profiles/endpoints",
          "Microsoft.CognitiveServices/accounts",
          "Microsoft.DocumentDB/databaseAccounts",
          "Microsoft.DataFactory/factories",
          "Microsoft.DataLakeAnalytics/accounts",
          "Microsoft.DataLakeStore/accounts",
          "Microsoft.EventGrid/eventSubscriptions",
          "Microsoft.EventGrid/topics",
          "Microsoft.EventHub/namespaces",
          "Microsoft.Network/expressRouteCircuits",
          "Microsoft.Network/azureFirewalls",
          "Microsoft.HDInsight/clusters",
          "Microsoft.Devices/IotHubs",
          "Microsoft.KeyVault/vaults",
          "Microsoft.Network/loadBalancers",
          "Microsoft.Logic/integrationAccounts",
          "Microsoft.Logic/workflows",
          "Microsoft.DBforMySQL/servers",
          "Microsoft.Network/networkInterfaces",
          "Microsoft.Network/networkSecurityGroups",
          "Microsoft.DBforPostgreSQL/servers",
          "Microsoft.PowerBIDedicated/capacities",
          "Microsoft.Network/publicIPAddresses",
          "Microsoft.RecoveryServices/vaults",
          "Microsoft.Cache/redis",
          "Microsoft.Relay/namespaces",
          "Microsoft.Search/searchServices",
          "Microsoft.ServiceBus/namespaces",
          "Microsoft.SignalRService/SignalR",
          "Microsoft.Sql/servers/databases",
          "Microsoft.Sql/servers/elasticPools",
          "Microsoft.StreamAnalytics/streamingjobs",
          "Microsoft.TimeSeriesInsights/environments",
          "Microsoft.Network/trafficManagerProfiles",
          "Microsoft.Compute/virtualMachines",
          "Microsoft.Compute/virtualMachineScaleSets",
          "Microsoft.Network/virtualNetworks",
          "Microsoft.Network/virtualNetworkGateways"
        ]
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "PreviewAuditAccountsWithOwnerPermissionsWhoAreNotMfaEnabledOnASubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_9.1",
          "UK_NCSC_CSP_10"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditAccountsWithReadPermissionsWhoAreNotMfaEnabledOnASubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_9.1",
          "UK_NCSC_CSP_10"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditAccountsWithWritePermissionsWhoAreNotMfaEnabledOnASubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_9.1",
          "UK_NCSC_CSP_10"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditDeprecatedAccountsOnASubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_10"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditDeprecatedAccountsWithOwnerPermissionsOnASubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_10"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditExternalAccountsWithOwnerPermissionsOnASubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_9.1",
          "UK_NCSC_CSP_10"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditExternalAccountsWithWritePermissionsOnASubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_9.1",
          "UK_NCSC_CSP_10"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditExternalAccountsWithReadPermissionsOnASubscription",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_9.1",
          "UK_NCSC_CSP_10"
        ]
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_AddSystemIdentityWhenNone",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_10"
        ]
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_AddSystemIdentityWhenUser",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_10"
        ]
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_DeployExtensionWindows",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_10"
        ]
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_DeployExtensionLinux",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_10"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditLinuxVmAccountsWithNoPasswords",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f6ec09a3-78bf-4f8f-99dc-6c77182d0f99",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_10"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ea53dbee-c6c9-4f0e-9f9e-de0039b78023",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_10"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditWindowsVmEnforcesPasswordComplexityRequirements",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bf16e0bb-31e1-4646-8202-60a235cc7e74",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "UK_NCSC_CSP_10"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditWindowsVmMaximumPasswordAge70Days",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ceb8dc2-559c-478b-a15b-733fbf1e3738",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "UK_NCSC_CSP_10"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditWindowsVmMinimumPasswordAge1Day",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/237b38db-ca4d-4259-9e47-7882441ca2c0",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "UK_NCSC_CSP_10"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditWindowsVmPasswordsMustBeAtLeast14Characters",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a2d0e922-65d0-40c4-8f87-ea6da2d307a2",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "UK_NCSC_CSP_10"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditWindowsVmShouldNotAllowPrevious24Passwords",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b054a0d-39e2-4d53-bea3-9734cad2c69b",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "UK_NCSC_CSP_10"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditLinuxVmEtcPasswdFilePermissionsAreSetTo0644",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e6955644-301c-44b5-a4c4-528577de6861",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "UK_NCSC_CSP_10"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewMonitorMissingEndpointProtectionInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_5.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewMonitorMissingSystemUpdatesInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_5.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewMonitorOSVulnerabilitiesInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_5.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewMonitorPossibleAppWhitelistingInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_5.3",
          "UK_NCSC_CSP_11"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewMonitorSQLVulnerabilityAssessmentResultsInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_5.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewMonitorUnauditedSQLDatabaseInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_13"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewMonitorUnencryptedSQLDatabaseInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_2.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewMonitorUnencryptedVmDisksInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_2.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewMonitorVmVulnerabilitiesInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_5.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditDiagnosticSetting",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9",
        "parameters": {
          "listOfResourceTypes": {
            "value": "[parameters('listOfResourceTypesWithDiagnosticLogsEnabled')]"
          }
        },
        "groupNames": [
          "UK_NCSC_CSP_13"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditEnablementOfEncryptionOfAutomationAccountVariables",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_2.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditEnablingOfOnlySecureConnectionsToYourRedisCache",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_1"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditProvisioningOfAnAzureActiveDirectoryAdministratorForSQLServer",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_10"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditSecureTransferToStorageAccounts",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_1"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditTheSettingOfClusterprotectionlevelPropertyToEncryptandsignInServiceFabric",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_2.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditUnrestrictedNetworkAccessToStorageAccounts",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_5.3",
          "UK_NCSC_CSP_11"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditUsageOfAzureActiveDirectoryForClientAuthenticationInServiceFabric",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_10"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditVMsThatDoNotUseManagedDisks",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_10"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditUseOfClassicStorageAccounts",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_10"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditUseOfClassicVirtualMachines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_10"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditThatWindowsWebServersAreUsingScureCommunicationProtocols",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112",
        "parameters": {
          "IncludeArcMachines": {
            "value": "[parameters('IncludeArcMachines')]"
          }
        },
        "groupNames": [
          "UK_NCSC_CSP_1"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditAnyMissingSystemUpdatesOnVirtualMachineScaleSetsInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_5.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditSQLManagedInstancesWithoutAdvancedDataSecurity",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_5.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditSQLServersWithoutAdvancedDataSecurity",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_5.2",
          "UK_NCSC_CSP_13"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditVulnerabilityAssessmentShouldBeEnabledOnSQLServers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_5.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditVulnerabilityAssessmentShouldBeEnabledOnSQLManagedInstances",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_5.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditOSVulnerabilitiesOnYourVirtualMachineScaleSetsInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_5.2"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditVirtualMachinesWithoutDisasterRecoveryConfigured",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_5.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "PreviewAuditStandardTierOfDDoSProtectionIsEnabledForAVirtualNetwork",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_5.3"
        ]
      },
      {
        "policyDefinitionReferenceId": "MonitorUnprotectedNetworkEndpointsInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_11"
        ]
      },
      {
        "policyDefinitionReferenceId": "MonitorInternetFacingVirtualMachinesForNetworkSecurityGroupTrafficHardeningRecommendations",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_11"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditTheEndpointProtectionSolutionOnVirtualMachineScaleSetsInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_11"
        ]
      },
      {
        "policyDefinitionReferenceId": "MonitorPossibleNetworkJustInTimeJITAccessInAzureSecurityCenter",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_11"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditRemoteDebuggingStateForAFunctionApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_11"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditRemoteDebuggingStateForAWebApplication",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_11"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditRemoteDebuggingStateForAnAPIApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_11"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditHttpsOnlyAccessForAWebApplication",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_1"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditHttpsOnlyAccessForAFunctionApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_1"
        ]
      },
      {
        "policyDefinitionReferenceId": "AuditHttpsOnlyAccessForAnApiApp",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6",
        "parameters": {},
        "groupNames": [
          "UK_NCSC_CSP_1"
        ]
      }
    ],
    "policyDefinitionGroups": [
      {
        "name": "UK_NCSC_CSP_1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/UK_NCSC_CSP_1"
      },
      {
        "name": "UK_NCSC_CSP_2.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/UK_NCSC_CSP_2.1"
      },
      {
        "name": "UK_NCSC_CSP_2.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/UK_NCSC_CSP_2.2"
      },
      {
        "name": "UK_NCSC_CSP_2.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/UK_NCSC_CSP_2.3"
      },
      {
        "name": "UK_NCSC_CSP_2.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/UK_NCSC_CSP_2.4"
      },
      {
        "name": "UK_NCSC_CSP_2.5",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/UK_NCSC_CSP_2.5"
      },
      {
        "name": "UK_NCSC_CSP_2.6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/UK_NCSC_CSP_2.6"
      },
      {
        "name": "UK_NCSC_CSP_3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/UK_NCSC_CSP_3"
      },
      {
        "name": "UK_NCSC_CSP_4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/UK_NCSC_CSP_4"
      },
      {
        "name": "UK_NCSC_CSP_5.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/UK_NCSC_CSP_5.1"
      },
      {
        "name": "UK_NCSC_CSP_5.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/UK_NCSC_CSP_5.2"
      },
      {
        "name": "UK_NCSC_CSP_5.3",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/UK_NCSC_CSP_5.3"
      },
      {
        "name": "UK_NCSC_CSP_5.4",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/UK_NCSC_CSP_5.4"
      },
      {
        "name": "UK_NCSC_CSP_6",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/UK_NCSC_CSP_6"
      },
      {
        "name": "UK_NCSC_CSP_7",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/UK_NCSC_CSP_7"
      },
      {
        "name": "UK_NCSC_CSP_8",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/UK_NCSC_CSP_8"
      },
      {
        "name": "UK_NCSC_CSP_9.1",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/UK_NCSC_CSP_9.1"
      },
      {
        "name": "UK_NCSC_CSP_9.2",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/UK_NCSC_CSP_9.2"
      },
      {
        "name": "UK_NCSC_CSP_10",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/UK_NCSC_CSP_10"
      },
      {
        "name": "UK_NCSC_CSP_11",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/UK_NCSC_CSP_11"
      },
      {
        "name": "UK_NCSC_CSP_12",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/UK_NCSC_CSP_12"
      },
      {
        "name": "UK_NCSC_CSP_13",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/UK_NCSC_CSP_13"
      },
      {
        "name": "UK_NCSC_CSP_14",
        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/UK_NCSC_CSP_14"
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/3937f550-eedd-4639-9c5e-294358be442e",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "3937f550-eedd-4639-9c5e-294358be442e"
}
BuiltIn Regulatory Compliance False False n/a n/a false 0 n/a
JSON Role Type Data hasAssignments Assignments Count Assignments
{
  "roleName": "AcrDelete",
  "type": "BuiltInRole",
  "description": "acr delete",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/artifacts/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-03-11T20:19:31.6682804Z",
  "updatedOn": "2019-03-11T20:24:38.9845104Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "AcrImageSigner",
  "type": "BuiltInRole",
  "description": "acr image signer",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/sign/write"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/trustedCollections/write"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2018-03-15T23:23:08.4038322Z",
  "updatedOn": "2021-06-23T21:07:39.6776759Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "AcrPull",
  "type": "BuiltInRole",
  "description": "acr pull",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/pull/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2018-10-22T19:01:56.8227182Z",
  "updatedOn": "2018-11-13T23:22:03.2302457Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "AcrPush",
  "type": "BuiltInRole",
  "description": "acr push",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/pull/read",
        "Microsoft.ContainerRegistry/registries/push/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2018-10-29T17:52:32.5201177Z",
  "updatedOn": "2018-11-13T23:26:19.9749249Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "AcrQuarantineReader",
  "type": "BuiltInRole",
  "description": "acr quarantine data reader",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/quarantine/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2018-03-16T00:27:39.9596835Z",
  "updatedOn": "2021-06-23T21:17:58.7569846Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "AcrQuarantineWriter",
  "type": "BuiltInRole",
  "description": "acr quarantine data writer",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/quarantine/read",
        "Microsoft.ContainerRegistry/registries/quarantine/write"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read",
        "Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2018-03-16T00:26:37.587182Z",
  "updatedOn": "2021-07-06T20:32:00.7263755Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "AgFood Platform Service Admin",
  "type": "BuiltInRole",
  "description": "Provides admin access to AgFood Platform Service",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.AgFoodPlatform/*"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-09-14T10:21:09.8039209Z",
  "updatedOn": "2020-09-14T10:21:09.8039209Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "AgFood Platform Service Contributor",
  "type": "BuiltInRole",
  "description": "Provides contribute access to AgFood Platform Service",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.AgFoodPlatform/*/action",
        "Microsoft.AgFoodPlatform/*/read",
        "Microsoft.AgFoodPlatform/*/write"
      ],
      "notDataActions": [
        "Microsoft.AgFoodPlatform/farmers/write",
        "Microsoft.AgFoodPlatform/deletionJobs/*/write"
      ]
    }
  ],
  "createdOn": "2020-09-14T10:21:09.7239169Z",
  "updatedOn": "2021-07-19T05:45:17.7691871Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "AgFood Platform Service Reader",
  "type": "BuiltInRole",
  "description": "Provides read access to AgFood Platform Service",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.AgFoodPlatform/*/read"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-09-14T10:21:08.913882Z",
  "updatedOn": "2020-09-14T10:21:08.913882Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "AnyBuild Builder",
  "type": "BuiltInRole",
  "description": "Basic user role for AnyBuild. This role allows listing of agent information and execution of remote build capabilities.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.AnyBuild/clusters/build/write",
        "Microsoft.AnyBuild/clusters/build/read"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-04-20T22:07:00.4963853Z",
  "updatedOn": "2021-04-20T22:07:00.4963853Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "API Management Service Contributor",
  "type": "BuiltInRole",
  "description": "Can manage service and the APIs",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.ApiManagement/service/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2015-02-02T21:55:09.8650193Z",
  "updatedOn": "2019-02-05T21:24:17.7502607Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "API Management Service Operator Role",
  "type": "BuiltInRole",
  "description": "Can manage service but not the APIs",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.ApiManagement/service/*/read",
        "Microsoft.ApiManagement/service/backup/action",
        "Microsoft.ApiManagement/service/delete",
        "Microsoft.ApiManagement/service/managedeployments/action",
        "Microsoft.ApiManagement/service/read",
        "Microsoft.ApiManagement/service/restore/action",
        "Microsoft.ApiManagement/service/updatecertificate/action",
        "Microsoft.ApiManagement/service/updatehostname/action",
        "Microsoft.ApiManagement/service/write",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.ApiManagement/service/users/keys/read"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2016-11-09T00:03:42.1194019Z",
  "updatedOn": "2016-11-18T23:56:25.4682649Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "API Management Service Reader Role",
  "type": "BuiltInRole",
  "description": "Read-only access to service and APIs",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.ApiManagement/service/*/read",
        "Microsoft.ApiManagement/service/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.ApiManagement/service/users/keys/read"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2016-11-09T00:26:45.1540473Z",
  "updatedOn": "2017-01-23T23:10:34.8876776Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "App Configuration Data Owner",
  "type": "BuiltInRole",
  "description": "Allows full access to App Configuration data.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.AppConfiguration/configurationStores/*/read",
        "Microsoft.AppConfiguration/configurationStores/*/write",
        "Microsoft.AppConfiguration/configurationStores/*/delete"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-10-25T18:41:40.1185063Z",
  "updatedOn": "2019-10-25T18:41:40.1185063Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "App Configuration Data Reader",
  "type": "BuiltInRole",
  "description": "Allows read access to App Configuration data.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.AppConfiguration/configurationStores/*/read"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-10-25T18:45:33.7975332Z",
  "updatedOn": "2019-10-25T18:45:33.7975332Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Application Group Contributor",
  "type": "BuiltInRole",
  "description": "Contributor of the Application Group.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.DesktopVirtualization/applicationgroups/*",
        "Microsoft.DesktopVirtualization/hostpools/read",
        "Microsoft.DesktopVirtualization/hostpools/sessionhosts/read",
        "Microsoft.DesktopVirtualization/workspaces/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-12-03T23:26:00.2784962Z",
  "updatedOn": "2020-12-04T23:46:35.0341772Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Application Insights Component Contributor",
  "type": "BuiltInRole",
  "description": "Can manage Application Insights components",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/generateLiveToken/read",
        "Microsoft.Insights/metricAlerts/*",
        "Microsoft.Insights/components/*",
        "Microsoft.Insights/scheduledqueryrules/*",
        "Microsoft.Insights/topology/read",
        "Microsoft.Insights/transactions/read",
        "Microsoft.Insights/webtests/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2015-02-02T21:55:09.8806423Z",
  "updatedOn": "2021-01-19T19:26:12.8117169Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Application Insights Snapshot Debugger",
  "type": "BuiltInRole",
  "description": "Gives user permission to use Application Insights Snapshot Debugger features",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/components/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2017-04-19T21:25:12.3728747Z",
  "updatedOn": "2017-04-19T23:34:59.9511581Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Attestation Contributor",
  "type": "BuiltInRole",
  "description": "Can read write or delete the attestation provider instance",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Attestation/attestationProviders/attestation/read",
        "Microsoft.Attestation/attestationProviders/attestation/write",
        "Microsoft.Attestation/attestationProviders/attestation/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-04-19T00:24:09.3354177Z",
  "updatedOn": "2019-05-10T17:59:06.3448436Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Attestation Reader",
  "type": "BuiltInRole",
  "description": "Can read the attestation provider properties",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Attestation/attestationProviders/attestation/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-03-25T19:42:59.157671Z",
  "updatedOn": "2019-05-10T17:52:38.9036953Z",
  "createdBy": null,
  "updatedBy": "SYSTEM"
}
Builtin false false 0 n/a
{
  "roleName": "Automation Contributor",
  "type": "BuiltInRole",
  "description": "Manage azure automation resources and other resources using azure automation.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Automation/automationAccounts/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-08-09T10:18:19.1054699Z",
  "updatedOn": "2021-08-09T10:18:19.1054699Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Automation Job Operator",
  "type": "BuiltInRole",
  "description": "Create and Manage Jobs using Automation Runbooks.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read",
        "Microsoft.Automation/automationAccounts/jobs/read",
        "Microsoft.Automation/automationAccounts/jobs/resume/action",
        "Microsoft.Automation/automationAccounts/jobs/stop/action",
        "Microsoft.Automation/automationAccounts/jobs/streams/read",
        "Microsoft.Automation/automationAccounts/jobs/suspend/action",
        "Microsoft.Automation/automationAccounts/jobs/write",
        "Microsoft.Automation/automationAccounts/jobs/output/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2017-04-19T20:52:41.0020018Z",
  "updatedOn": "2018-08-14T22:08:48.1147327Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Automation Operator",
  "type": "BuiltInRole",
  "description": "Automation Operators are able to start, stop, suspend, and resume jobs",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read",
        "Microsoft.Automation/automationAccounts/jobs/read",
        "Microsoft.Automation/automationAccounts/jobs/resume/action",
        "Microsoft.Automation/automationAccounts/jobs/stop/action",
        "Microsoft.Automation/automationAccounts/jobs/streams/read",
        "Microsoft.Automation/automationAccounts/jobs/suspend/action",
        "Microsoft.Automation/automationAccounts/jobs/write",
        "Microsoft.Automation/automationAccounts/jobSchedules/read",
        "Microsoft.Automation/automationAccounts/jobSchedules/write",
        "Microsoft.Automation/automationAccounts/linkedWorkspace/read",
        "Microsoft.Automation/automationAccounts/read",
        "Microsoft.Automation/automationAccounts/runbooks/read",
        "Microsoft.Automation/automationAccounts/schedules/read",
        "Microsoft.Automation/automationAccounts/schedules/write",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Automation/automationAccounts/jobs/output/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2015-08-18T01:05:03.391613Z",
  "updatedOn": "2018-05-10T20:12:39.69782Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Automation Runbook Operator",
  "type": "BuiltInRole",
  "description": "Read Runbook properties - to be able to create Jobs of the runbook.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Automation/automationAccounts/runbooks/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2017-04-19T20:47:49.5640674Z",
  "updatedOn": "2017-04-25T01:00:45.6444999Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Autonomous Development Platform Data Contributor (Preview)",
  "type": "BuiltInRole",
  "description": "Grants permissions to upload and manage new Autonomous Development Platform measurements.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.AutonomousDevelopmentPlatform/accounts/*/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/discoveries/*",
        "Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/uploads/*",
        "Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/measurements/states/new/*",
        "Microsoft.AutonomousDevelopmentPlatform/accounts/measurementCollections/*"
      ],
      "notDataActions": [
        "Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/measurements/states/new/changeState/action"
      ]
    }
  ],
  "createdOn": "2020-12-15T11:30:01.7459379Z",
  "updatedOn": "2021-02-08T20:04:29.9188777Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Autonomous Development Platform Data Owner (Preview)",
  "type": "BuiltInRole",
  "description": "Grants full access to Autonomous Development Platform data.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.AutonomousDevelopmentPlatform/accounts/*/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.AutonomousDevelopmentPlatform/accounts/*"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-12-15T12:13:59.9702378Z",
  "updatedOn": "2021-02-08T16:12:28.803523Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Autonomous Development Platform Data Reader (Preview)",
  "type": "BuiltInRole",
  "description": "Grants read access to Autonomous Development Platform data.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.AutonomousDevelopmentPlatform/accounts/*/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.AutonomousDevelopmentPlatform/accounts/*/read"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-12-15T12:11:31.9843256Z",
  "updatedOn": "2021-02-08T16:16:53.0489887Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Avere Contributor",
  "type": "BuiltInRole",
  "description": "Can create and manage an Avere vFXT cluster.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Compute/*/read",
        "Microsoft.Compute/availabilitySets/*",
        "Microsoft.Compute/proximityPlacementGroups/*",
        "Microsoft.Compute/virtualMachines/*",
        "Microsoft.Compute/disks/*",
        "Microsoft.Network/*/read",
        "Microsoft.Network/networkInterfaces/*",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/*/read",
        "Microsoft.Storage/storageAccounts/*",
        "Microsoft.Support/*",
        "Microsoft.Resources/subscriptions/resourceGroups/resources/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-03-18T20:00:58.9207889Z",
  "updatedOn": "2020-05-27T06:48:54.4896867Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Avere Operator",
  "type": "BuiltInRole",
  "description": "Used by the Avere vFXT cluster to manage the cluster",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkInterfaces/write",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-03-18T20:02:38.3399857Z",
  "updatedOn": "2019-03-29T00:26:37.9205875Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Azure Arc Enabled Kubernetes Cluster User Role",
  "type": "BuiltInRole",
  "description": "List cluster user credentials action.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-07-28T17:37:00.7637445Z",
  "updatedOn": "2020-07-30T18:00:32.2764334Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Azure Arc Kubernetes Admin",
  "type": "BuiltInRole",
  "description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
        "Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
        "Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write",
        "Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
        "Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
        "Microsoft.Kubernetes/connectedClusters/configmaps/*",
        "Microsoft.Kubernetes/connectedClusters/endpoints/*",
        "Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
        "Microsoft.Kubernetes/connectedClusters/events/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/limitranges/read",
        "Microsoft.Kubernetes/connectedClusters/namespaces/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
        "Microsoft.Kubernetes/connectedClusters/pods/*",
        "Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
        "Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/*",
        "Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
        "Microsoft.Kubernetes/connectedClusters/secrets/*",
        "Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
        "Microsoft.Kubernetes/connectedClusters/services/*"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-06-12T20:57:06.0391177Z",
  "updatedOn": "2020-11-02T23:52:48.6202974Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Azure Arc Kubernetes Cluster Admin",
  "type": "BuiltInRole",
  "description": "Lets you manage all resources in the cluster.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/*"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-06-12T20:55:30.9910462Z",
  "updatedOn": "2020-06-12T20:55:30.9910462Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Azure Arc Kubernetes Viewer",
  "type": "BuiltInRole",
  "description": "Lets you view all resources in cluster/namespace, except secrets.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
        "Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read",
        "Microsoft.Kubernetes/connectedClusters/apps/deployments/read",
        "Microsoft.Kubernetes/connectedClusters/apps/replicasets/read",
        "Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read",
        "Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read",
        "Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read",
        "Microsoft.Kubernetes/connectedClusters/batch/jobs/read",
        "Microsoft.Kubernetes/connectedClusters/configmaps/read",
        "Microsoft.Kubernetes/connectedClusters/endpoints/read",
        "Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
        "Microsoft.Kubernetes/connectedClusters/events/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/deployments/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read",
        "Microsoft.Kubernetes/connectedClusters/limitranges/read",
        "Microsoft.Kubernetes/connectedClusters/namespaces/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read",
        "Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read",
        "Microsoft.Kubernetes/connectedClusters/pods/read",
        "Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
        "Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
        "Microsoft.Kubernetes/connectedClusters/serviceaccounts/read",
        "Microsoft.Kubernetes/connectedClusters/services/read"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-06-12T20:51:12.8801199Z",
  "updatedOn": "2020-11-02T23:50:46.3225174Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Azure Arc Kubernetes Writer",
  "type": "BuiltInRole",
  "description": "Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
        "Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
        "Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
        "Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
        "Microsoft.Kubernetes/connectedClusters/configmaps/*",
        "Microsoft.Kubernetes/connectedClusters/endpoints/*",
        "Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
        "Microsoft.Kubernetes/connectedClusters/events/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/limitranges/read",
        "Microsoft.Kubernetes/connectedClusters/namespaces/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
        "Microsoft.Kubernetes/connectedClusters/pods/*",
        "Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
        "Microsoft.Kubernetes/connectedClusters/secrets/*",
        "Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
        "Microsoft.Kubernetes/connectedClusters/services/*"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-06-12T20:53:50.6749823Z",
  "updatedOn": "2020-11-02T23:48:04.7027508Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Azure Connected Machine Onboarding",
  "type": "BuiltInRole",
  "description": "Can onboard Azure Connected Machines.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.HybridCompute/machines/read",
        "Microsoft.HybridCompute/machines/write",
        "Microsoft.HybridCompute/privateLinkScopes/read",
        "Microsoft.GuestConfiguration/guestConfigurationAssignments/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-10-23T20:15:07.137287Z",
  "updatedOn": "2021-03-23T20:13:08.5139847Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Azure Connected Machine Resource Administrator",
  "type": "BuiltInRole",
  "description": "Can read, write, delete and re-onboard Azure Connected Machines.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.HybridCompute/machines/read",
        "Microsoft.HybridCompute/machines/write",
        "Microsoft.HybridCompute/machines/delete",
        "Microsoft.HybridCompute/machines/UpgradeExtensions/action",
        "Microsoft.HybridCompute/machines/extensions/read",
        "Microsoft.HybridCompute/machines/extensions/write",
        "Microsoft.HybridCompute/machines/extensions/delete",
        "Microsoft.HybridCompute/privateLinkScopes/*",
        "Microsoft.HybridCompute/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-10-23T20:24:59.1474607Z",
  "updatedOn": "2021-06-08T18:14:40.8972223Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Azure Connected SQL Server Onboarding",
  "type": "BuiltInRole",
  "description": "Microsoft.AzureArcData service role to access the resources of Microsoft.AzureArcData stored with RPSAAS.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.AzureArcData/sqlServerInstances/read",
        "Microsoft.AzureArcData/sqlServerInstances/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-07-19T23:52:15.8885739Z",
  "updatedOn": "2021-07-19T23:52:15.8885739Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Azure Digital Twins Data Owner",
  "type": "BuiltInRole",
  "description": "Full access role for Digital Twins data-plane",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.DigitalTwins/eventroutes/*",
        "Microsoft.DigitalTwins/digitaltwins/*",
        "Microsoft.DigitalTwins/digitaltwins/commands/*",
        "Microsoft.DigitalTwins/digitaltwins/relationships/*",
        "Microsoft.DigitalTwins/models/*",
        "Microsoft.DigitalTwins/query/*"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-03-10T23:49:33.782193Z",
  "updatedOn": "2020-10-22T21:07:31.810841Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Azure Digital Twins Data Reader",
  "type": "BuiltInRole",
  "description": "Read-only role for Digital Twins data-plane properties",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.DigitalTwins/digitaltwins/read",
        "Microsoft.DigitalTwins/digitaltwins/relationships/read",
        "Microsoft.DigitalTwins/eventroutes/read",
        "Microsoft.DigitalTwins/models/read",
        "Microsoft.DigitalTwins/query/action"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-03-10T23:48:14.7057381Z",
  "updatedOn": "2020-10-22T21:06:59.5157226Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Azure Event Hubs Data Owner",
  "type": "BuiltInRole",
  "description": "Allows for full access to Azure Event Hubs resources.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.EventHub/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.EventHub/*"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-04-16T21:34:29.8656362Z",
  "updatedOn": "2019-08-21T22:58:57.7584645Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Azure Event Hubs Data Receiver",
  "type": "BuiltInRole",
  "description": "Allows receive access to Azure Event Hubs resources.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.EventHub/*/eventhubs/consumergroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.EventHub/*/receive/action"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-05-10T06:25:21.1056666Z",
  "updatedOn": "2019-08-21T23:00:32.6225396Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Azure Event Hubs Data Sender",
  "type": "BuiltInRole",
  "description": "Allows send access to Azure Event Hubs resources.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.EventHub/*/eventhubs/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.EventHub/*/send/action"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-05-10T06:26:12.4673714Z",
  "updatedOn": "2019-08-21T23:02:26.6155679Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Azure Kubernetes Service Cluster Admin Role",
  "type": "BuiltInRole",
  "description": "List cluster admin credential action.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
        "Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
        "Microsoft.ContainerService/managedClusters/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2018-08-15T21:38:18.5953853Z",
  "updatedOn": "2020-08-10T21:30:17.4985976Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Azure Kubernetes Service Cluster User Role",
  "type": "BuiltInRole",
  "description": "List cluster user credential action.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
        "Microsoft.ContainerService/managedClusters/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2018-08-15T22:04:53.4037241Z",
  "updatedOn": "2020-08-10T23:33:17.490167Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Azure Kubernetes Service Contributor Role",
  "type": "BuiltInRole",
  "description": "Grants access to read and write Azure Kubernetes Service clusters",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/read",
        "Microsoft.ContainerService/managedClusters/write",
        "Microsoft.Resources/deployments/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-02-27T19:27:15.073997Z",
  "updatedOn": "2020-02-28T02:34:14.5162305Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Azure Kubernetes Service RBAC Admin",
  "type": "BuiltInRole",
  "description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/*"
      ],
      "notDataActions": [
        "Microsoft.ContainerService/managedClusters/resourcequotas/write",
        "Microsoft.ContainerService/managedClusters/resourcequotas/delete",
        "Microsoft.ContainerService/managedClusters/namespaces/write",
        "Microsoft.ContainerService/managedClusters/namespaces/delete"
      ]
    }
  ],
  "createdOn": "2020-07-02T17:50:30.4020311Z",
  "updatedOn": "2020-07-02T17:50:30.4020311Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Azure Kubernetes Service RBAC Cluster Admin",
  "type": "BuiltInRole",
  "description": "Lets you manage all resources in the cluster.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/*"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-07-02T17:47:24.4071415Z",
  "updatedOn": "2020-07-02T17:47:24.4071415Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Azure Kubernetes Service RBAC Reader",
  "type": "BuiltInRole",
  "description": "Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
        "Microsoft.ContainerService/managedClusters/apps/daemonsets/read",
        "Microsoft.ContainerService/managedClusters/apps/deployments/read",
        "Microsoft.ContainerService/managedClusters/apps/replicasets/read",
        "Microsoft.ContainerService/managedClusters/apps/statefulsets/read",
        "Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read",
        "Microsoft.ContainerService/managedClusters/batch/cronjobs/read",
        "Microsoft.ContainerService/managedClusters/batch/jobs/read",
        "Microsoft.ContainerService/managedClusters/configmaps/read",
        "Microsoft.ContainerService/managedClusters/endpoints/read",
        "Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
        "Microsoft.ContainerService/managedClusters/events/read",
        "Microsoft.ContainerService/managedClusters/extensions/daemonsets/read",
        "Microsoft.ContainerService/managedClusters/extensions/deployments/read",
        "Microsoft.ContainerService/managedClusters/extensions/ingresses/read",
        "Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read",
        "Microsoft.ContainerService/managedClusters/extensions/replicasets/read",
        "Microsoft.ContainerService/managedClusters/limitranges/read",
        "Microsoft.ContainerService/managedClusters/namespaces/read",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read",
        "Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read",
        "Microsoft.ContainerService/managedClusters/pods/read",
        "Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read",
        "Microsoft.ContainerService/managedClusters/replicationcontrollers/read",
        "Microsoft.ContainerService/managedClusters/replicationcontrollers/read",
        "Microsoft.ContainerService/managedClusters/resourcequotas/read",
        "Microsoft.ContainerService/managedClusters/serviceaccounts/read",
        "Microsoft.ContainerService/managedClusters/services/read"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-07-02T17:53:05.5728294Z",
  "updatedOn": "2020-10-22T16:08:11.1332215Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Azure Kubernetes Service RBAC Writer",
  "type": "BuiltInRole",
  "description": "Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
        "Microsoft.ContainerService/managedClusters/apps/daemonsets/*",
        "Microsoft.ContainerService/managedClusters/apps/deployments/*",
        "Microsoft.ContainerService/managedClusters/apps/replicasets/*",
        "Microsoft.ContainerService/managedClusters/apps/statefulsets/*",
        "Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.ContainerService/managedClusters/batch/cronjobs/*",
        "Microsoft.ContainerService/managedClusters/batch/jobs/*",
        "Microsoft.ContainerService/managedClusters/configmaps/*",
        "Microsoft.ContainerService/managedClusters/endpoints/*",
        "Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
        "Microsoft.ContainerService/managedClusters/events/read",
        "Microsoft.ContainerService/managedClusters/extensions/daemonsets/*",
        "Microsoft.ContainerService/managedClusters/extensions/deployments/*",
        "Microsoft.ContainerService/managedClusters/extensions/ingresses/*",
        "Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*",
        "Microsoft.ContainerService/managedClusters/extensions/replicasets/*",
        "Microsoft.ContainerService/managedClusters/limitranges/read",
        "Microsoft.ContainerService/managedClusters/namespaces/read",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*",
        "Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*",
        "Microsoft.ContainerService/managedClusters/pods/*",
        "Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*",
        "Microsoft.ContainerService/managedClusters/replicationcontrollers/*",
        "Microsoft.ContainerService/managedClusters/replicationcontrollers/*",
        "Microsoft.ContainerService/managedClusters/resourcequotas/read",
        "Microsoft.ContainerService/managedClusters/secrets/*",
        "Microsoft.ContainerService/managedClusters/serviceaccounts/*",
        "Microsoft.ContainerService/managedClusters/services/*"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-07-02T17:54:51.9644983Z",
  "updatedOn": "2020-10-22T16:10:35.0181117Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Azure Maps Data Contributor",
  "type": "BuiltInRole",
  "description": "Grants access to read, write, and delete access to map related data from an Azure maps account.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Maps/accounts/*/read",
        "Microsoft.Maps/accounts/*/write",
        "Microsoft.Maps/accounts/*/delete"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-05-07T20:55:05.064541Z",
  "updatedOn": "2020-05-07T20:55:05.064541Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Azure Maps Data Reader",
  "type": "BuiltInRole",
  "description": "Grants access to read map related data from an Azure maps account.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Maps/accounts/*/read"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2018-10-05T19:47:03.472307Z",
  "updatedOn": "2020-04-28T22:33:41.7780319Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Azure Relay Listener",
  "type": "BuiltInRole",
  "description": "Allows for listen access to Azure Relay resources.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Relay/*/wcfRelays/read",
        "Microsoft.Relay/*/hybridConnections/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Relay/*/listen/action"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-07-20T18:38:03.1437496Z",
  "updatedOn": "2021-07-20T18:38:03.1437496Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Azure Relay Owner",
  "type": "BuiltInRole",
  "description": "Allows for full access to Azure Relay resources.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Relay/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Relay/*"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-07-20T15:44:26.3023126Z",
  "updatedOn": "2021-07-20T15:44:26.3023126Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Azure Relay Sender",
  "type": "BuiltInRole",
  "description": "Allows for send access to Azure Relay resources.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Relay/*/wcfRelays/read",
        "Microsoft.Relay/*/hybridConnections/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Relay/*/send/action"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-07-20T15:37:20.7558643Z",
  "updatedOn": "2021-07-20T18:08:09.2066765Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Azure Sentinel Automation Contributor",
  "type": "BuiltInRole",
  "description": "Azure Sentinel Automation Contributor",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Logic/workflows/triggers/read",
        "Microsoft.Logic/workflows/triggers/listCallbackUrl/action",
        "Microsoft.Logic/workflows/runs/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-01-24T08:50:52.0382991Z",
  "updatedOn": "2021-01-25T19:48:16.7893833Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Azure Sentinel Contributor",
  "type": "BuiltInRole",
  "description": "Azure Sentinel Contributor",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.SecurityInsights/*",
        "Microsoft.OperationalInsights/workspaces/analytics/query/action",
        "Microsoft.OperationalInsights/workspaces/*/read",
        "Microsoft.OperationalInsights/workspaces/savedSearches/*",
        "Microsoft.OperationsManagement/solutions/read",
        "Microsoft.OperationalInsights/workspaces/query/read",
        "Microsoft.OperationalInsights/workspaces/query/*/read",
        "Microsoft.OperationalInsights/workspaces/dataSources/read",
        "Microsoft.OperationalInsights/querypacks/*/read",
        "Microsoft.Insights/workbooks/*",
        "Microsoft.Insights/myworkbooks/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-08-28T16:39:03.8725173Z",
  "updatedOn": "2021-08-05T09:20:15.7627729Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Azure Sentinel Reader",
  "type": "BuiltInRole",
  "description": "Azure Sentinel Reader",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.SecurityInsights/*/read",
        "Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action",
        "Microsoft.SecurityInsights/threatIntelligence/indicators/query/action",
        "Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action",
        "Microsoft.OperationalInsights/workspaces/analytics/query/action",
        "Microsoft.OperationalInsights/workspaces/*/read",
        "Microsoft.OperationalInsights/workspaces/LinkedServices/read",
        "Microsoft.OperationalInsights/workspaces/savedSearches/read",
        "Microsoft.OperationsManagement/solutions/read",
        "Microsoft.OperationalInsights/workspaces/query/read",
        "Microsoft.OperationalInsights/workspaces/query/*/read",
        "Microsoft.OperationalInsights/querypacks/*/read",
        "Microsoft.OperationalInsights/workspaces/dataSources/read",
        "Microsoft.Insights/workbooks/read",
        "Microsoft.Insights/myworkbooks/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-08-28T16:58:50.1132117Z",
  "updatedOn": "2021-08-05T09:13:41.1184737Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Azure Sentinel Responder",
  "type": "BuiltInRole",
  "description": "Azure Sentinel Responder",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.SecurityInsights/*/read",
        "Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action",
        "Microsoft.SecurityInsights/automationRules/*",
        "Microsoft.SecurityInsights/cases/*",
        "Microsoft.SecurityInsights/incidents/*",
        "Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action",
        "Microsoft.SecurityInsights/threatIntelligence/indicators/query/action",
        "Microsoft.SecurityInsights/threatIntelligence/bulkTag/action",
        "Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action",
        "Microsoft.SecurityInsights/threatIntelligence/indicators/replaceTags/action",
        "Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action",
        "Microsoft.OperationalInsights/workspaces/analytics/query/action",
        "Microsoft.OperationalInsights/workspaces/*/read",
        "Microsoft.OperationalInsights/workspaces/dataSources/read",
        "Microsoft.OperationalInsights/workspaces/savedSearches/read",
        "Microsoft.OperationsManagement/solutions/read",
        "Microsoft.OperationalInsights/workspaces/query/read",
        "Microsoft.OperationalInsights/workspaces/query/*/read",
        "Microsoft.OperationalInsights/workspaces/dataSources/read",
        "Microsoft.OperationalInsights/querypacks/*/read",
        "Microsoft.Insights/workbooks/read",
        "Microsoft.Insights/myworkbooks/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.SecurityInsights/cases/*/Delete",
        "Microsoft.SecurityInsights/incidents/*/Delete"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-08-28T16:54:07.6467264Z",
  "updatedOn": "2021-08-05T09:17:29.2659897Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Azure Service Bus Data Owner",
  "type": "BuiltInRole",
  "description": "Allows for full access to Azure Service Bus resources.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.ServiceBus/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ServiceBus/*"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-04-16T21:33:36.7445745Z",
  "updatedOn": "2019-08-21T22:47:11.3982905Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Azure Service Bus Data Receiver",
  "type": "BuiltInRole",
  "description": "Allows for receive access to Azure Service Bus resources.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.ServiceBus/*/queues/read",
        "Microsoft.ServiceBus/*/topics/read",
        "Microsoft.ServiceBus/*/topics/subscriptions/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ServiceBus/*/receive/action"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-05-10T06:43:01.6343849Z",
  "updatedOn": "2019-08-21T22:55:24.3423558Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Azure Service Bus Data Sender",
  "type": "BuiltInRole",
  "description": "Allows for send access to Azure Service Bus resources.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.ServiceBus/*/queues/read",
        "Microsoft.ServiceBus/*/topics/read",
        "Microsoft.ServiceBus/*/topics/subscriptions/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ServiceBus/*/send/action"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-05-10T06:43:46.7046934Z",
  "updatedOn": "2019-08-21T22:57:12.2555683Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Azure Spring Cloud Data Reader",
  "type": "BuiltInRole",
  "description": "Allow read access to Azure Spring Cloud Data",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.AppPlatform/Spring/*/read"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-03-25T11:12:12.678601Z",
  "updatedOn": "2021-03-25T11:15:24.6631615Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Azure Stack Registration Owner",
  "type": "BuiltInRole",
  "description": "Lets you manage Azure Stack registrations.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.AzureStack/edgeSubscriptions/read",
        "Microsoft.AzureStack/registrations/products/*/action",
        "Microsoft.AzureStack/registrations/products/read",
        "Microsoft.AzureStack/registrations/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2017-11-13T23:42:06.2161827Z",
  "updatedOn": "2020-06-29T22:11:17.0759529Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "AzureML Data Scientist",
  "type": "BuiltInRole",
  "description": "Can perform all actions within an Azure Machine Learning workspace, except for creating or deleting compute resources and modifying the workspace itself.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.MachineLearningServices/workspaces/*/read",
        "Microsoft.MachineLearningServices/workspaces/*/action",
        "Microsoft.MachineLearningServices/workspaces/*/delete",
        "Microsoft.MachineLearningServices/workspaces/*/write"
      ],
      "notActions": [
        "Microsoft.MachineLearningServices/workspaces/delete",
        "Microsoft.MachineLearningServices/workspaces/write",
        "Microsoft.MachineLearningServices/workspaces/computes/*/write",
        "Microsoft.MachineLearningServices/workspaces/computes/*/delete",
        "Microsoft.MachineLearningServices/workspaces/computes/listKeys/action",
        "Microsoft.MachineLearningServices/workspaces/listKeys/action"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-07-14T21:51:06.0361218Z",
  "updatedOn": "2021-07-14T21:51:06.0361218Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "AzureML Metrics Writer (preview)",
  "type": "BuiltInRole",
  "description": "Lets you write metrics to AzureML workspace",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.MachineLearningServices/workspaces/metrics/*/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-10-27T16:55:19.566495Z",
  "updatedOn": "2020-10-28T19:17:09.2941184Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Backup Contributor",
  "type": "BuiltInRole",
  "description": "Lets you manage backup service,but can't create vaults and give access to others",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.RecoveryServices/locations/*",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/*",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/*",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action",
        "Microsoft.RecoveryServices/Vaults/backupJobs/*",
        "Microsoft.RecoveryServices/Vaults/backupJobsExport/action",
        "Microsoft.RecoveryServices/Vaults/backupOperationResults/*",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/*",
        "Microsoft.RecoveryServices/Vaults/backupProtectableItems/*",
        "Microsoft.RecoveryServices/Vaults/backupProtectedItems/*",
        "Microsoft.RecoveryServices/Vaults/backupProtectionContainers/*",
        "Microsoft.RecoveryServices/Vaults/backupSecurityPIN/*",
        "Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read",
        "Microsoft.RecoveryServices/Vaults/certificates/*",
        "Microsoft.RecoveryServices/Vaults/extendedInformation/*",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/read",
        "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*",
        "Microsoft.RecoveryServices/Vaults/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/*",
        "Microsoft.RecoveryServices/Vaults/usages/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.RecoveryServices/Vaults/backupstorageconfig/*",
        "Microsoft.RecoveryServices/Vaults/backupconfig/*",
        "Microsoft.RecoveryServices/Vaults/backupValidateOperation/action",
        "Microsoft.RecoveryServices/Vaults/write",
        "Microsoft.RecoveryServices/Vaults/backupOperations/read",
        "Microsoft.RecoveryServices/Vaults/backupEngines/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/*",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read",
        "Microsoft.RecoveryServices/locations/backupStatus/action",
        "Microsoft.RecoveryServices/locations/backupPreValidateProtection/action",
        "Microsoft.RecoveryServices/locations/backupValidateFeatures/action",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/write",
        "Microsoft.RecoveryServices/operations/read",
        "Microsoft.RecoveryServices/locations/operationStatus/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read",
        "Microsoft.Support/*",
        "Microsoft.DataProtection/locations/getBackupStatus/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/write",
        "Microsoft.DataProtection/backupVaults/backupInstances/delete",
        "Microsoft.DataProtection/backupVaults/backupInstances/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/backup/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/restore/action",
        "Microsoft.DataProtection/backupVaults/backupPolicies/write",
        "Microsoft.DataProtection/backupVaults/backupPolicies/delete",
        "Microsoft.DataProtection/backupVaults/backupPolicies/read",
        "Microsoft.DataProtection/backupVaults/backupPolicies/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action",
        "Microsoft.DataProtection/backupVaults/write",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/backupVaults/operationResults/read",
        "Microsoft.DataProtection/locations/checkNameAvailability/action",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/locations/operationStatus/read",
        "Microsoft.DataProtection/locations/operationResults/read",
        "Microsoft.DataProtection/backupVaults/validateForBackup/action",
        "Microsoft.DataProtection/providers/operations/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2017-01-03T13:12:15.7321344Z",
  "updatedOn": "2021-06-14T09:45:09.5641727Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Backup Operator",
  "type": "BuiltInRole",
  "description": "Lets you manage backup services, except removal of backup, vault creation and giving access to others",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/backup/action",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/action",
        "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/accessToken/action",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/revokeInstantItemRecovery/action",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action",
        "Microsoft.RecoveryServices/Vaults/backupJobs/*",
        "Microsoft.RecoveryServices/Vaults/backupJobsExport/action",
        "Microsoft.RecoveryServices/Vaults/backupOperationResults/*",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectableItems/*",
        "Microsoft.RecoveryServices/Vaults/backupProtectedItems/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read",
        "Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read",
        "Microsoft.RecoveryServices/Vaults/certificates/write",
        "Microsoft.RecoveryServices/Vaults/extendedInformation/read",
        "Microsoft.RecoveryServices/Vaults/extendedInformation/write",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/read",
        "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*",
        "Microsoft.RecoveryServices/Vaults/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/write",
        "Microsoft.RecoveryServices/Vaults/usages/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.RecoveryServices/Vaults/backupstorageconfig/*",
        "Microsoft.RecoveryServices/Vaults/backupValidateOperation/action",
        "Microsoft.RecoveryServices/Vaults/backupOperations/read",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/write",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/inquire/action",
        "Microsoft.RecoveryServices/Vaults/backupEngines/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read",
        "Microsoft.RecoveryServices/locations/backupStatus/action",
        "Microsoft.RecoveryServices/locations/backupPreValidateProtection/action",
        "Microsoft.RecoveryServices/locations/backupValidateFeatures/action",
        "Microsoft.RecoveryServices/locations/backupAadProperties/read",
        "Microsoft.RecoveryServices/locations/backupCrrJobs/action",
        "Microsoft.RecoveryServices/locations/backupCrrJob/action",
        "Microsoft.RecoveryServices/locations/backupCrossRegionRestore/action",
        "Microsoft.RecoveryServices/locations/backupCrrOperationResults/read",
        "Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/write",
        "Microsoft.RecoveryServices/operations/read",
        "Microsoft.RecoveryServices/locations/operationStatus/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read",
        "Microsoft.Support/*",
        "Microsoft.DataProtection/backupVaults/backupInstances/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/read",
        "Microsoft.DataProtection/backupVaults/backupPolicies/read",
        "Microsoft.DataProtection/backupVaults/backupPolicies/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/backupVaults/operationResults/read",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/locations/operationStatus/read",
        "Microsoft.DataProtection/locations/operationResults/read",
        "Microsoft.DataProtection/providers/operations/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2017-01-03T13:21:11.894764Z",
  "updatedOn": "2021-06-14T09:44:30.3420995Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Backup Reader",
  "type": "BuiltInRole",
  "description": "Can view backup services, but can't make changes",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.RecoveryServices/locations/allocatedStamp/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read",
        "Microsoft.RecoveryServices/Vaults/backupJobs/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupJobs/read",
        "Microsoft.RecoveryServices/Vaults/backupJobsExport/action",
        "Microsoft.RecoveryServices/Vaults/backupOperationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectedItems/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read",
        "Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read",
        "Microsoft.RecoveryServices/Vaults/extendedInformation/read",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/read",
        "Microsoft.RecoveryServices/Vaults/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/read",
        "Microsoft.RecoveryServices/Vaults/backupstorageconfig/read",
        "Microsoft.RecoveryServices/Vaults/backupconfig/read",
        "Microsoft.RecoveryServices/Vaults/backupOperations/read",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read",
        "Microsoft.RecoveryServices/Vaults/backupEngines/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read",
        "Microsoft.RecoveryServices/locations/backupStatus/action",
        "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/write",
        "Microsoft.RecoveryServices/operations/read",
        "Microsoft.RecoveryServices/locations/operationStatus/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read",
        "Microsoft.RecoveryServices/Vaults/usages/read",
        "Microsoft.RecoveryServices/locations/backupValidateFeatures/action",
        "Microsoft.RecoveryServices/locations/backupCrrJobs/action",
        "Microsoft.RecoveryServices/locations/backupCrrJob/action",
        "Microsoft.RecoveryServices/locations/backupCrrOperationResults/read",
        "Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read",
        "Microsoft.DataProtection/locations/getBackupStatus/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/write",
        "Microsoft.DataProtection/backupVaults/backupInstances/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/backup/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/restore/action",
        "Microsoft.DataProtection/backupVaults/backupPolicies/read",
        "Microsoft.DataProtection/backupVaults/backupPolicies/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/backupVaults/operationResults/read",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/locations/operationStatus/read",
        "Microsoft.DataProtection/locations/operationResults/read",
        "Microsoft.DataProtection/backupVaults/validateForBackup/action",
        "Microsoft.DataProtection/providers/operations/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2017-01-03T13:18:41.3893065Z",
  "updatedOn": "2021-06-10T06:11:04.3823975Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Billing Reader",
  "type": "BuiltInRole",
  "description": "Allows read access to billing data",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Billing/*/read",
        "Microsoft.Commerce/*/read",
        "Microsoft.Consumption/*/read",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.CostManagement/*/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2017-04-25T02:13:38.9054151Z",
  "updatedOn": "2018-09-26T17:45:09.2227236Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "BizTalk Contributor",
  "type": "BuiltInRole",
  "description": "Lets you manage BizTalk services, but not access to them.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.BizTalkServices/BizTalk/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2015-02-02T21:55:09.8806423Z",
  "updatedOn": "2019-02-05T20:42:18.897821Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Blockchain Member Node Access (Preview)",
  "type": "BuiltInRole",
  "description": "Allows for access to Blockchain Member nodes",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Blockchain/blockchainMembers/transactionNodes/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Blockchain/blockchainMembers/transactionNodes/connect/action"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2018-12-21T10:33:01.9604839Z",
  "updatedOn": "2018-12-21T10:33:58.0042162Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Blueprint Contributor",
  "type": "BuiltInRole",
  "description": "Can manage blueprint definitions, but not assign them.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Blueprint/blueprints/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-08-14T21:55:16.9683949Z",
  "updatedOn": "2019-08-17T00:10:55.7494677Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Blueprint Operator",
  "type": "BuiltInRole",
  "description": "Can assign existing published blueprints, but cannot create new blueprints. NOTE: this only works if the assignment is done with a user-assigned managed identity.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Blueprint/blueprintAssignments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-08-14T21:56:48.7897875Z",
  "updatedOn": "2019-08-17T00:06:02.6509737Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "CDN Endpoint Contributor",
  "type": "BuiltInRole",
  "description": "Can manage CDN endpoints, but can’t grant access to other users.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Cdn/edgenodes/read",
        "Microsoft.Cdn/operationresults/*",
        "Microsoft.Cdn/profiles/endpoints/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2016-01-23T02:48:46.4996252Z",
  "updatedOn": "2016-05-31T23:13:52.6231539Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "CDN Endpoint Reader",
  "type": "BuiltInRole",
  "description": "Can view CDN endpoints, but can’t make changes.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Cdn/edgenodes/read",
        "Microsoft.Cdn/operationresults/*",
        "Microsoft.Cdn/profiles/endpoints/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2016-01-23T02:48:46.4996252Z",
  "updatedOn": "2016-05-31T23:13:53.1585846Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "CDN Profile Contributor",
  "type": "BuiltInRole",
  "description": "Can manage CDN profiles and their endpoints, but can’t grant access to other users.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Cdn/edgenodes/read",
        "Microsoft.Cdn/operationresults/*",
        "Microsoft.Cdn/profiles/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2016-01-23T02:48:46.4996252Z",
  "updatedOn": "2016-05-31T23:13:53.7051278Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "CDN Profile Reader",
  "type": "BuiltInRole",
  "description": "Can view CDN profiles and their endpoints, but can’t make changes.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Cdn/edgenodes/read",
        "Microsoft.Cdn/operationresults/*",
        "Microsoft.Cdn/profiles/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2016-01-23T02:48:46.4996252Z",
  "updatedOn": "2016-05-31T23:13:54.2283001Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Classic Network Contributor",
  "type": "BuiltInRole",
  "description": "Lets you manage classic networks, but not access to them.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ClassicNetwork/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2015-02-02T21:55:09.8806423Z",
  "updatedOn": "2019-02-05T21:24:39.7576926Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Classic Storage Account Contributor",
  "type": "BuiltInRole",
  "description": "Lets you manage classic storage accounts, but not access to them.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ClassicStorage/storageAccounts/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2015-02-02T21:55:09.8806423Z",
  "updatedOn": "2019-02-05T21:24:30.8964641Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Classic Storage Account Key Operator Service Role",
  "type": "BuiltInRole",
  "description": "Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.ClassicStorage/storageAccounts/listkeys/action",
        "Microsoft.ClassicStorage/storageAccounts/regeneratekey/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2017-04-13T18:22:52.14611Z",
  "updatedOn": "2017-04-13T20:54:03.0505986Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Classic Virtual Machine Contributor",
  "type": "BuiltInRole",
  "description": "Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they’re connected to.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ClassicCompute/domainNames/*",
        "Microsoft.ClassicCompute/virtualMachines/*",
        "Microsoft.ClassicNetwork/networkSecurityGroups/join/action",
        "Microsoft.ClassicNetwork/reservedIps/link/action",
        "Microsoft.ClassicNetwork/reservedIps/read",
        "Microsoft.ClassicNetwork/virtualNetworks/join/action",
        "Microsoft.ClassicNetwork/virtualNetworks/read",
        "Microsoft.ClassicStorage/storageAccounts/disks/read",
        "Microsoft.ClassicStorage/storageAccounts/images/read",
        "Microsoft.ClassicStorage/storageAccounts/listKeys/action",
        "Microsoft.ClassicStorage/storageAccounts/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2015-04-25T00:37:56.5416086Z",
  "updatedOn": "2019-02-05T21:24:43.0770473Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "ClearDB MySQL DB Contributor",
  "type": "BuiltInRole",
  "description": "Lets you manage ClearDB MySQL databases, but not access to them.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "successbricks.cleardb/databases/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2015-02-02T21:55:09.8806423Z",
  "updatedOn": "2019-02-05T20:42:23.2893077Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "CodeSigning Certificate Profile Signer",
  "type": "BuiltInRole",
  "description": "Sign files with a certificate profile. This role is in preview and subject to change.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CodeSigning/certificateProfiles/Sign/action"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-08-16T23:17:53.0002693Z",
  "updatedOn": "2021-08-16T23:17:53.0002693Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Cognitive Services Contributor",
  "type": "BuiltInRole",
  "description": "Lets you create, read, update, delete and manage keys of Cognitive Services.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.CognitiveServices/*",
        "Microsoft.Features/features/read",
        "Microsoft.Features/providers/features/read",
        "Microsoft.Features/providers/features/register/action",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/diagnosticSettings/*",
        "Microsoft.Insights/logDefinitions/read",
        "Microsoft.Insights/metricdefinitions/read",
        "Microsoft.Insights/metrics/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2018-08-08T23:18:39.2257848Z",
  "updatedOn": "2021-08-03T17:25:27.6686322Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Cognitive Services Custom Vision Contributor",
  "type": "BuiltInRole",
  "description": "Full access to the project, including the ability to view, create, edit, or delete projects.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/*"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-05-08T23:47:07.0779345Z",
  "updatedOn": "2020-05-08T23:47:07.0779345Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Cognitive Services Custom Vision Deployment",
  "type": "BuiltInRole",
  "description": "Publish, unpublish or export models. Deployment can view the project but can’t update.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/*/read",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/*",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/publish/*",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/export/*",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/quicktest/*",
        "Microsoft.CognitiveServices/accounts/CustomVision/classify/*",
        "Microsoft.CognitiveServices/accounts/CustomVision/detect/*"
      ],
      "notDataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read"
      ]
    }
  ],
  "createdOn": "2020-05-09T01:31:05.952862Z",
  "updatedOn": "2020-05-09T01:31:05.952862Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Cognitive Services Custom Vision Labeler",
  "type": "BuiltInRole",
  "description": "View, edit training images and create, add, remove, or delete the image tags. Labelers can view the project but can’t update anything other than training images and tags.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/*/read",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/images/*",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/tags/*",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/images/suggested/*",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/tagsandregions/suggestions/action"
      ],
      "notDataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read"
      ]
    }
  ],
  "createdOn": "2020-05-09T01:33:20.8278896Z",
  "updatedOn": "2020-05-09T01:33:20.8278896Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Cognitive Services Custom Vision Reader",
  "type": "BuiltInRole",
  "description": "Read-only actions in the project. Readers can’t create or update the project.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/*/read",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action"
      ],
      "notDataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read"
      ]
    }
  ],
  "createdOn": "2020-05-09T01:34:18.5328818Z",
  "updatedOn": "2020-05-09T01:34:18.5328818Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Cognitive Services Custom Vision Trainer",
  "type": "BuiltInRole",
  "description": "View, edit projects and train the models, including the ability to publish, unpublish, export the models. Trainers can’t create or delete the project.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/*"
      ],
      "notDataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/action",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/delete",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/import/action",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read"
      ]
    }
  ],
  "createdOn": "2020-05-09T01:35:13.8147804Z",
  "updatedOn": "2020-05-09T01:35:13.8147804Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Cognitive Services Data Reader (Preview)",
  "type": "BuiltInRole",
  "description": "Lets you read Cognitive Services data.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/*/read"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-02-13T20:02:12.6849986Z",
  "updatedOn": "2019-02-13T22:53:55.167529Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Cognitive Services Face Recognizer",
  "type": "BuiltInRole",
  "description": "Lets you perform detect, verify, identify, group, and find similar operations on Face API. This role does not allow create or delete operations, which makes it well suited for endpoints that only need inferencing capabilities, following 'least privilege' best practices.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/Face/detect/action",
        "Microsoft.CognitiveServices/accounts/Face/verify/action",
        "Microsoft.CognitiveServices/accounts/Face/identify/action",
        "Microsoft.CognitiveServices/accounts/Face/group/action",
        "Microsoft.CognitiveServices/accounts/Face/findsimilars/action"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-03-31T01:51:41.3557295Z",
  "updatedOn": "2021-03-31T01:51:41.3557295Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Cognitive Services Metrics Advisor Administrator",
  "type": "BuiltInRole",
  "description": "Full access to the project, including the system level configuration.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/MetricsAdvisor/*"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-09-10T07:46:47.5804491Z",
  "updatedOn": "2020-09-16T12:07:16.3975746Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Cognitive Services Metrics Advisor User",
  "type": "BuiltInRole",
  "description": "Access to the project.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/MetricsAdvisor/*"
      ],
      "notDataActions": [
        "Microsoft.CognitiveServices/accounts/MetricsAdvisor/stats/*"
      ]
    }
  ],
  "createdOn": "2020-09-10T07:47:59.6195639Z",
  "updatedOn": "2020-09-16T12:06:29.1731967Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Cognitive Services QnA Maker Editor",
  "type": "BuiltInRole",
  "description": "Let’s you create, edit, import and export a KB. You cannot publish or delete a KB.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read",
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Authorization/roleDefinitions/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/create/write",
        "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/write",
        "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action",
        "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/train/action",
        "Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker/alterations/write",
        "Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/refreshkeys/action",
        "Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/write",
        "Microsoft.CognitiveServices/accounts/QnAMaker/operations/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/create/write",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/write",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/train/action",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/write",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/refreshkeys/action",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/write",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/operations/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/create/write",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/write",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/train/action",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/write",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/refreshkeys/action",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/write",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/operations/read"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-12-17T18:27:30.6434556Z",
  "updatedOn": "2021-03-11T06:28:27.6422359Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Cognitive Services QnA Maker Reader",
  "type": "BuiltInRole",
  "description": "Let’s you read and test a KB only.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read",
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Authorization/roleDefinitions/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action",
        "Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-12-17T18:26:12.3329439Z",
  "updatedOn": "2021-03-11T06:28:58.342704Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Cognitive Services Speech Contributor",
  "type": "BuiltInRole",
  "description": "Full access to Speech projects, including read, write and delete all entities, for real-time speech recognition and batch transcription tasks, real-time speech synthesis and long audio tasks, custom speech and custom voice.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/SpeechServices/*",
        "Microsoft.CognitiveServices/accounts/CustomVoice/*"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-03-30T11:28:49.7826633Z",
  "updatedOn": "2021-07-29T07:27:43.0939694Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Cognitive Services Speech User",
  "type": "BuiltInRole",
  "description": "Access to the real-time speech recognition and batch transcription APIs, real-time speech synthesis and long audio APIs, as well as to read the data/test/model/endpoint for custom models, but can’t create, delete or modify the data/test/model/endpoint for custom models.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/SpeechServices/*/read",
        "Microsoft.CognitiveServices/accounts/SpeechServices/*/transcriptions/write",
        "Microsoft.CognitiveServices/accounts/SpeechServices/*/transcriptions/delete",
        "Microsoft.CognitiveServices/accounts/SpeechServices/*/transcriptions/read",
        "Microsoft.CognitiveServices/accounts/SpeechServices/*/frontend/action",
        "Microsoft.CognitiveServices/accounts/SpeechServices/text-dependent/*/action",
        "Microsoft.CognitiveServices/accounts/SpeechServices/text-independent/*/action",
        "Microsoft.CognitiveServices/accounts/CustomVoice/*/read",
        "Microsoft.CognitiveServices/accounts/CustomVoice/evaluations/*",
        "Microsoft.CognitiveServices/accounts/CustomVoice/longaudiosynthesis/*"
      ],
      "notDataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVoice/trainingsets/files/read",
        "Microsoft.CognitiveServices/accounts/CustomVoice/datasets/files/read",
        "Microsoft.CognitiveServices/accounts/CustomVoice/trainingsets/utterances/read"
      ]
    }
  ],
  "createdOn": "2021-03-30T11:28:27.4339032Z",
  "updatedOn": "2021-07-29T07:29:04.3756627Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Cognitive Services User",
  "type": "BuiltInRole",
  "description": "Lets you read and list keys of Cognitive Services.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read",
        "Microsoft.CognitiveServices/accounts/listkeys/action",
        "Microsoft.Insights/alertRules/read",
        "Microsoft.Insights/diagnosticSettings/read",
        "Microsoft.Insights/logDefinitions/read",
        "Microsoft.Insights/metricdefinitions/read",
        "Microsoft.Insights/metrics/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/*"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2018-08-08T23:23:43.7701274Z",
  "updatedOn": "2019-02-13T19:53:56.7209248Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Collaborative Data Contributor",
  "type": "BuiltInRole",
  "description": "Can manage data packages of a collaborative.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.IndustryDataLifecycle/custodianCollaboratives/*/read",
        "Microsoft.IndustryDataLifecycle/memberCollaboratives/*/read",
        "Microsoft.IndustryDataLifecycle/locations/dataPackages/*",
        "Microsoft.IndustryDataLifecycle/custodianCollaboratives/receivedDataPackages/*",
        "Microsoft.IndustryDataLifecycle/custodianCollaboratives/rejectDataPackage/action",
        "Microsoft.IndustryDataLifecycle/memberCollaboratives/sharedDataPackages/*",
        "Microsoft.IndustryDataLifecycle/custodianCollaboratives/dataModels/*",
        "Microsoft.IndustryDataLifecycle/custodianCollaboratives/auditLogs/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-08-14T11:58:31.8973556Z",
  "updatedOn": "2021-03-17T06:19:53.4915361Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Collaborative Runtime Operator",
  "type": "BuiltInRole",
  "description": "Can manage resources created by AICS at runtime",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.IndustryDataLifecycle/derivedModels/*",
        "Microsoft.IndustryDataLifecycle/pipelineSets/*",
        "Microsoft.IndustryDataLifecycle/modelMappings/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-01-19T10:00:27.3464971Z",
  "updatedOn": "2021-04-26T06:26:59.0344457Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Contributor",
  "type": "BuiltInRole",
  "description": "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "*"
      ],
      "notActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
        "Microsoft.Blueprint/blueprintAssignments/write",
        "Microsoft.Blueprint/blueprintAssignments/delete",
        "Microsoft.Compute/galleries/share/action"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2015-02-02T21:55:09.8806423Z",
  "updatedOn": "2020-12-04T00:34:54.8501087Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false true 1 /subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourceGroups/NSG/providers/Microsoft.Authorization/roleAssignments/1fe0074e-959c-4d3e-9478-9dc99a34062a
{
  "roleName": "Cosmos DB Account Reader Role",
  "type": "BuiltInRole",
  "description": "Can read Azure Cosmos DB Accounts data",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.DocumentDB/*/read",
        "Microsoft.DocumentDB/databaseAccounts/readonlykeys/action",
        "Microsoft.Insights/MetricDefinitions/read",
        "Microsoft.Insights/Metrics/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2017-10-30T17:53:54.6005577Z",
  "updatedOn": "2018-02-21T01:36:59.6186231Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Cosmos DB Operator",
  "type": "BuiltInRole",
  "description": "Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.DocumentDb/databaseAccounts/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action"
      ],
      "notActions": [
        "Microsoft.DocumentDB/databaseAccounts/readonlyKeys/*",
        "Microsoft.DocumentDB/databaseAccounts/regenerateKey/*",
        "Microsoft.DocumentDB/databaseAccounts/listKeys/*",
        "Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/*",
        "Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write",
        "Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/delete",
        "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write",
        "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/delete"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-04-26T17:01:17.0169383Z",
  "updatedOn": "2021-02-25T21:29:52.2924071Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "CosmosBackupOperator",
  "type": "BuiltInRole",
  "description": "Can submit restore request for a Cosmos DB database or a container for an account",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.DocumentDB/databaseAccounts/backup/action",
        "Microsoft.DocumentDB/databaseAccounts/restore/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2018-12-07T19:47:14.965156Z",
  "updatedOn": "2018-12-07T19:52:21.9969834Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "CosmosRestoreOperator",
  "type": "BuiltInRole",
  "description": "Can perform restore action for Cosmos DB database account with continuous backup mode",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restore/action",
        "Microsoft.DocumentDB/locations/restorableDatabaseAccounts/*/read",
        "Microsoft.DocumentDB/locations/restorableDatabaseAccounts/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-01-21T19:51:35.3884884Z",
  "updatedOn": "2021-01-23T01:40:20.9862312Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Cost Management Contributor",
  "type": "BuiltInRole",
  "description": "Can view costs and manage cost configuration (e.g. budgets, exports)",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Consumption/*",
        "Microsoft.CostManagement/*",
        "Microsoft.Billing/billingPeriods/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Advisor/configurations/read",
        "Microsoft.Advisor/recommendations/read",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.Billing/billingProperty/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2018-03-14T16:09:22.8834827Z",
  "updatedOn": "2020-12-07T19:54:47.1563148Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Cost Management Reader",
  "type": "BuiltInRole",
  "description": "Can view cost data and configuration (e.g. budgets, exports)",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Consumption/*/read",
        "Microsoft.CostManagement/*/read",
        "Microsoft.Billing/billingPeriods/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Advisor/configurations/read",
        "Microsoft.Advisor/recommendations/read",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.Billing/billingProperty/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2018-03-14T16:09:22.8834827Z",
  "updatedOn": "2020-12-07T19:53:58.6391267Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "properties": {
    "roleName": "CustRole_P_9982_176",
    "type": "CustomRole",
    "description": "Testing procedure 9982_176",
    "assignableScopes": [
      "/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466"
    ],
    "permissions": [
      {
        "actions": [
          "*"
        ],
        "notActions": [
          "Microsoft.Authorization/*/Delete",
          "Microsoft.Authorization/*/Write",
          "Microsoft.Authorization/elevateAccess/Action",
          "Microsoft.Blueprint/blueprintAssignments/delete"
        ]
      }
    ],
    "createdOn": "2021-05-18T18:03:13.3689603Z",
    "updatedOn": "2021-05-18T18:23:40.930248Z",
    "createdBy": "acf4c68f-7b15-4d70-935b-26116fc2426a",
    "updatedBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149"
  },
  "id": "/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/providers/Microsoft.Authorization/roleDefinitions/6b44d6da-5658-444e-a36d-ce64b14011ab",
  "type": "Microsoft.Authorization/roleDefinitions",
  "name": "6b44d6da-5658-444e-a36d-ce64b14011ab"
}
Custom false false 0 n/a
{
  "properties": {
    "roleName": "CustRole_P_9982_178",
    "type": "CustomRole",
    "description": "test role P_9982_178",
    "assignableScopes": [
      "/subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f",
      "/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466"
    ],
    "permissions": [
      {
        "actions": [
          "*"
        ],
        "notActions": [
          "Microsoft.Authorization/*/Write",
          "Microsoft.Authorization/elevateAccess/Action",
          "Microsoft.Blueprint/blueprintAssignments/write",
          "Microsoft.Blueprint/blueprintAssignments/delete",
          "Microsoft.Compute/galleries/share/action"
        ]
      }
    ],
    "createdOn": "2021-06-16T10:10:06.4648517Z",
    "updatedOn": "2021-06-16T10:10:06.4648517Z",
    "createdBy": "acf4c68f-7b15-4d70-935b-26116fc2426a",
    "updatedBy": "acf4c68f-7b15-4d70-935b-26116fc2426a"
  },
  "id": "/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/providers/Microsoft.Authorization/roleDefinitions/fc14b032-e6e8-440b-a328-f55918e8c83e",
  "type": "Microsoft.Authorization/roleDefinitions",
  "name": "fc14b032-e6e8-440b-a328-f55918e8c83e"
}
Custom false false 0 n/a
{
  "roleName": "Data Box Contributor",
  "type": "BuiltInRole",
  "description": "Lets you manage everything under Data Box Service except giving access to others.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Databox/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2018-07-27T08:28:42.714021Z",
  "updatedOn": "2018-07-27T08:36:56.3827309Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Data Box Reader",
  "type": "BuiltInRole",
  "description": "Lets you manage Data Box Service except creating order or editing order details and giving access to others.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Databox/*/read",
        "Microsoft.Databox/jobs/listsecrets/action",
        "Microsoft.Databox/jobs/listcredentials/action",
        "Microsoft.Databox/locations/availableSkus/action",
        "Microsoft.Databox/locations/validateInputs/action",
        "Microsoft.Databox/locations/regionConfiguration/action",
        "Microsoft.Databox/locations/validateAddress/action",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2018-07-27T08:26:21.9284772Z",
  "updatedOn": "2020-01-24T05:39:52.6143537Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Data Factory Contributor",
  "type": "BuiltInRole",
  "description": "Create and manage data factories, as well as child resources within them.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.DataFactory/dataFactories/*",
        "Microsoft.DataFactory/factories/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.EventGrid/eventSubscriptions/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2015-02-02T21:55:09.8806423Z",
  "updatedOn": "2020-02-14T19:49:21.5789216Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Data Lake Analytics Developer",
  "type": "BuiltInRole",
  "description": "Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.BigAnalytics/accounts/*",
        "Microsoft.DataLakeAnalytics/accounts/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.BigAnalytics/accounts/Delete",
        "Microsoft.BigAnalytics/accounts/TakeOwnership/action",
        "Microsoft.BigAnalytics/accounts/Write",
        "Microsoft.DataLakeAnalytics/accounts/Delete",
        "Microsoft.DataLakeAnalytics/accounts/TakeOwnership/action",
        "Microsoft.DataLakeAnalytics/accounts/Write",
        "Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Write",
        "Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Delete",
        "Microsoft.DataLakeAnalytics/accounts/storageAccounts/Write",
        "Microsoft.DataLakeAnalytics/accounts/storageAccounts/Delete",
        "Microsoft.DataLakeAnalytics/accounts/firewallRules/Write",
        "Microsoft.DataLakeAnalytics/accounts/firewallRules/Delete",
        "Microsoft.DataLakeAnalytics/accounts/computePolicies/Write",
        "Microsoft.DataLakeAnalytics/accounts/computePolicies/Delete"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2015-10-20T00:33:29.3115234Z",
  "updatedOn": "2017-08-18T00:00:17.0411642Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Data Purger",
  "type": "BuiltInRole",
  "description": "Can purge analytics data",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Insights/components/*/read",
        "Microsoft.Insights/components/purge/action",
        "Microsoft.OperationalInsights/workspaces/*/read",
        "Microsoft.OperationalInsights/workspaces/purge/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2018-04-30T22:39:49.61677Z",
  "updatedOn": "2018-04-30T22:44:15.1171162Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Desktop Virtualization Application Group Contributor",
  "type": "BuiltInRole",
  "description": "Contributor of the Desktop Virtualization Application Group.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.DesktopVirtualization/applicationgroups/*",
        "Microsoft.DesktopVirtualization/hostpools/read",
        "Microsoft.DesktopVirtualization/hostpools/sessionhosts/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-12-11T21:41:38.6205531Z",
  "updatedOn": "2020-12-11T21:41:38.6205531Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Desktop Virtualization Application Group Reader",
  "type": "BuiltInRole",
  "description": "Reader of the Desktop Virtualization Application Group.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.DesktopVirtualization/applicationgroups/*/read",
        "Microsoft.DesktopVirtualization/applicationgroups/read",
        "Microsoft.DesktopVirtualization/hostpools/read",
        "Microsoft.DesktopVirtualization/hostpools/sessionhosts/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-12-11T21:41:18.0287398Z",
  "updatedOn": "2020-12-11T21:41:18.0287398Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Desktop Virtualization Contributor",
  "type": "BuiltInRole",
  "description": "Contributor of Desktop Virtualization.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.DesktopVirtualization/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-12-11T21:37:16.2910337Z",
  "updatedOn": "2020-12-11T21:37:16.2910337Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Desktop Virtualization Host Pool Contributor",
  "type": "BuiltInRole",
  "description": "Contributor of the Desktop Virtualization Host Pool.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.DesktopVirtualization/hostpools/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-12-11T21:40:57.2976187Z",
  "updatedOn": "2020-12-11T21:40:57.2976187Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Desktop Virtualization Host Pool Reader",
  "type": "BuiltInRole",
  "description": "Reader of the Desktop Virtualization Host Pool.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.DesktopVirtualization/hostpools/*/read",
        "Microsoft.DesktopVirtualization/hostpools/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-12-11T21:40:33.1430834Z",
  "updatedOn": "2020-12-11T21:40:33.1430834Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Desktop Virtualization Reader",
  "type": "BuiltInRole",
  "description": "Reader of Desktop Virtualization.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.DesktopVirtualization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-12-11T21:36:19.0140629Z",
  "updatedOn": "2020-12-11T21:36:19.0140629Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Desktop Virtualization Session Host Operator",
  "type": "BuiltInRole",
  "description": "Operator of the Desktop Virtualization Session Host.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.DesktopVirtualization/hostpools/read",
        "Microsoft.DesktopVirtualization/hostpools/sessionhosts/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-12-11T21:39:53.2569741Z",
  "updatedOn": "2020-12-11T21:39:53.2569741Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Desktop Virtualization User",
  "type": "BuiltInRole",
  "description": "Allows user to use the applications in an application group.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.DesktopVirtualization/applicationGroups/useApplications/action"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-08-07T00:29:03.8727621Z",
  "updatedOn": "2019-08-07T00:29:03.8727621Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Desktop Virtualization User Session Operator",
  "type": "BuiltInRole",
  "description": "Operator of the Desktop Virtualization Uesr Session.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.DesktopVirtualization/hostpools/read",
        "Microsoft.DesktopVirtualization/hostpools/sessionhosts/read",
        "Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-12-11T21:39:16.9100273Z",
  "updatedOn": "2020-12-11T21:39:16.9100273Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Desktop Virtualization Workspace Contributor",
  "type": "BuiltInRole",
  "description": "Contributor of the Desktop Virtualization Workspace.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.DesktopVirtualization/workspaces/*",
        "Microsoft.DesktopVirtualization/applicationgroups/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-12-11T21:38:29.6089216Z",
  "updatedOn": "2020-12-11T21:38:29.6089216Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Desktop Virtualization Workspace Reader",
  "type": "BuiltInRole",
  "description": "Reader of the Desktop Virtualization Workspace.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.DesktopVirtualization/workspaces/read",
        "Microsoft.DesktopVirtualization/applicationgroups/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-12-11T21:41:58.1892707Z",
  "updatedOn": "2020-12-11T21:41:58.1892707Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Device Provisioning Service Data Contributor",
  "type": "BuiltInRole",
  "description": "Allows for full access to Device Provisioning Service data-plane operations.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Devices/provisioningServices/*"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-08-09T19:54:03.2783227Z",
  "updatedOn": "2021-08-09T19:54:03.2783227Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Device Provisioning Service Data Reader",
  "type": "BuiltInRole",
  "description": "Allows for full read access to Device Provisioning Service data-plane properties.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Devices/provisioningServices/*/read"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-08-09T19:53:12.1374732Z",
  "updatedOn": "2021-08-09T19:53:12.1374732Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Device Update Administrator",
  "type": "BuiltInRole",
  "description": "Gives you full access to management and content operations",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Insights/alertRules/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.DeviceUpdate/accounts/instances/updates/read",
        "Microsoft.DeviceUpdate/accounts/instances/updates/write",
        "Microsoft.DeviceUpdate/accounts/instances/updates/delete",
        "Microsoft.DeviceUpdate/accounts/instances/management/read",
        "Microsoft.DeviceUpdate/accounts/instances/management/write",
        "Microsoft.DeviceUpdate/accounts/instances/management/delete"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-08-21T23:56:22.352051Z",
  "updatedOn": "2020-08-21T23:56:22.352051Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Device Update Content Administrator",
  "type": "BuiltInRole",
  "description": "Gives you full access to content operations",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Insights/alertRules/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.DeviceUpdate/accounts/instances/updates/read",
        "Microsoft.DeviceUpdate/accounts/instances/updates/write",
        "Microsoft.DeviceUpdate/accounts/instances/updates/delete"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-08-21T23:58:18.42555Z",
  "updatedOn": "2020-08-21T23:58:18.42555Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Device Update Content Reader",
  "type": "BuiltInRole",
  "description": "Gives you read access to content operations, but does not allow making changes",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Insights/alertRules/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.DeviceUpdate/accounts/instances/updates/read"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-08-22T00:02:43.3299181Z",
  "updatedOn": "2020-08-22T00:02:43.3299181Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Device Update Deployments Administrator",
  "type": "BuiltInRole",
  "description": "Gives you full access to management operations",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Insights/alertRules/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.DeviceUpdate/accounts/instances/management/read",
        "Microsoft.DeviceUpdate/accounts/instances/management/write",
        "Microsoft.DeviceUpdate/accounts/instances/management/delete"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-08-21T23:59:52.1001666Z",
  "updatedOn": "2020-08-21T23:59:52.1001666Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Device Update Deployments Reader",
  "type": "BuiltInRole",
  "description": "Gives you read access to management operations, but does not allow making changes",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Insights/alertRules/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.DeviceUpdate/accounts/instances/management/read"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-08-22T00:01:34.705363Z",
  "updatedOn": "2020-08-22T00:01:34.705363Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Device Update Reader",
  "type": "BuiltInRole",
  "description": "Gives you read access to management and content operations, but does not allow making changes",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Insights/alertRules/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.DeviceUpdate/accounts/instances/updates/read",
        "Microsoft.DeviceUpdate/accounts/instances/management/read"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-08-21T23:40:19.237361Z",
  "updatedOn": "2020-08-21T23:40:19.237361Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "DevTest Labs User",
  "type": "BuiltInRole",
  "description": "Lets you connect, start, restart, and shutdown your virtual machines in your Azure DevTest Labs.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Compute/availabilitySets/read",
        "Microsoft.Compute/virtualMachines/*/read",
        "Microsoft.Compute/virtualMachines/deallocate/action",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.DevTestLab/*/read",
        "Microsoft.DevTestLab/labs/claimAnyVm/action",
        "Microsoft.DevTestLab/labs/createEnvironment/action",
        "Microsoft.DevTestLab/labs/ensureCurrentUserProfile/action",
        "Microsoft.DevTestLab/labs/formulas/delete",
        "Microsoft.DevTestLab/labs/formulas/read",
        "Microsoft.DevTestLab/labs/formulas/write",
        "Microsoft.DevTestLab/labs/policySets/evaluatePolicies/action",
        "Microsoft.DevTestLab/labs/virtualMachines/claim/action",
        "Microsoft.DevTestLab/labs/virtualmachines/listApplicableSchedules/action",
        "Microsoft.DevTestLab/labs/virtualMachines/getRdpFileContents/action",
        "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
        "Microsoft.Network/loadBalancers/inboundNatRules/join/action",
        "Microsoft.Network/networkInterfaces/*/read",
        "Microsoft.Network/networkInterfaces/join/action",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkInterfaces/write",
        "Microsoft.Network/publicIPAddresses/*/read",
        "Microsoft.Network/publicIPAddresses/join/action",
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/listKeys/action"
      ],
      "notActions": [
        "Microsoft.Compute/virtualMachines/vmSizes/read"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2015-06-08T21:52:45.0657582Z",
  "updatedOn": "2019-05-08T11:27:34.8855476Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "DICOM Data Owner",
  "type": "BuiltInRole",
  "description": "Full access to DICOM data.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.HealthcareApis/workspaces/dicomservices/resources/*"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-06-17T20:59:30.8659515Z",
  "updatedOn": "2021-06-17T20:59:30.8659515Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "DICOM Data Reader",
  "type": "BuiltInRole",
  "description": "Read and search DICOM data.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.HealthcareApis/workspaces/dicomservices/resources/read"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-06-17T20:58:30.1630494Z",
  "updatedOn": "2021-06-17T20:58:30.1630494Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Disk Backup Reader",
  "type": "BuiltInRole",
  "description": "Provides permission to backup vault to perform disk backup.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Compute/disks/read",
        "Microsoft.Compute/disks/beginGetAccess/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-12-15T07:39:03.8394514Z",
  "updatedOn": "2020-12-18T05:00:23.3015246Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Disk Restore Operator",
  "type": "BuiltInRole",
  "description": "Provides permission to backup vault to perform disk restore.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Compute/disks/write",
        "Microsoft.Compute/disks/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-12-15T12:18:31.8481619Z",
  "updatedOn": "2020-12-18T05:00:53.9562743Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Disk Snapshot Contributor",
  "type": "BuiltInRole",
  "description": "Provides permission to backup vault to manage disk snapshots.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Compute/snapshots/delete",
        "Microsoft.Compute/snapshots/write",
        "Microsoft.Compute/snapshots/read",
        "Microsoft.Compute/snapshots/beginGetAccess/action",
        "Microsoft.Compute/snapshots/endGetAccess/action",
        "Microsoft.Compute/disks/beginGetAccess/action",
        "Microsoft.Storage/storageAccounts/listkeys/action",
        "Microsoft.Storage/storageAccounts/write",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-12-15T12:18:51.4471411Z",
  "updatedOn": "2021-01-06T04:00:07.5681241Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "DNS Zone Contributor",
  "type": "BuiltInRole",
  "description": "Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Network/dnsZones/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2015-10-15T23:33:25.9730842Z",
  "updatedOn": "2016-05-31T23:13:40.3710365Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "DocumentDB Account Contributor",
  "type": "BuiltInRole",
  "description": "Lets you manage DocumentDB accounts, but not access to them.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.DocumentDb/databaseAccounts/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2015-02-02T21:55:09.8806423Z",
  "updatedOn": "2019-11-21T01:38:32.0948484Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "EventGrid Contributor",
  "type": "BuiltInRole",
  "description": "Lets you manage EventGrid operations.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.EventGrid/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-02-08T18:46:18.8999557Z",
  "updatedOn": "2021-02-11T00:02:16.0328078Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "EventGrid Data Sender",
  "type": "BuiltInRole",
  "description": "Allows send access to event grid events.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.EventGrid/topics/read",
        "Microsoft.EventGrid/domains/read",
        "Microsoft.EventGrid/partnerNamespaces/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.EventGrid/events/send/action"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-07-02T21:55:40.4847495Z",
  "updatedOn": "2021-07-02T21:55:40.4847495Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "EventGrid EventSubscription Contributor",
  "type": "BuiltInRole",
  "description": "Lets you manage EventGrid event subscription operations.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.EventGrid/eventSubscriptions/*",
        "Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
        "Microsoft.EventGrid/locations/eventSubscriptions/read",
        "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2018-10-08T23:27:28.3130743Z",
  "updatedOn": "2019-01-08T00:06:34.3543171Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "EventGrid EventSubscription Reader",
  "type": "BuiltInRole",
  "description": "Lets you read EventGrid event subscriptions.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.EventGrid/eventSubscriptions/read",
        "Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
        "Microsoft.EventGrid/locations/eventSubscriptions/read",
        "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2018-10-09T17:29:28.1417894Z",
  "updatedOn": "2019-01-08T00:05:40.2884365Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Experimentation Administrator",
  "type": "BuiltInRole",
  "description": "Experimentation Administrator",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Experimentation/experimentWorkspaces/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/admin/action",
        "Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/read",
        "Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/write",
        "Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/delete",
        "Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/experimentadmin/action",
        "Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/experiment/action",
        "Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/emergencystop/action",
        "Microsoft.Experimentation/experimentWorkspaces/read",
        "Microsoft.Experimentation/experimentWorkspaces/write",
        "Microsoft.Experimentation/experimentWorkspaces/delete",
        "Microsoft.Experimentation/experimentWorkspaces/admin/action",
        "Microsoft.Experimentation/experimentWorkspaces/metricwrite/action",
        "Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/metricwrite/action"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-12-18T22:46:33.1116612Z",
  "updatedOn": "2021-03-05T15:59:31.1406998Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Experimentation Contributor",
  "type": "BuiltInRole",
  "description": "Experimentation Contributor",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Experimentation/experimentWorkspaces/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/read",
        "Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/write",
        "Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/delete",
        "Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/experiment/action",
        "Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/emergencystop/action",
        "Microsoft.Experimentation/experimentWorkspaces/read",
        "Microsoft.Experimentation/experimentWorkspaces/write",
        "Microsoft.Experimentation/experimentWorkspaces/delete"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-12-13T00:08:08.6679591Z",
  "updatedOn": "2021-03-05T16:02:04.1620231Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Experimentation Metric Contributor",
  "type": "BuiltInRole",
  "description": "Allows for creation, writes and reads to the metric set via the metrics service APIs.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Experimentation/experimentWorkspaces/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/read",
        "Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/metricwrite/action",
        "Microsoft.Experimentation/experimentWorkspaces/metricwrite/action",
        "Microsoft.Experimentation/experimentWorkspaces/read"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-11-10T20:07:53.7535885Z",
  "updatedOn": "2021-03-05T16:14:20.5696005Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Experimentation Reader",
  "type": "BuiltInRole",
  "description": "Experimentation Reader",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Experimentation/experimentWorkspaces/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Experimentation/experimentWorkspaces/read",
        "Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/read"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-03-25T18:05:14.8375678Z",
  "updatedOn": "2021-01-11T18:32:43.8283983Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "FHIR Data Contributor",
  "type": "BuiltInRole",
  "description": "Role allows user or principal full access to FHIR Data",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.HealthcareApis/services/fhir/resources/*",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/*"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-03-17T18:35:04.4949547Z",
  "updatedOn": "2021-07-08T21:08:46.6798723Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "FHIR Data Converter",
  "type": "BuiltInRole",
  "description": "Role allows user or principal to convert data from legacy format to FHIR",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.HealthcareApis/services/fhir/resources/convertData/action",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/convertData/action"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-01-22T19:39:01.1601069Z",
  "updatedOn": "2021-07-08T21:09:09.7628275Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "FHIR Data Exporter",
  "type": "BuiltInRole",
  "description": "Role allows user or principal to read and export FHIR Data",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.HealthcareApis/services/fhir/resources/read",
        "Microsoft.HealthcareApis/services/fhir/resources/export/action",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/read",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/export/action"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-03-17T18:45:01.9764073Z",
  "updatedOn": "2021-07-16T18:09:31.1543835Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "FHIR Data Reader",
  "type": "BuiltInRole",
  "description": "Role allows user or principal to read FHIR Data",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.HealthcareApis/services/fhir/resources/read",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/read"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-03-17T18:49:04.8353499Z",
  "updatedOn": "2021-07-08T21:09:44.3689078Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "FHIR Data Writer",
  "type": "BuiltInRole",
  "description": "Role allows user or principal to read and write FHIR Data",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.HealthcareApis/services/fhir/resources/*",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/*"
      ],
      "notDataActions": [
        "Microsoft.HealthcareApis/services/fhir/resources/hardDelete/action",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/hardDelete/action"
      ]
    }
  ],
  "createdOn": "2020-03-17T18:55:35.2413335Z",
  "updatedOn": "2021-07-08T21:10:05.2894321Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Grafana Admin",
  "type": "BuiltInRole",
  "description": "Built-in Grafana admin role",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Dashboard/grafana/ActAsGrafanaAdmin/action"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-07-15T21:32:35.380234Z",
  "updatedOn": "2021-08-12T22:45:41.708387Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Grafana Editor",
  "type": "BuiltInRole",
  "description": "Built-in Grafana Editor role",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Dashboard/grafana/ActAsGrafanaEditor/action"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-08-05T16:37:32.5299593Z",
  "updatedOn": "2021-08-13T03:30:15.312925Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Grafana Viewer",
  "type": "BuiltInRole",
  "description": "Built-in Grafana Viewer role",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Dashboard/grafana/ActAsGrafanaViewer/action"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-08-05T16:36:18.7737511Z",
  "updatedOn": "2021-08-13T03:36:39.8144804Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Graph Owner",
  "type": "BuiltInRole",
  "description": "Create and manage all aspects of the Enterprise Graph - Ontology, Schema mapping, Conflation and Conversational AI and Ingestions",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.EnterpriseKnowledgeGraph/services/conflation/read",
        "Microsoft.EnterpriseKnowledgeGraph/services/conflation/write",
        "Microsoft.EnterpriseKnowledgeGraph/services/sourceschema/read",
        "Microsoft.EnterpriseKnowledgeGraph/services/sourceschema/write",
        "Microsoft.EnterpriseKnowledgeGraph/services/knowledge/read",
        "Microsoft.EnterpriseKnowledgeGraph/services/knowledge/write",
        "Microsoft.EnterpriseKnowledgeGraph/services/intentclassification/read",
        "Microsoft.EnterpriseKnowledgeGraph/services/intentclassification/write",
        "Microsoft.EnterpriseKnowledgeGraph/services/ingestion/read",
        "Microsoft.EnterpriseKnowledgeGraph/services/ingestion/write",
        "Microsoft.EnterpriseKnowledgeGraph/services/ontology/read",
        "Microsoft.EnterpriseKnowledgeGraph/services/ontology/write",
        "Microsoft.EnterpriseKnowledgeGraph/services/delete",
        "Microsoft.EnterpriseKnowledgeGraph/operations/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-02-23T21:07:22.5844236Z",
  "updatedOn": "2019-02-28T20:21:18.9318073Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "HDInsight Cluster Operator",
  "type": "BuiltInRole",
  "description": "Lets you read and modify HDInsight cluster configurations.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.HDInsight/*/read",
        "Microsoft.HDInsight/clusters/getGatewaySettings/action",
        "Microsoft.HDInsight/clusters/updateGatewaySettings/action",
        "Microsoft.HDInsight/clusters/configurations/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-04-20T00:03:01.7110732Z",
  "updatedOn": "2019-04-28T02:34:17.4679314Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "HDInsight Domain Services Contributor",
  "type": "BuiltInRole",
  "description": "Can Read, Create, Modify and Delete Domain Services related operations needed for HDInsight Enterprise Security Package",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.AAD/*/read",
        "Microsoft.AAD/domainServices/*/read",
        "Microsoft.AAD/domainServices/oucontainer/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2018-09-12T22:42:51.7451109Z",
  "updatedOn": "2018-09-12T23:06:45.7641599Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Hierarchy Settings Administrator",
  "type": "BuiltInRole",
  "description": "Allows users to edit and delete Hierarchy Settings",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Management/managementGroups/settings/write",
        "Microsoft.Management/managementGroups/settings/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-03-13T23:55:11.0212387Z",
  "updatedOn": "2020-03-13T23:58:46.9249866Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Hybrid Server Onboarding",
  "type": "BuiltInRole",
  "description": "Can onboard new Hybrid servers to the Hybrid Resource Provider.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.HybridCompute/machines/read",
        "Microsoft.HybridCompute/machines/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-04-29T22:36:28.1873756Z",
  "updatedOn": "2019-05-06T20:09:17.9364269Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Hybrid Server Resource Administrator",
  "type": "BuiltInRole",
  "description": "Can read, write, delete, and re-onboard Hybrid servers to the Hybrid Resource Provider.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.HybridCompute/machines/*",
        "Microsoft.HybridCompute/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-04-29T21:39:32.3132923Z",
  "updatedOn": "2019-05-06T20:08:25.3180258Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Integration Service Environment Contributor",
  "type": "BuiltInRole",
  "description": "Lets you manage integration service environments, but not access to them.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Support/*",
        "Microsoft.Logic/integrationServiceEnvironments/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-02-20T21:10:44.4008319Z",
  "updatedOn": "2020-02-20T21:41:56.7983599Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Integration Service Environment Developer",
  "type": "BuiltInRole",
  "description": "Allows developers to create and update workflows, integration accounts and API connections in integration service environments.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Support/*",
        "Microsoft.Logic/integrationServiceEnvironments/read",
        "Microsoft.Logic/integrationServiceEnvironments/*/join/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-02-20T21:09:00.5627875Z",
  "updatedOn": "2020-12-13T02:18:15.6697797Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Intelligent Systems Account Contributor",
  "type": "BuiltInRole",
  "description": "Lets you manage Intelligent Systems accounts, but not access to them.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.IntelligentSystems/accounts/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2015-02-02T21:55:09.8806423Z",
  "updatedOn": "2019-02-05T20:32:00.9996357Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "IoT Hub Data Contributor",
  "type": "BuiltInRole",
  "description": "Allows for full access to IoT Hub data plane operations.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Devices/IotHubs/*"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-04-22T20:37:16.9927761Z",
  "updatedOn": "2021-04-29T23:44:42.6824802Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "IoT Hub Data Reader",
  "type": "BuiltInRole",
  "description": "Allows for full read access to IoT Hub data-plane properties",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Devices/IotHubs/*/read",
        "Microsoft.Devices/IotHubs/fileUpload/notifications/action"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-04-22T18:03:29.8843192Z",
  "updatedOn": "2021-04-29T23:24:12.4930691Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "IoT Hub Registry Contributor",
  "type": "BuiltInRole",
  "description": "Allows for full access to IoT Hub device registry.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Devices/IotHubs/devices/*"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-04-22T20:36:47.5532704Z",
  "updatedOn": "2021-04-30T00:01:58.8405124Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "IoT Hub Twin Contributor",
  "type": "BuiltInRole",
  "description": "Allows for read and write access to all IoT Hub device and module twins.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Devices/IotHubs/twins/*"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-04-22T20:36:10.1136903Z",
  "updatedOn": "2021-04-29T23:52:03.1511375Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Key Vault Administrator",
  "type": "BuiltInRole",
  "description": "Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.KeyVault/checkNameAvailability/read",
        "Microsoft.KeyVault/deletedVaults/read",
        "Microsoft.KeyVault/locations/*/read",
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/operations/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/*"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-05-19T17:52:46.2349235Z",
  "updatedOn": "2021-01-27T23:26:39.6321098Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Key Vault Certificates Officer",
  "type": "BuiltInRole",
  "description": "Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.KeyVault/checkNameAvailability/read",
        "Microsoft.KeyVault/deletedVaults/read",
        "Microsoft.KeyVault/locations/*/read",
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/operations/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/certificatecas/*",
        "Microsoft.KeyVault/vaults/certificates/*"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-05-19T17:52:47.2499247Z",
  "updatedOn": "2021-01-27T23:25:14.4723643Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Key Vault Contributor",
  "type": "BuiltInRole",
  "description": "Lets you manage key vaults, but not access to them.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.KeyVault/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.KeyVault/locations/deletedVaults/purge/action",
        "Microsoft.KeyVault/hsmPools/*",
        "Microsoft.KeyVault/managedHsms/*"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2016-02-25T17:08:28.5184971Z",
  "updatedOn": "2020-09-17T00:42:51.7334302Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Key Vault Crypto Officer",
  "type": "BuiltInRole",
  "description": "Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.KeyVault/checkNameAvailability/read",
        "Microsoft.KeyVault/deletedVaults/read",
        "Microsoft.KeyVault/locations/*/read",
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/operations/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/keys/*"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-05-19T17:52:47.0099249Z",
  "updatedOn": "2021-01-27T23:23:43.2358783Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Key Vault Crypto Service Encryption User",
  "type": "BuiltInRole",
  "description": "Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.EventGrid/eventSubscriptions/write",
        "Microsoft.EventGrid/eventSubscriptions/read",
        "Microsoft.EventGrid/eventSubscriptions/delete"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/keys/read",
        "Microsoft.KeyVault/vaults/keys/wrap/action",
        "Microsoft.KeyVault/vaults/keys/unwrap/action"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-05-20T20:55:19.239847Z",
  "updatedOn": "2021-01-27T23:22:10.9466372Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Key Vault Crypto User",
  "type": "BuiltInRole",
  "description": "Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/keys/read",
        "Microsoft.KeyVault/vaults/keys/update/action",
        "Microsoft.KeyVault/vaults/keys/backup/action",
        "Microsoft.KeyVault/vaults/keys/encrypt/action",
        "Microsoft.KeyVault/vaults/keys/decrypt/action",
        "Microsoft.KeyVault/vaults/keys/wrap/action",
        "Microsoft.KeyVault/vaults/keys/unwrap/action",
        "Microsoft.KeyVault/vaults/keys/sign/action",
        "Microsoft.KeyVault/vaults/keys/verify/action"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-05-19T17:52:47.0699268Z",
  "updatedOn": "2021-01-27T23:18:47.5002809Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Key Vault Reader",
  "type": "BuiltInRole",
  "description": "Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.KeyVault/checkNameAvailability/read",
        "Microsoft.KeyVault/deletedVaults/read",
        "Microsoft.KeyVault/locations/*/read",
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/operations/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/vaults/secrets/readMetadata/action"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-05-19T17:52:47.2949294Z",
  "updatedOn": "2021-01-27T23:14:42.715144Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Key Vault Secrets Officer",
  "type": "BuiltInRole",
  "description": "Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.KeyVault/checkNameAvailability/read",
        "Microsoft.KeyVault/deletedVaults/read",
        "Microsoft.KeyVault/locations/*/read",
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/operations/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/secrets/*"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-05-19T17:52:47.1449242Z",
  "updatedOn": "2021-01-27T23:07:56.2221281Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Key Vault Secrets User",
  "type": "BuiltInRole",
  "description": "Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/secrets/getSecret/action",
        "Microsoft.KeyVault/vaults/secrets/readMetadata/action"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-05-19T17:52:47.2049241Z",
  "updatedOn": "2021-01-27T22:15:29.1682455Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Knowledge Consumer",
  "type": "BuiltInRole",
  "description": "Knowledge Read permission to consume Enterprise Graph Knowledge using entity search and graph query",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.EnterpriseKnowledgeGraph/services/knowledge/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-02-23T21:23:31.4037552Z",
  "updatedOn": "2019-02-28T20:25:00.7369384Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Kubernetes Cluster - Azure Arc Onboarding",
  "type": "BuiltInRole",
  "description": "Role definition to authorize any user/service to create connectedClusters resource",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Kubernetes/connectedClusters/Write",
        "Microsoft.Kubernetes/connectedClusters/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-11-18T17:00:02.2087147Z",
  "updatedOn": "2020-02-10T22:40:48.3317559Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Kubernetes Extension Contributor",
  "type": "BuiltInRole",
  "description": "Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.KubernetesConfiguration/extensions/write",
        "Microsoft.KubernetesConfiguration/extensions/read",
        "Microsoft.KubernetesConfiguration/extensions/delete",
        "Microsoft.KubernetesConfiguration/extensions/operations/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-08-09T19:47:50.6828896Z",
  "updatedOn": "2021-08-10T21:04:18.6453432Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Lab Creator",
  "type": "BuiltInRole",
  "description": "Lets you create new labs under your Azure Lab Accounts.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.LabServices/labAccounts/*/read",
        "Microsoft.LabServices/labAccounts/createLab/action",
        "Microsoft.LabServices/labAccounts/getPricingAndAvailability/action",
        "Microsoft.LabServices/labAccounts/getRestrictionsAndUsage/action",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2018-01-18T23:38:58.1036141Z",
  "updatedOn": "2020-07-10T17:45:43.2289715Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Log Analytics Contributor",
  "type": "BuiltInRole",
  "description": "Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; adding solutions; and configuring Azure diagnostics on all Azure resources.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.ClassicCompute/virtualMachines/extensions/*",
        "Microsoft.ClassicStorage/storageAccounts/listKeys/action",
        "Microsoft.Compute/virtualMachines/extensions/*",
        "Microsoft.HybridCompute/machines/extensions/write",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/diagnosticSettings/*",
        "Microsoft.OperationalInsights/*",
        "Microsoft.OperationsManagement/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/*",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2017-04-25T21:51:45.3174711Z",
  "updatedOn": "2021-08-05T16:47:17.2646158Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Log Analytics Reader",
  "type": "BuiltInRole",
  "description": "Log Analytics Reader can view and search all monitoring data as well as and view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.OperationalInsights/workspaces/analytics/query/action",
        "Microsoft.OperationalInsights/workspaces/search/action",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.OperationalInsights/workspaces/sharedKeys/read"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2017-05-02T00:20:28.1449012Z",
  "updatedOn": "2018-01-30T18:08:26.0438523Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false true 1 /providers/Microsoft.Management/managementGroups/ESJHQA/providers/Microsoft.Authorization/roleAssignments/fe935a9c-928f-4dec-aafb-54ecc2642cf3
{
  "roleName": "Logic App Contributor",
  "type": "BuiltInRole",
  "description": "Lets you manage logic app, but not access to them.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ClassicStorage/storageAccounts/listKeys/action",
        "Microsoft.ClassicStorage/storageAccounts/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/metricAlerts/*",
        "Microsoft.Insights/diagnosticSettings/*",
        "Microsoft.Insights/logdefinitions/*",
        "Microsoft.Insights/metricDefinitions/*",
        "Microsoft.Logic/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/listkeys/action",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Support/*",
        "Microsoft.Web/connectionGateways/*",
        "Microsoft.Web/connections/*",
        "Microsoft.Web/customApis/*",
        "Microsoft.Web/serverFarms/join/action",
        "Microsoft.Web/serverFarms/read",
        "Microsoft.Web/sites/functions/listSecrets/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2016-04-28T21:33:30.4656007Z",
  "updatedOn": "2019-10-15T04:31:27.7685427Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Logic App Operator",
  "type": "BuiltInRole",
  "description": "Lets you read, enable and disable logic app.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*/read",
        "Microsoft.Insights/metricAlerts/*/read",
        "Microsoft.Insights/diagnosticSettings/*/read",
        "Microsoft.Insights/metricDefinitions/*/read",
        "Microsoft.Logic/*/read",
        "Microsoft.Logic/workflows/disable/action",
        "Microsoft.Logic/workflows/enable/action",
        "Microsoft.Logic/workflows/validate/action",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Web/connectionGateways/*/read",
        "Microsoft.Web/connections/*/read",
        "Microsoft.Web/customApis/*/read",
        "Microsoft.Web/serverFarms/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2016-04-28T21:33:30.4656007Z",
  "updatedOn": "2019-10-15T04:28:56.3265986Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Managed Application Contributor Role",
  "type": "BuiltInRole",
  "description": "Allows for creating managed application resources.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.Solutions/applications/*",
        "Microsoft.Solutions/register/action",
        "Microsoft.Resources/subscriptions/resourceGroups/*",
        "Microsoft.Resources/deployments/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-02-08T03:39:11.8933879Z",
  "updatedOn": "2020-03-23T02:12:30.0853051Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Managed Application Operator Role",
  "type": "BuiltInRole",
  "description": "Lets you read and perform actions on Managed Application resources",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.Solutions/applications/read",
        "Microsoft.Solutions/*/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2018-07-27T00:59:33.7988813Z",
  "updatedOn": "2019-02-20T01:09:55.1593079Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Managed Applications Reader",
  "type": "BuiltInRole",
  "description": "Lets you read resources in a managed app and request JIT access.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Solutions/jitRequests/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2018-09-06T00:33:58.3651522Z",
  "updatedOn": "2018-09-06T00:33:58.3651522Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Managed HSM contributor",
  "type": "BuiltInRole",
  "description": "Lets you manage managed HSM pools, but not access to them.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.KeyVault/managedHSMs/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-09-16T21:47:01.1291104Z",
  "updatedOn": "2020-09-16T21:47:01.1291104Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Managed Identity Contributor",
  "type": "BuiltInRole",
  "description": "Create, Read, Update, and Delete User Assigned Identity",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.ManagedIdentity/userAssignedIdentities/read",
        "Microsoft.ManagedIdentity/userAssignedIdentities/write",
        "Microsoft.ManagedIdentity/userAssignedIdentities/delete",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2017-12-14T19:53:42.8804692Z",
  "updatedOn": "2019-06-20T21:51:27.0850433Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Managed Identity Operator",
  "type": "BuiltInRole",
  "description": "Read and Assign User Assigned Identity",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.ManagedIdentity/userAssignedIdentities/*/read",
        "Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2017-12-14T19:52:04.3924594Z",
  "updatedOn": "2017-12-14T22:16:00.1483256Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Managed Services Registration assignment Delete Role",
  "type": "BuiltInRole",
  "description": "Managed Services Registration Assignment Delete Role allows the managing tenant users to delete the registration assignment assigned to their tenant.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.ManagedServices/registrationAssignments/read",
        "Microsoft.ManagedServices/registrationAssignments/delete",
        "Microsoft.ManagedServices/operationStatuses/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-10-23T22:33:33.1183469Z",
  "updatedOn": "2019-10-24T21:49:09.3875276Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Management Group Contributor",
  "type": "BuiltInRole",
  "description": "Management Group Contributor Role",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Management/managementGroups/delete",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.Management/managementGroups/subscriptions/delete",
        "Microsoft.Management/managementGroups/subscriptions/write",
        "Microsoft.Management/managementGroups/write",
        "Microsoft.Management/managementGroups/subscriptions/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2018-06-22T00:28:29.0523964Z",
  "updatedOn": "2020-07-06T18:13:34.9045672Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Management Group Reader",
  "type": "BuiltInRole",
  "description": "Management Group Reader Role",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Management/managementGroups/read",
        "Microsoft.Management/managementGroups/subscriptions/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2018-06-22T00:31:03.4295347Z",
  "updatedOn": "2020-07-06T18:09:27.1441705Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Media Services Account Administrator",
  "type": "BuiltInRole",
  "description": "Create, read, modify, and delete Media Services accounts; read-only access to other Media Services resources.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/metrics/read",
        "Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Media/mediaservices/*/read",
        "Microsoft.Media/mediaservices/assets/listStreamingLocators/action",
        "Microsoft.Media/mediaservices/streamingLocators/listPaths/action",
        "Microsoft.Media/mediaservices/write",
        "Microsoft.Media/mediaservices/delete",
        "Microsoft.Media/mediaservices/privateEndpointConnectionsApproval/action",
        "Microsoft.Media/mediaservices/privateEndpointConnections/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-04-19T23:20:32.2956636Z",
  "updatedOn": "2021-06-11T21:21:11.1352414Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Media Services Live Events Administrator",
  "type": "BuiltInRole",
  "description": "Create, read, modify, and delete Live Events, Assets, Asset Filters, and Streaming Locators; read-only access to other Media Services resources.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/metrics/read",
        "Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Media/mediaservices/*/read",
        "Microsoft.Media/mediaservices/assets/*",
        "Microsoft.Media/mediaservices/assets/assetfilters/*",
        "Microsoft.Media/mediaservices/streamingLocators/*",
        "Microsoft.Media/mediaservices/liveEvents/*"
      ],
      "notActions": [
        "Microsoft.Media/mediaservices/assets/getEncryptionKey/action",
        "Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-04-19T23:21:00.6119555Z",
  "updatedOn": "2021-06-11T21:20:30.6783723Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Media Services Media Operator",
  "type": "BuiltInRole",
  "description": "Create, read, modify, and delete Assets, Asset Filters, Streaming Locators, and Jobs; read-only access to other Media Services resources.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/metrics/read",
        "Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Media/mediaservices/*/read",
        "Microsoft.Media/mediaservices/assets/*",
        "Microsoft.Media/mediaservices/assets/assetfilters/*",
        "Microsoft.Media/mediaservices/streamingLocators/*",
        "Microsoft.Media/mediaservices/transforms/jobs/*"
      ],
      "notActions": [
        "Microsoft.Media/mediaservices/assets/getEncryptionKey/action",
        "Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-04-19T23:21:23.2236495Z",
  "updatedOn": "2021-06-11T21:20:52.6238751Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Media Services Policy Administrator",
  "type": "BuiltInRole",
  "description": "Create, read, modify, and delete Account Filters, Streaming Policies, Content Key Policies, and Transforms; read-only access to other Media Services resources. Cannot create Jobs, Assets or Streaming resources.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/metrics/read",
        "Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Media/mediaservices/*/read",
        "Microsoft.Media/mediaservices/assets/listStreamingLocators/action",
        "Microsoft.Media/mediaservices/streamingLocators/listPaths/action",
        "Microsoft.Media/mediaservices/accountFilters/*",
        "Microsoft.Media/mediaservices/streamingPolicies/*",
        "Microsoft.Media/mediaservices/contentKeyPolicies/*",
        "Microsoft.Media/mediaservices/transforms/*"
      ],
      "notActions": [
        "Microsoft.Media/mediaservices/contentKeyPolicies/getPolicyPropertiesWithSecrets/action"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-04-19T23:21:46.953433Z",
  "updatedOn": "2021-06-11T21:20:01.8020972Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Media Services Streaming Endpoints Administrator",
  "type": "BuiltInRole",
  "description": "Create, read, modify, and delete Streaming Endpoints; read-only access to other Media Services resources.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/metrics/read",
        "Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Media/mediaservices/*/read",
        "Microsoft.Media/mediaservices/assets/listStreamingLocators/action",
        "Microsoft.Media/mediaservices/streamingLocators/listPaths/action",
        "Microsoft.Media/mediaservices/streamingEndpoints/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-04-19T23:22:04.4594851Z",
  "updatedOn": "2021-06-11T21:18:02.3864536Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Microsoft.Kubernetes connected cluster role",
  "type": "BuiltInRole",
  "description": "Microsoft.Kubernetes connected cluster role.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Kubernetes/connectedClusters/read",
        "Microsoft.Kubernetes/connectedClusters/write",
        "Microsoft.Kubernetes/connectedClusters/delete",
        "Microsoft.Kubernetes/registeredSubscriptions/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-01-07T23:57:10.9923232Z",
  "updatedOn": "2021-01-07T23:57:10.9923232Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Monitoring Contributor",
  "type": "BuiltInRole",
  "description": "Can read all monitoring data and update monitoring settings.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.AlertsManagement/alerts/*",
        "Microsoft.AlertsManagement/alertsSummary/*",
        "Microsoft.Insights/actiongroups/*",
        "Microsoft.Insights/activityLogAlerts/*",
        "Microsoft.Insights/AlertRules/*",
        "Microsoft.Insights/components/*",
        "Microsoft.Insights/dataCollectionRules/*",
        "Microsoft.Insights/dataCollectionRuleAssociations/*",
        "Microsoft.Insights/DiagnosticSettings/*",
        "Microsoft.Insights/eventtypes/*",
        "Microsoft.Insights/LogDefinitions/*",
        "Microsoft.Insights/metricalerts/*",
        "Microsoft.Insights/MetricDefinitions/*",
        "Microsoft.Insights/Metrics/*",
        "Microsoft.Insights/Register/Action",
        "Microsoft.Insights/scheduledqueryrules/*",
        "Microsoft.Insights/webtests/*",
        "Microsoft.Insights/workbooks/*",
        "Microsoft.Insights/privateLinkScopes/*",
        "Microsoft.Insights/privateLinkScopeOperationStatuses/*",
        "Microsoft.OperationalInsights/workspaces/write",
        "Microsoft.OperationalInsights/workspaces/intelligencepacks/*",
        "Microsoft.OperationalInsights/workspaces/savedSearches/*",
        "Microsoft.OperationalInsights/workspaces/search/action",
        "Microsoft.OperationalInsights/workspaces/sharedKeys/action",
        "Microsoft.OperationalInsights/workspaces/storageinsightconfigs/*",
        "Microsoft.Support/*",
        "Microsoft.WorkloadMonitor/monitors/*",
        "Microsoft.AlertsManagement/smartDetectorAlertRules/*",
        "Microsoft.AlertsManagement/actionRules/*",
        "Microsoft.AlertsManagement/smartGroups/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2016-09-21T19:21:08.4345976Z",
  "updatedOn": "2020-11-18T00:02:00.4868141Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Monitoring Metrics Publisher",
  "type": "BuiltInRole",
  "description": "Enables publishing metrics against Azure resources",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Insights/Register/Action",
        "Microsoft.Support/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Insights/Metrics/Write"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2018-08-14T00:36:16.5610279Z",
  "updatedOn": "2018-08-14T00:37:18.1465065Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Monitoring Reader",
  "type": "BuiltInRole",
  "description": "Can read all monitoring data.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.OperationalInsights/workspaces/search/action",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2016-09-21T19:19:52.4939376Z",
  "updatedOn": "2018-01-30T18:08:27.262625Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false true 1 /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleAssignments/79041f69-fb87-4da7-8676-6431f7ad43a8
{
  "roleName": "Network Contributor",
  "type": "BuiltInRole",
  "description": "Lets you manage networks, but not access to them.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Network/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2015-06-02T00:18:27.3542698Z",
  "updatedOn": "2016-05-31T23:14:00.3326359Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "New Relic APM Account Contributor",
  "type": "BuiltInRole",
  "description": "Lets you manage New Relic Application Performance Management accounts and applications, but not access to them.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "NewRelic.APM/accounts/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2015-02-02T21:55:09.8806423Z",
  "updatedOn": "2019-02-05T20:42:16.2033878Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Object Anchors Account Owner",
  "type": "BuiltInRole",
  "description": "Provides user with ingestion capabilities for an object anchors account.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.MixedReality/ObjectAnchorsAccounts/ingest/action",
        "Microsoft.MixedReality/ObjectAnchorsAccounts/ingest/read"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-03-02T01:42:02.0014737Z",
  "updatedOn": "2021-03-02T01:45:23.2472961Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Object Anchors Account Reader",
  "type": "BuiltInRole",
  "description": "Lets you read ingestion jobs for an object anchors account.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.MixedReality/ObjectAnchorsAccounts/ingest/read"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-03-02T01:20:47.0279813Z",
  "updatedOn": "2021-03-02T01:34:08.6743401Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Object Understanding Account Owner",
  "type": "BuiltInRole",
  "description": "Provides user with ingestion capabilities for Azure Object Understanding.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.MixedReality/ObjectUnderstandingAccounts/ingest/action",
        "Microsoft.MixedReality/ObjectUnderstandingAccounts/ingest/read"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-04-22T19:15:09.0697923Z",
  "updatedOn": "2020-04-22T19:15:09.0697923Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Object Understanding Account Reader",
  "type": "BuiltInRole",
  "description": "Lets you read ingestion jobs for an object understanding account.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.MixedReality/ObjectUnderstandingAccounts/ingest/read"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-07-23T19:16:31.9929119Z",
  "updatedOn": "2020-07-23T19:16:31.9929119Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Owner",
  "type": "BuiltInRole",
  "description": "Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2015-02-02T21:55:09.8806423Z",
  "updatedOn": "2020-08-14T20:13:58.4137852Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false true 27 /providers/Microsoft.Authorization/roleAssignments/6c236776-529f-4132-b034-e399e1cd1a99, /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/30e36b53-bc6c-412b-a026-96fe7527e27b, /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/eda95ae6-8581-4558-b3b9-b3cd05cce33d, /providers/Microsoft.Management/managementGroups/CUST_T5/providers/Microsoft.Authorization/roleAssignments/3c72bcce-6116-4d33-9f8a-927083beee40, /providers/Microsoft.Management/managementGroups/ESJH-decommissioned/providers/Microsoft.Authorization/roleAssignments/81bb9ace-a96d-47ab-b9a2-8952e655aa0c, /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/093ad67e-4eae-4536-aa0b-da4e09b47d88, /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/3df334e6-61c3-543a-b548-97586caf6d4f, /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/4f80e55d-446d-5743-a173-5d189d196345, /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/70486d4a-1ee2-5f70-bb58-b3bd79840ae5, /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/8085d5e6-c291-571e-bd96-a2eb4769f9e6, /providers/Microsoft.Management/managementGroups/ESJH-management/providers/Microsoft.Authorization/roleAssignments/84fb757b-e5ed-44e1-92fa-5d2ed6fe5cd1, /providers/Microsoft.Management/managementGroups/ESJH-management/providers/Microsoft.Authorization/roleAssignments/b95d2309-e3d0-5961-bef8-a3e75deca49a, /providers/Microsoft.Management/managementGroups/ESJH-online/providers/Microsoft.Authorization/roleAssignments/06ee6718-e394-4fcf-bbc2-cf358381ff67, 
/providers/Microsoft.Management/managementGroups/ESJH-platform/providers/Microsoft.Authorization/roleAssignments/243cb616-b890-4197-bc2e-98b966ba39f5, /providers/Microsoft.Management/managementGroups/ESJH-sandboxes/providers/Microsoft.Authorization/roleAssignments/5c852bb9-bc65-44cb-a7d7-f230589f9c5f, /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/2d361fa3-7bd4-5234-9b12-1f54afa65870, /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/38abf737-131b-52a2-90da-78943675bfed, /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/45afca7b-a696-5947-a47f-960081dd1dbc, /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/538e5329-7b5d-511f-8c05-9c7c32dab0bf, /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/5d92332d-fe07-5cef-9c6b-33e5025d6374, /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/ddc0ff3c-a3d0-5d5b-ba19-116b6572acbf, /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/e5ac6b58-4f31-5956-9082-78d97ba2453e, /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/f8d8ca86-6fdf-4ad5-b801-5e1b3eba3171, /providers/Microsoft.Management/managementGroups/ESJHDEV/providers/Microsoft.Authorization/roleAssignments/983c43f8-1c29-4c73-9816-b69d38226be4, /providers/Microsoft.Management/managementGroups/ESJHQA/providers/Microsoft.Authorization/roleAssignments/9f1fe9df-5a9c-46ca-b881-154ecd19eaa7, /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleAssignments/2754101a-9df1-48e7-ae2a-836f23710ed7, 
/subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleAssignments/68463d6a-5bd9-4d2b-8607-cb12a73d3c53
{
  "roleName": "Policy Insights Data Writer (Preview)",
  "type": "BuiltInRole",
  "description": "Allows read access to resource policies and write access to resource component policy events.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/policyassignments/read",
        "Microsoft.Authorization/policydefinitions/read",
        "Microsoft.Authorization/policyexemptions/read",
        "Microsoft.Authorization/policysetdefinitions/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.PolicyInsights/checkDataPolicyCompliance/action",
        "Microsoft.PolicyInsights/policyEvents/logDataEvents/action"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-09-19T19:35:20.9504127Z",
  "updatedOn": "2020-08-20T20:57:17.1579311Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Private DNS Zone Contributor",
  "type": "BuiltInRole",
  "description": "Lets you manage private DNS zone resources, but not the virtual networks they are linked to.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Network/privateDnsZones/*",
        "Microsoft.Network/privateDnsOperationResults/*",
        "Microsoft.Network/privateDnsOperationStatuses/*",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/join/action",
        "Microsoft.Authorization/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-07-10T19:31:15.5645518Z",
  "updatedOn": "2019-07-11T21:12:01.7260648Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Project Babylon Data Curator",
  "type": "BuiltInRole",
  "description": "The Microsoft.ProjectBabylon data curator can create, read, modify and delete catalog data objects and establish relationships between objects. This role is in preview and subject to change.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.ProjectBabylon/accounts/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ProjectBabylon/accounts/data/read",
        "Microsoft.ProjectBabylon/accounts/data/write"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-11-14T02:31:33.7988825Z",
  "updatedOn": "2020-11-20T21:21:21.9658575Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Project Babylon Data Reader",
  "type": "BuiltInRole",
  "description": "The Microsoft.ProjectBabylon data reader can read catalog data objects. This role is in preview and subject to change.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.ProjectBabylon/accounts/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ProjectBabylon/accounts/data/read"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-11-14T02:33:13.5342351Z",
  "updatedOn": "2020-11-20T21:21:51.9362426Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Project Babylon Data Source Administrator",
  "type": "BuiltInRole",
  "description": "The Microsoft.ProjectBabylon data source administrator can manage data sources and data scans. This role is in preview and subject to change.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.ProjectBabylon/accounts/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ProjectBabylon/accounts/scan/read",
        "Microsoft.ProjectBabylon/accounts/scan/write"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-11-14T02:34:01.8401954Z",
  "updatedOn": "2020-11-20T21:22:15.6138058Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Purview Data Curator",
  "type": "BuiltInRole",
  "description": "The Microsoft.Purview data curator can create, read, modify and delete catalog data objects and establish relationships between objects. This role is in preview and subject to change.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Purview/accounts/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Purview/accounts/data/read",
        "Microsoft.Purview/accounts/data/write"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-11-14T02:37:15.0123345Z",
  "updatedOn": "2020-11-20T21:24:12.8131677Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Purview Data Reader",
  "type": "BuiltInRole",
  "description": "The Microsoft.Purview data reader can read catalog data objects. This role is in preview and subject to change.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Purview/accounts/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Purview/accounts/data/read"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-11-14T02:39:22.234474Z",
  "updatedOn": "2020-11-20T21:24:29.5157346Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Purview Data Source Administrator",
  "type": "BuiltInRole",
  "description": "The Microsoft.Purview data source administrator can manage data sources and data scans. This role is in preview and subject to change.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Purview/accounts/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Purview/accounts/scan/read",
        "Microsoft.Purview/accounts/scan/write"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-11-14T02:40:05.0975648Z",
  "updatedOn": "2020-11-20T21:24:43.5940624Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Quota Request Operator",
  "type": "BuiltInRole",
  "description": "Read and create quota requests, get quota request status, and create support tickets.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Capacity/resourceProviders/locations/serviceLimits/read",
        "Microsoft.Capacity/resourceProviders/locations/serviceLimits/write",
        "Microsoft.Capacity/resourceProviders/locations/serviceLimitsRequests/read",
        "Microsoft.Capacity/register/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-02-03T00:06:35.8404575Z",
  "updatedOn": "2021-03-22T21:53:11.9852943Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Reader",
  "type": "BuiltInRole",
  "description": "View all resources, but does not allow you to make any changes.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2015-02-02T21:55:09.8806423Z",
  "updatedOn": "2020-08-14T20:16:04.3791205Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false true 5 /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/2df03e9d-a1e3-41f5-a95e-efb2b4641f04, /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/d7973c31-e58a-4af7-bbcb-a4bac69ba141, /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/3b6291a1-fc61-41d8-abff-43d04e35be62, /providers/Microsoft.Management/managementGroups/ESJH-sandboxes/providers/Microsoft.Authorization/roleAssignments/5c852bb9-bc65-44cb-a7d7-f230589f9c11, /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleAssignments/06e10e98-b109-40c5-bf73-691605bf66e3
{
  "roleName": "Reader and Data Access",
  "type": "BuiltInRole",
  "description": "Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Storage/storageAccounts/ListAccountSas/action",
        "Microsoft.Storage/storageAccounts/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2018-03-27T23:20:46.1498906Z",
  "updatedOn": "2019-04-04T23:41:26.1056261Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Redis Cache Contributor",
  "type": "BuiltInRole",
  "description": "Lets you manage Redis caches, but not access to them.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Cache/register/action",
        "Microsoft.Cache/redis/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2015-02-02T21:55:09.8806423Z",
  "updatedOn": "2020-07-16T00:20:31.8240854Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Remote Rendering Administrator",
  "type": "BuiltInRole",
  "description": "Provides user with conversion, manage session, rendering and diagnostics capabilities for Azure Remote Rendering",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.MixedReality/RemoteRenderingAccounts/convert/action",
        "Microsoft.MixedReality/RemoteRenderingAccounts/convert/read",
        "Microsoft.MixedReality/RemoteRenderingAccounts/convert/delete",
        "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read",
        "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action",
        "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete",
        "Microsoft.MixedReality/RemoteRenderingAccounts/render/read",
        "Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-01-23T18:15:31.3450348Z",
  "updatedOn": "2020-01-23T18:15:31.3450348Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Remote Rendering Client",
  "type": "BuiltInRole",
  "description": "Provides user with manage session, rendering and diagnostics capabilities for Azure Remote Rendering.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read",
        "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action",
        "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete",
        "Microsoft.MixedReality/RemoteRenderingAccounts/render/read",
        "Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-01-23T18:32:52.7069824Z",
  "updatedOn": "2020-01-23T18:32:52.7069824Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Reservation Purchaser",
  "type": "BuiltInRole",
  "description": "Lets you purchase reservations",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Capacity/register/action",
        "Microsoft.Compute/register/action",
        "Microsoft.SQL/register/action",
        "Microsoft.Consumption/register/action",
        "Microsoft.Capacity/catalogs/read",
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Consumption/reservationRecommendations/read",
        "Microsoft.Support/supporttickets/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-10-23T20:22:48.9217751Z",
  "updatedOn": "2020-10-23T20:22:48.9217751Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Resource Policy Contributor",
  "type": "BuiltInRole",
  "description": "Users with rights to create/modify resource policy, create support ticket and read resources/hierarchy.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.Authorization/policyassignments/*",
        "Microsoft.Authorization/policydefinitions/*",
        "Microsoft.Authorization/policyexemptions/*",
        "Microsoft.Authorization/policysetdefinitions/*",
        "Microsoft.PolicyInsights/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2017-08-25T19:08:01.3861639Z",
  "updatedOn": "2020-08-20T19:01:05.4449634Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Scheduler Job Collections Contributor",
  "type": "BuiltInRole",
  "description": "Lets you manage Scheduler job collections, but not access to them.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Scheduler/jobcollections/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2015-02-02T21:55:09.8806423Z",
  "updatedOn": "2019-02-05T20:42:24.8360756Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Schema Registry Contributor (Preview)",
  "type": "BuiltInRole",
  "description": "Read, write, and delete Schema Registry groups and schemas.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.EventHub/namespaces/schemagroups/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.EventHub/namespaces/schemas/*"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-09-13T06:48:26.6032931Z",
  "updatedOn": "2020-09-13T06:48:26.6032931Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Schema Registry Reader (Preview)",
  "type": "BuiltInRole",
  "description": "Read and list Schema Registry groups and schemas.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.EventHub/namespaces/schemagroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.EventHub/namespaces/schemas/read"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-09-13T06:31:38.027274Z",
  "updatedOn": "2020-09-13T06:31:38.027274Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Search Index Data Contributor",
  "type": "BuiltInRole",
  "description": "Grants full access to Azure Cognitive Search index data.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Search/searchServices/indexes/documents/*"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-06-01T22:15:16.5388472Z",
  "updatedOn": "2021-06-02T18:55:58.1815252Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Search Index Data Reader",
  "type": "BuiltInRole",
  "description": "Grants read access to Azure Cognitive Search index data.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Search/searchServices/indexes/documents/read"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-06-01T20:26:13.4850461Z",
  "updatedOn": "2021-06-02T19:01:52.2721055Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Search Service Contributor",
  "type": "BuiltInRole",
  "description": "Lets you manage Search services, but not access to them.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Search/searchServices/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2015-02-02T21:55:09.8806423Z",
  "updatedOn": "2019-02-05T20:42:21.8687229Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Security Admin",
  "type": "BuiltInRole",
  "description": "Security Admin Role",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Authorization/policyAssignments/*",
        "Microsoft.Authorization/policyDefinitions/*",
        "Microsoft.Authorization/policyExemptions/*",
        "Microsoft.Authorization/policySetDefinitions/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.operationalInsights/workspaces/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Security/*",
        "Microsoft.IoTSecurity/*",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.IoTSecurity/defenderSettings/write"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2017-05-03T07:51:23.0917487Z",
  "updatedOn": "2021-08-12T19:15:52.3764664Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Security Assessment Contributor",
  "type": "BuiltInRole",
  "description": "Lets you push assessments to Security Center",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Security/assessments/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-02-13T08:23:47.7656161Z",
  "updatedOn": "2020-02-13T08:23:47.7656161Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Security Detonation Chamber Publisher",
  "type": "BuiltInRole",
  "description": "Allowed to publish and modify platforms, workflows and toolsets to Security Detonation Chamber",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.SecurityDetonation/chambers/platforms/read",
        "Microsoft.SecurityDetonation/chambers/platforms/write",
        "Microsoft.SecurityDetonation/chambers/platforms/delete",
        "Microsoft.SecurityDetonation/chambers/platforms/metadata/read",
        "Microsoft.SecurityDetonation/chambers/workflows/read",
        "Microsoft.SecurityDetonation/chambers/workflows/write",
        "Microsoft.SecurityDetonation/chambers/workflows/delete",
        "Microsoft.SecurityDetonation/chambers/workflows/metadata/read",
        "Microsoft.SecurityDetonation/chambers/toolsets/read",
        "Microsoft.SecurityDetonation/chambers/toolsets/write",
        "Microsoft.SecurityDetonation/chambers/toolsets/delete",
        "Microsoft.SecurityDetonation/chambers/toolsets/metadata/read",
        "Microsoft.SecurityDetonation/chambers/publishRequests/read",
        "Microsoft.SecurityDetonation/chambers/publishRequests/cancel/action"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-01-18T11:43:14.0858184Z",
  "updatedOn": "2021-03-07T13:06:15.7172517Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Security Detonation Chamber Reader",
  "type": "BuiltInRole",
  "description": "Allowed to query submission info and files from Security Detonation Chamber",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.SecurityDetonation/chambers/submissions/read",
        "Microsoft.SecurityDetonation/chambers/submissions/files/read"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-03-01T14:06:46.2814905Z",
  "updatedOn": "2021-03-01T14:09:25.0080904Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Security Detonation Chamber Submission Manager",
  "type": "BuiltInRole",
  "description": "Allowed to create and manage submissions to Security Detonation Chamber",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.SecurityDetonation/chambers/submissions/delete",
        "Microsoft.SecurityDetonation/chambers/submissions/write",
        "Microsoft.SecurityDetonation/chambers/submissions/read",
        "Microsoft.SecurityDetonation/chambers/submissions/files/read",
        "Microsoft.SecurityDetonation/chambers/submissions/accesskeyview/read",
        "Microsoft.SecurityDetonation/chambers/submissions/adminview/read",
        "Microsoft.SecurityDetonation/chambers/submissions/analystview/read",
        "Microsoft.SecurityDetonation/chambers/submissions/publicview/read",
        "Microsoft.SecurityDetonation/chambers/platforms/metadata/read",
        "Microsoft.SecurityDetonation/chambers/workflows/metadata/read",
        "Microsoft.SecurityDetonation/chambers/toolsets/metadata/read"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-01-18T09:35:36.5739297Z",
  "updatedOn": "2021-05-23T13:38:47.4627306Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Security Detonation Chamber Submitter",
  "type": "BuiltInRole",
  "description": "Allowed to create submissions to Security Detonation Chamber",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.SecurityDetonation/chambers/submissions/delete",
        "Microsoft.SecurityDetonation/chambers/submissions/write",
        "Microsoft.SecurityDetonation/chambers/submissions/read",
        "Microsoft.SecurityDetonation/chambers/submissions/files/read",
        "Microsoft.SecurityDetonation/chambers/submissions/accesskeyview/read",
        "Microsoft.SecurityDetonation/chambers/platforms/metadata/read",
        "Microsoft.SecurityDetonation/chambers/workflows/metadata/read",
        "Microsoft.SecurityDetonation/chambers/toolsets/metadata/read"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-10-01T08:55:21.3980274Z",
  "updatedOn": "2021-05-23T13:37:59.3020751Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Security Manager (Legacy)",
  "type": "BuiltInRole",
  "description": "This is a legacy role. Please use Security Administrator instead",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ClassicCompute/*/read",
        "Microsoft.ClassicCompute/virtualMachines/*/write",
        "Microsoft.ClassicNetwork/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Security/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2015-06-22T17:45:15.8986455Z",
  "updatedOn": "2018-03-08T18:18:48.618362Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Security Reader",
  "type": "BuiltInRole",
  "description": "Security Reader Role",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/read",
        "Microsoft.operationalInsights/workspaces/*/read",
        "Microsoft.Resources/deployments/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Security/*/read",
        "Microsoft.IoTSecurity/*/read",
        "Microsoft.Support/*/read",
        "Microsoft.Security/iotDefenderSettings/packageDownloads/action",
        "Microsoft.Security/iotDefenderSettings/downloadManagerActivation/action",
        "Microsoft.Security/iotSensors/downloadResetPassword/action",
        "Microsoft.IoTSecurity/defenderSettings/packageDownloads/action",
        "Microsoft.IoTSecurity/defenderSettings/downloadManagerActivation/action",
        "Microsoft.Management/managementGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2017-05-03T07:48:49.0516559Z",
  "updatedOn": "2021-08-12T19:22:38.6335136Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false true 2 /providers/Microsoft.Management/managementGroups/ESJH-decommissioned/providers/Microsoft.Authorization/roleAssignments/9bdf3098-8e69-4e98-bd8c-22b991783b10, /providers/Microsoft.Management/managementGroups/ESJHQA/providers/Microsoft.Authorization/roleAssignments/e010f291-49a9-4d4b-be4d-55c6aeb164cd
{
  "roleName": "Services Hub Operator",
  "type": "BuiltInRole",
  "description": "Services Hub Operator allows you to perform all read, write, and deletion operations related to Services Hub Connectors.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.ServicesHub/connectors/write",
        "Microsoft.ServicesHub/connectors/read",
        "Microsoft.ServicesHub/connectors/delete",
        "Microsoft.ServicesHub/connectors/checkAssessmentEntitlement/action",
        "Microsoft.ServicesHub/supportOfferingEntitlement/read",
        "Microsoft.ServicesHub/workspaces/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-07-20T17:57:22.0644902Z",
  "updatedOn": "2020-10-06T17:18:28.4647301Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "SignalR AccessKey Reader",
  "type": "BuiltInRole",
  "description": "Read SignalR Service Access Keys",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.SignalRService/*/read",
        "Microsoft.SignalRService/SignalR/listkeys/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-09-20T09:33:19.6236874Z",
  "updatedOn": "2019-09-20T09:33:19.6236874Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "SignalR App Server (Preview)",
  "type": "BuiltInRole",
  "description": "Lets your app server access SignalR Service with AAD auth options.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.SignalRService/SignalR/auth/accessKey/action",
        "Microsoft.SignalRService/SignalR/serverConnection/write"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-07-29T06:54:40.1201435Z",
  "updatedOn": "2020-10-23T08:23:46.8454102Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "SignalR Contributor",
  "type": "BuiltInRole",
  "description": "Create, Read, Update, and Delete SignalR service resources",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.SignalRService/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-09-20T09:58:09.0009662Z",
  "updatedOn": "2019-09-20T09:58:09.0009662Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "SignalR Serverless Contributor (Preview)",
  "type": "BuiltInRole",
  "description": "Lets your app access service in serverless mode with AAD auth options.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.SignalRService/SignalR/auth/clientToken/action"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-07-29T09:35:32.2764751Z",
  "updatedOn": "2020-10-23T08:24:24.5713531Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "SignalR Service Owner",
  "type": "BuiltInRole",
  "description": "Full access to Azure SignalR Service REST APIs",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.SignalRService/SignalR/auth/accessKey/action",
        "Microsoft.SignalRService/SignalR/auth/clientToken/action",
        "Microsoft.SignalRService/SignalR/hub/send/action",
        "Microsoft.SignalRService/SignalR/group/send/action",
        "Microsoft.SignalRService/SignalR/group/read",
        "Microsoft.SignalRService/SignalR/group/write",
        "Microsoft.SignalRService/SignalR/clientConnection/send/action",
        "Microsoft.SignalRService/SignalR/clientConnection/read",
        "Microsoft.SignalRService/SignalR/clientConnection/write",
        "Microsoft.SignalRService/SignalR/serverConnection/write",
        "Microsoft.SignalRService/SignalR/user/send/action",
        "Microsoft.SignalRService/SignalR/user/read",
        "Microsoft.SignalRService/SignalR/user/write"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-10-13T09:20:32.150141Z",
  "updatedOn": "2021-07-29T06:21:59.2498506Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "SignalR Service Reader (Preview)",
  "type": "BuiltInRole",
  "description": "Read-only access to Azure SignalR Service REST APIs",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.SignalRService/SignalR/group/read",
        "Microsoft.SignalRService/SignalR/clientConnection/read",
        "Microsoft.SignalRService/SignalR/user/read"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-10-13T09:19:05.6463616Z",
  "updatedOn": "2020-10-23T08:25:22.892813Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Site Recovery Contributor",
  "type": "BuiltInRole",
  "description": "Lets you manage Site Recovery service except vault creation and role assignment",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.RecoveryServices/locations/allocatedStamp/read",
        "Microsoft.RecoveryServices/locations/allocateStamp/action",
        "Microsoft.RecoveryServices/Vaults/certificates/write",
        "Microsoft.RecoveryServices/Vaults/extendedInformation/*",
        "Microsoft.RecoveryServices/Vaults/read",
        "Microsoft.RecoveryServices/Vaults/refreshContainers/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/*",
        "Microsoft.RecoveryServices/vaults/replicationAlertSettings/*",
        "Microsoft.RecoveryServices/vaults/replicationEvents/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/*",
        "Microsoft.RecoveryServices/vaults/replicationJobs/*",
        "Microsoft.RecoveryServices/vaults/replicationPolicies/*",
        "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/*",
        "Microsoft.RecoveryServices/Vaults/storageConfig/*",
        "Microsoft.RecoveryServices/Vaults/tokenInfo/read",
        "Microsoft.RecoveryServices/Vaults/usages/read",
        "Microsoft.RecoveryServices/Vaults/vaultTokens/read",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/*",
        "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.RecoveryServices/vaults/replicationOperationStatus/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2017-05-19T13:46:17.4592776Z",
  "updatedOn": "2019-11-07T06:13:49.0760858Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Site Recovery Operator",
  "type": "BuiltInRole",
  "description": "Lets you failover and failback but not perform other Site Recovery management operations",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.RecoveryServices/locations/allocatedStamp/read",
        "Microsoft.RecoveryServices/locations/allocateStamp/action",
        "Microsoft.RecoveryServices/Vaults/extendedInformation/read",
        "Microsoft.RecoveryServices/Vaults/read",
        "Microsoft.RecoveryServices/Vaults/refreshContainers/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/read",
        "Microsoft.RecoveryServices/vaults/replicationAlertSettings/read",
        "Microsoft.RecoveryServices/vaults/replicationEvents/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/checkConsistency/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/reassociateGateway/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/renewcertificate/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/applyRecoveryPoint/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/failoverCommit/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/plannedFailover/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/repairReplication/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/reProtect/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/switchprotection/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailover/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailoverCleanup/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/unplannedFailover/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/updateMobilityService/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/refreshProvider/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/read",
        "Microsoft.RecoveryServices/vaults/replicationJobs/*",
        "Microsoft.RecoveryServices/vaults/replicationPolicies/read",
        "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/failoverCommit/action",
        "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/plannedFailover/action",
        "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/read",
        "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/reProtect/action",
        "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailover/action",
        "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailoverCleanup/action",
        "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/unplannedFailover/action",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/*",
        "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read",
        "Microsoft.RecoveryServices/Vaults/storageConfig/read",
        "Microsoft.RecoveryServices/Vaults/tokenInfo/read",
        "Microsoft.RecoveryServices/Vaults/usages/read",
        "Microsoft.RecoveryServices/Vaults/vaultTokens/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2017-05-19T13:47:50.1341148Z",
  "updatedOn": "2019-08-28T12:00:57.4472826Z",
  "createdBy": null,
  "updatedBy": ""
}
Builtin false false 0 n/a
{
  "roleName": "Site Recovery Reader",
  "type": "BuiltInRole",
  "description": "Lets you view Site Recovery status but not perform other management operations",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.RecoveryServices/locations/allocatedStamp/read",
        "Microsoft.RecoveryServices/Vaults/extendedInformation/read",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/read",
        "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read",
        "Microsoft.RecoveryServices/Vaults/read",
        "Microsoft.RecoveryServices/Vaults/refreshContainers/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/read",
        "Microsoft.RecoveryServices/vaults/replicationAlertSettings/read",
        "Microsoft.RecoveryServices/vaults/replicationEvents/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/read",
        "Microsoft.RecoveryServices/vaults/replicationJobs/read",
        "Microsoft.RecoveryServices/vaults/replicationPolicies/read",
        "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/read",
        "Microsoft.RecoveryServices/Vaults/storageConfig/read",
        "Microsoft.RecoveryServices/Vaults/tokenInfo/read",
        "Microsoft.RecoveryServices/Vaults/usages/read",
        "Microsoft.RecoveryServices/Vaults/vaultTokens/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2017-05-19T13:35:40.0093634Z",
  "updatedOn": "2017-05-26T19:54:51.393325Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Spatial Anchors Account Contributor",
  "type": "BuiltInRole",
  "description": "Lets you manage spatial anchors in your account, but not delete them",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.MixedReality/SpatialAnchorsAccounts/create/action",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/query/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/write"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2018-12-21T17:57:41.1420864Z",
  "updatedOn": "2019-02-13T06:13:39.8686435Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Spatial Anchors Account Owner",
  "type": "BuiltInRole",
  "description": "Lets you manage spatial anchors in your account, including deleting them",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.MixedReality/SpatialAnchorsAccounts/create/action",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/delete",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/query/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/write"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2018-12-21T17:57:43.5489832Z",
  "updatedOn": "2019-02-13T06:15:31.8572222Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Spatial Anchors Account Reader",
  "type": "BuiltInRole",
  "description": "Lets you locate and read properties of spatial anchors in your account",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/query/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2018-12-21T17:57:42.9271004Z",
  "updatedOn": "2019-02-13T06:16:15.3170663Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "SQL DB Contributor",
  "type": "BuiltInRole",
  "description": "Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Sql/locations/*/read",
        "Microsoft.Sql/servers/databases/*",
        "Microsoft.Sql/servers/read",
        "Microsoft.Support/*",
        "Microsoft.Insights/metrics/read",
        "Microsoft.Insights/metricDefinitions/read"
      ],
      "notActions": [
        "Microsoft.Sql/servers/databases/ledgerDigestUploads/write",
        "Microsoft.Sql/servers/databases/ledgerDigestUploads/disable/action",
        "Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*",
        "Microsoft.Sql/managedInstances/databases/sensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*",
        "Microsoft.Sql/managedInstances/securityAlertPolicies/*",
        "Microsoft.Sql/managedInstances/vulnerabilityAssessments/*",
        "Microsoft.Sql/servers/databases/auditingSettings/*",
        "Microsoft.Sql/servers/databases/auditRecords/read",
        "Microsoft.Sql/servers/databases/currentSensitivityLabels/*",
        "Microsoft.Sql/servers/databases/dataMaskingPolicies/*",
        "Microsoft.Sql/servers/databases/extendedAuditingSettings/*",
        "Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*",
        "Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*",
        "Microsoft.Sql/servers/databases/securityAlertPolicies/*",
        "Microsoft.Sql/servers/databases/securityMetrics/*",
        "Microsoft.Sql/servers/databases/sensitivityLabels/*",
        "Microsoft.Sql/servers/databases/vulnerabilityAssessments/*",
        "Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*",
        "Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*",
        "Microsoft.Sql/servers/vulnerabilityAssessments/*"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2015-02-02T21:55:09.8806423Z",
  "updatedOn": "2021-06-09T20:32:10.4467708Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "SQL Managed Instance Contributor",
  "type": "BuiltInRole",
  "description": "Lets you manage SQL Managed Instances and required network configuration, but can’t give access to others.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Network/networkSecurityGroups/*",
        "Microsoft.Network/routeTables/*",
        "Microsoft.Sql/locations/*/read",
        "Microsoft.Sql/locations/instanceFailoverGroups/*",
        "Microsoft.Sql/managedInstances/*",
        "Microsoft.Support/*",
        "Microsoft.Network/virtualNetworks/subnets/*",
        "Microsoft.Network/virtualNetworks/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/metrics/read",
        "Microsoft.Insights/metricDefinitions/read"
      ],
      "notActions": [
        "Microsoft.Sql/managedInstances/azureADOnlyAuthentications/delete",
        "Microsoft.Sql/managedInstances/azureADOnlyAuthentications/write"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2018-12-10T22:57:14.2937983Z",
  "updatedOn": "2020-09-23T23:26:54.2667459Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "SQL Security Manager",
  "type": "BuiltInRole",
  "description": "Lets you manage the security-related policies of SQL servers and databases, but not access to them.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Sql/locations/administratorAzureAsyncOperation/read",
        "Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*",
        "Microsoft.Sql/managedInstances/databases/sensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*",
        "Microsoft.Sql/managedInstances/securityAlertPolicies/*",
        "Microsoft.Sql/managedInstances/databases/transparentDataEncryption/*",
        "Microsoft.Sql/managedInstances/vulnerabilityAssessments/*",
        "Microsoft.Sql/servers/auditingSettings/*",
        "Microsoft.Sql/servers/extendedAuditingSettings/read",
        "Microsoft.Sql/servers/databases/auditingSettings/*",
        "Microsoft.Sql/servers/databases/auditRecords/read",
        "Microsoft.Sql/servers/databases/currentSensitivityLabels/*",
        "Microsoft.Sql/servers/databases/dataMaskingPolicies/*",
        "Microsoft.Sql/servers/databases/extendedAuditingSettings/read",
        "Microsoft.Sql/servers/databases/read",
        "Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*",
        "Microsoft.Sql/servers/databases/schemas/read",
        "Microsoft.Sql/servers/databases/schemas/tables/columns/read",
        "Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*",
        "Microsoft.Sql/servers/databases/schemas/tables/read",
        "Microsoft.Sql/servers/databases/securityAlertPolicies/*",
        "Microsoft.Sql/servers/databases/securityMetrics/*",
        "Microsoft.Sql/servers/databases/sensitivityLabels/*",
        "Microsoft.Sql/servers/databases/transparentDataEncryption/*",
        "Microsoft.Sql/servers/databases/vulnerabilityAssessments/*",
        "Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*",
        "Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*",
        "Microsoft.Sql/servers/devOpsAuditingSettings/*",
        "Microsoft.Sql/servers/firewallRules/*",
        "Microsoft.Sql/servers/read",
        "Microsoft.Sql/servers/securityAlertPolicies/*",
        "Microsoft.Sql/servers/vulnerabilityAssessments/*",
        "Microsoft.Support/*",
        "Microsoft.Sql/servers/azureADOnlyAuthentications/*",
        "Microsoft.Sql/managedInstances/read",
        "Microsoft.Sql/managedInstances/azureADOnlyAuthentications/*",
        "Microsoft.Security/sqlVulnerabilityAssessments/*",
        "Microsoft.Sql/managedInstances/administrators/read",
        "Microsoft.Sql/servers/administrators/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2015-06-16T18:44:40.4607572Z",
  "updatedOn": "2021-03-08T21:18:46.2003218Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "SQL Server Contributor",
  "type": "BuiltInRole",
  "description": "Lets you manage SQL servers and databases, but not access to them, and not their security -related policies.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Sql/locations/*/read",
        "Microsoft.Sql/servers/*",
        "Microsoft.Support/*",
        "Microsoft.Insights/metrics/read",
        "Microsoft.Insights/metricDefinitions/read"
      ],
      "notActions": [
        "Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*",
        "Microsoft.Sql/managedInstances/databases/sensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*",
        "Microsoft.Sql/managedInstances/securityAlertPolicies/*",
        "Microsoft.Sql/managedInstances/vulnerabilityAssessments/*",
        "Microsoft.Sql/servers/auditingSettings/*",
        "Microsoft.Sql/servers/databases/auditingSettings/*",
        "Microsoft.Sql/servers/databases/auditRecords/read",
        "Microsoft.Sql/servers/databases/currentSensitivityLabels/*",
        "Microsoft.Sql/servers/databases/dataMaskingPolicies/*",
        "Microsoft.Sql/servers/databases/extendedAuditingSettings/*",
        "Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*",
        "Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*",
        "Microsoft.Sql/servers/databases/securityAlertPolicies/*",
        "Microsoft.Sql/servers/databases/securityMetrics/*",
        "Microsoft.Sql/servers/databases/sensitivityLabels/*",
        "Microsoft.Sql/servers/databases/vulnerabilityAssessments/*",
        "Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*",
        "Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*",
        "Microsoft.Sql/servers/devOpsAuditingSettings/*",
        "Microsoft.Sql/servers/extendedAuditingSettings/*",
        "Microsoft.Sql/servers/securityAlertPolicies/*",
        "Microsoft.Sql/servers/vulnerabilityAssessments/*",
        "Microsoft.Sql/servers/azureADOnlyAuthentications/delete",
        "Microsoft.Sql/servers/azureADOnlyAuthentications/write"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2015-02-02T21:55:09.8806423Z",
  "updatedOn": "2021-03-08T21:19:28.9102955Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Storage Account Backup Contributor Role",
  "type": "BuiltInRole",
  "description": "Storage Account Backup Contributors are allowed to perform backup and restore of Storage Account.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Authorization/locks/read",
        "Microsoft.Authorization/locks/write",
        "Microsoft.Authorization/locks/delete",
        "Microsoft.Features/features/read",
        "Microsoft.Features/providers/features/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/operations/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/read",
        "Microsoft.Storage/storageAccounts/blobServices/write",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/restoreBlobRanges/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-11-02T23:32:50.4203469Z",
  "updatedOn": "2020-11-18T22:53:07.0632395Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Storage Account Contributor",
  "type": "BuiltInRole",
  "description": "Lets you manage storage accounts, including accessing storage account keys which provide full access to storage account data.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/diagnosticSettings/*",
        "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2015-06-02T00:18:27.3542698Z",
  "updatedOn": "2019-05-29T20:56:33.9582501Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Storage Account Key Operator Service Role",
  "type": "BuiltInRole",
  "description": "Storage Account Key Operators are allowed to list and regenerate keys on Storage Accounts",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/listkeys/action",
        "Microsoft.Storage/storageAccounts/regeneratekey/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2017-04-13T18:26:11.577057Z",
  "updatedOn": "2017-04-13T20:57:14.5990198Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Storage Blob Data Contributor",
  "type": "BuiltInRole",
  "description": "Allows for read, write and delete access to Azure Storage blob containers and data",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write",
        "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2017-12-21T00:01:24.7972312Z",
  "updatedOn": "2021-02-04T07:04:50.1529191Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Storage Blob Data Owner",
  "type": "BuiltInRole",
  "description": "Allows for full access to Azure Storage blob containers and data, including assigning POSIX access control.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/*",
        "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2018-12-04T07:02:58.2775257Z",
  "updatedOn": "2019-07-16T21:30:33.7002563Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Storage Blob Data Reader",
  "type": "BuiltInRole",
  "description": "Allows for read access to Azure Storage blob containers and data",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2017-12-21T00:01:24.7972312Z",
  "updatedOn": "2019-07-15T22:01:25.5409721Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Storage Blob Delegator",
  "type": "BuiltInRole",
  "description": "Allows for generation of a user delegation key which can be used to sign SAS tokens",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-07-23T00:51:16.3376761Z",
  "updatedOn": "2019-07-23T01:14:31.8778475Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Storage File Data SMB Share Contributor",
  "type": "BuiltInRole",
  "description": "Allows for read, write, and delete access in Azure Storage file shares over SMB",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read",
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write",
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-07-01T20:54:35.483431Z",
  "updatedOn": "2019-08-07T01:05:24.4309872Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Storage File Data SMB Share Elevated Contributor",
  "type": "BuiltInRole",
  "description": "Allows for read, write, delete and modify NTFS permission access in Azure Storage file shares over SMB",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read",
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write",
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete",
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-08-07T01:35:36.9935457Z",
  "updatedOn": "2019-08-07T01:35:36.9935457Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Storage File Data SMB Share Reader",
  "type": "BuiltInRole",
  "description": "Allows for read access to Azure File Share over SMB",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-07-01T20:19:31.8620471Z",
  "updatedOn": "2019-08-07T01:00:41.9223409Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Storage Queue Data Contributor",
  "type": "BuiltInRole",
  "description": "Allows for read, write, and delete access to Azure Storage queues and queue messages",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/queueServices/queues/delete",
        "Microsoft.Storage/storageAccounts/queueServices/queues/read",
        "Microsoft.Storage/storageAccounts/queueServices/queues/write"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete",
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/write",
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2017-12-21T00:01:24.7972312Z",
  "updatedOn": "2021-01-25T01:32:24.1141692Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Storage Queue Data Message Processor",
  "type": "BuiltInRole",
  "description": "Allows for peek, receive, and delete access to Azure Storage queue messages",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-01-28T22:27:04.8947111Z",
  "updatedOn": "2019-03-05T22:05:46.1259125Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Storage Queue Data Message Sender",
  "type": "BuiltInRole",
  "description": "Allows for sending of Azure Storage queue messages",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-01-28T22:28:34.7459724Z",
  "updatedOn": "2019-03-05T22:11:49.6383892Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Storage Queue Data Reader",
  "type": "BuiltInRole",
  "description": "Allows for read access to Azure Storage queues and queue messages",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/queueServices/queues/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2017-12-21T00:01:24.7972312Z",
  "updatedOn": "2019-03-05T22:17:32.1779262Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Storage Table Data Contributor",
  "type": "BuiltInRole",
  "description": "Allows for read, write and delete access to Azure Storage tables and entities",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/tableServices/tables/read",
        "Microsoft.Storage/storageAccounts/tableServices/tables/write",
        "Microsoft.Storage/storageAccounts/tableServices/tables/delete"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/tableServices/tables/entities/read",
        "Microsoft.Storage/storageAccounts/tableServices/tables/entities/write",
        "Microsoft.Storage/storageAccounts/tableServices/tables/entities/delete",
        "Microsoft.Storage/storageAccounts/tableServices/tables/entities/add/action",
        "Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/action"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-06-15T06:51:59.820761Z",
  "updatedOn": "2021-06-15T06:51:59.820761Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Storage Table Data Reader",
  "type": "BuiltInRole",
  "description": "Allows for read access to Azure Storage tables and entities",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/tableServices/tables/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/tableServices/tables/entities/read"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-06-15T06:40:54.9150717Z",
  "updatedOn": "2021-06-15T06:40:54.9150717Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Stream Analytics Query Tester",
  "type": "BuiltInRole",
  "description": "Lets you perform query testing without creating a stream analytics job first",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.StreamAnalytics/locations/TestQuery/action",
        "Microsoft.StreamAnalytics/locations/OperationResults/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-04-20T17:33:24.572787Z",
  "updatedOn": "2021-08-06T01:50:49.9913401Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Support Request Contributor",
  "type": "BuiltInRole",
  "description": "Lets you create and manage Support requests",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2017-06-22T22:25:37.8053068Z",
  "updatedOn": "2017-06-23T01:06:24.2399631Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Tag Contributor",
  "type": "BuiltInRole",
  "description": "Lets you manage tags on entities, without providing access to the entities themselves.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/resourceGroups/resources/read",
        "Microsoft.Resources/subscriptions/resources/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Support/*",
        "Microsoft.Resources/tags/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2020-02-18T23:19:19.2977644Z",
  "updatedOn": "2020-02-19T00:04:58.9214962Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false true 1 /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleAssignments/1dd61049-04b7-4058-af49-01f9b83159b2
{
  "properties": {
    "roleName": "Task4638Role",
    "type": "CustomRole",
    "description": "",
    "assignableScopes": [
      "/subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Resources/subscriptions/resourcegroups/deployments/read",
          "Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read",
          "Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read",
          "Microsoft.Resources/subscriptions/resourcegroups/resources/read"
        ],
        "notActions": []
      }
    ],
    "createdOn": "2021-01-25T22:22:09.7242156Z",
    "updatedOn": "2021-01-25T22:22:09.7242156Z",
    "createdBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149",
    "updatedBy": "b790b1e1-6f46-488b-8c5a-708b0db9a149"
  },
  "id": "/subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleDefinitions/8808ebf9-4602-4635-a9b8-6c0f002695be",
  "type": "Microsoft.Authorization/roleDefinitions",
  "name": "8808ebf9-4602-4635-a9b8-6c0f002695be"
}
Custom false false 0 n/a
{
  "roleName": "Test Base Reader",
  "type": "BuiltInRole",
  "description": "Let you view and download packages and test results.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.TestBase/testBaseAccounts/packages/testResults/getDownloadUrl/action",
        "Microsoft.TestBase/testBaseAccounts/packages/testResults/getVideoDownloadUrl/action",
        "Microsoft.TestBase/testBaseAccounts/packages/getDownloadUrl/action",
        "Microsoft.TestBase/*/read",
        "Microsoft.TestBase/testBaseAccounts/customerEvents/write",
        "Microsoft.TestBase/testBaseAccounts/customerEvents/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-05-11T23:41:33.1038367Z",
  "updatedOn": "2021-08-05T17:31:17.3235039Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "properties": {
    "roleName": "testRole3366",
    "type": "CustomRole",
    "description": "test custom role requestId 3366",
    "assignableScopes": [
      "/subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f"
    ],
    "permissions": [
      {
        "actions": [
          "*"
        ],
        "notActions": [
          "Microsoft.Authorization/*/Write",
          "Microsoft.Authorization/elevateAccess/Action",
          "Microsoft.Blueprint/blueprintAssignments/write",
          "Microsoft.Blueprint/blueprintAssignments/delete",
          "Microsoft.Compute/galleries/share/action"
        ]
      }
    ],
    "createdOn": "2021-07-18T15:22:38.3553982Z",
    "updatedOn": "2021-07-19T19:45:44.3902957Z",
    "createdBy": "acf4c68f-7b15-4d70-935b-26116fc2426a",
    "updatedBy": "c64d2776-a210-428f-b54f-a4a5dd7f8ef8"
  },
  "id": "/subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleDefinitions/f548f1ea-48f1-4a74-9061-b5dacacf514a",
  "type": "Microsoft.Authorization/roleDefinitions",
  "name": "f548f1ea-48f1-4a74-9061-b5dacacf514a"
}
Custom false false 0 n/a
{
  "properties": {
    "roleName": "testRole3367",
    "type": "CustomRole",
    "description": "testing only",
    "assignableScopes": [
      "/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466"
    ],
    "permissions": [
      {
        "actions": [
          "*/read"
        ],
        "notActions": []
      }
    ],
    "createdOn": "2021-08-04T15:34:15.7913717Z",
    "updatedOn": "2021-08-04T15:34:15.7913717Z",
    "createdBy": "acf4c68f-7b15-4d70-935b-26116fc2426a",
    "updatedBy": "acf4c68f-7b15-4d70-935b-26116fc2426a"
  },
  "id": "/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/providers/Microsoft.Authorization/roleDefinitions/f7028056-3a12-43ac-a499-0d1844a02240",
  "type": "Microsoft.Authorization/roleDefinitions",
  "name": "f7028056-3a12-43ac-a499-0d1844a02240"
}
Custom false false 0 n/a
{
  "properties": {
    "roleName": "testRole3368",
    "type": "CustomRole",
    "description": "testing only",
    "assignableScopes": [
      "/providers/microsoft.management/managementgroups/esjhdev"
    ],
    "permissions": [
      {
        "actions": [
          "*/read"
        ],
        "notActions": []
      }
    ],
    "createdOn": "2021-08-04T15:36:21.8771946Z",
    "updatedOn": "2021-08-04T15:36:21.8771946Z",
    "createdBy": "acf4c68f-7b15-4d70-935b-26116fc2426a",
    "updatedBy": "acf4c68f-7b15-4d70-935b-26116fc2426a"
  },
  "id": "/providers/Microsoft.Authorization/roleDefinitions/08a2d627-a94e-461e-8350-432b457d00a3",
  "type": "Microsoft.Authorization/roleDefinitions",
  "name": "08a2d627-a94e-461e-8350-432b457d00a3"
}
Custom false false 0 n/a
{
  "roleName": "Traffic Manager Contributor",
  "type": "BuiltInRole",
  "description": "Lets you manage Traffic Manager profiles, but does not let you control who has access to them.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Network/trafficManagerProfiles/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2015-10-15T23:33:25.9730842Z",
  "updatedOn": "2016-05-31T23:13:44.1458854Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "User Access Administrator",
  "type": "BuiltInRole",
  "description": "Lets you manage user access to Azure resources.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.Authorization/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2015-02-02T21:55:09.8806423Z",
  "updatedOn": "2019-02-05T21:24:12.6807454Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false true 3 /providers/Microsoft.Authorization/roleAssignments/0c3ffd6f-942d-433d-8abd-2d0d7f4383e1, /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleAssignments/6bbd9ae3-1189-40bb-8170-7e8674b79159, /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleAssignments/70e14253-25d3-447f-9356-ac32985062a4
{
  "roleName": "Virtual Machine Administrator Login",
  "type": "BuiltInRole",
  "description": "View Virtual Machines in the portal and login as administrator",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Compute/virtualMachines/*/read",
        "Microsoft.HybridCompute/machines/*/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Compute/virtualMachines/login/action",
        "Microsoft.Compute/virtualMachines/loginAsAdmin/action",
        "Microsoft.HybridCompute/machines/login/action",
        "Microsoft.HybridCompute/machines/loginAsAdmin/action"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2018-02-09T18:36:13.3315744Z",
  "updatedOn": "2021-07-30T19:58:47.4481268Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Virtual Machine Contributor",
  "type": "BuiltInRole",
  "description": "Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Compute/availabilitySets/*",
        "Microsoft.Compute/locations/*",
        "Microsoft.Compute/virtualMachines/*",
        "Microsoft.Compute/virtualMachineScaleSets/*",
        "Microsoft.Compute/disks/write",
        "Microsoft.Compute/disks/read",
        "Microsoft.Compute/disks/delete",
        "Microsoft.DevTestLab/schedules/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Network/applicationGateways/backendAddressPools/join/action",
        "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
        "Microsoft.Network/loadBalancers/inboundNatPools/join/action",
        "Microsoft.Network/loadBalancers/inboundNatRules/join/action",
        "Microsoft.Network/loadBalancers/probes/join/action",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/locations/*",
        "Microsoft.Network/networkInterfaces/*",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/publicIPAddresses/join/action",
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.RecoveryServices/locations/*",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/read",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/write",
        "Microsoft.RecoveryServices/Vaults/read",
        "Microsoft.RecoveryServices/Vaults/usages/read",
        "Microsoft.RecoveryServices/Vaults/write",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.SqlVirtualMachine/*",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2015-06-02T00:18:27.3542698Z",
  "updatedOn": "2020-02-03T19:38:21.2170228Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Virtual Machine User Login",
  "type": "BuiltInRole",
  "description": "View Virtual Machines in the portal and login as a regular user.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Compute/virtualMachines/*/read",
        "Microsoft.HybridCompute/machines/*/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Compute/virtualMachines/login/action",
        "Microsoft.HybridCompute/machines/login/action"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2018-02-09T18:36:13.3315744Z",
  "updatedOn": "2021-07-30T20:00:01.2397508Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Web Plan Contributor",
  "type": "BuiltInRole",
  "description": "Lets you manage the web plans for websites, but not access to them.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Web/serverFarms/*",
        "Microsoft.Web/hostingEnvironments/Join/Action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2015-02-02T21:55:09.8806423Z",
  "updatedOn": "2019-03-26T18:17:34.5018645Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Web PubSub Service Owner (Preview)",
  "type": "BuiltInRole",
  "description": "Full access to Azure Web PubSub Service REST APIs",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.SignalRService/WebPubSub/clientConnection/read",
        "Microsoft.SignalRService/WebPubSub/clientConnection/send/action",
        "Microsoft.SignalRService/WebPubSub/clientConnection/write",
        "Microsoft.SignalRService/WebPubSub/group/read",
        "Microsoft.SignalRService/WebPubSub/group/send/action",
        "Microsoft.SignalRService/WebPubSub/group/write",
        "Microsoft.SignalRService/WebPubSub/hub/send/action",
        "Microsoft.SignalRService/WebPubSub/user/read",
        "Microsoft.SignalRService/WebPubSub/user/send/action"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-03-24T09:10:11.833518Z",
  "updatedOn": "2021-03-24T09:28:41.8434072Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Web PubSub Service Reader (Preview)",
  "type": "BuiltInRole",
  "description": "Read-only access to Azure Web PubSub Service REST APIs",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.SignalRService/WebPubSub/clientConnection/read",
        "Microsoft.SignalRService/WebPubSub/group/read",
        "Microsoft.SignalRService/WebPubSub/user/read"
      ],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-03-24T09:11:12.6235436Z",
  "updatedOn": "2021-03-24T09:30:51.2337584Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin true false 0 n/a
{
  "roleName": "Website Contributor",
  "type": "BuiltInRole",
  "description": "Lets you manage websites (not web plans), but not access to them.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/components/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Web/certificates/*",
        "Microsoft.Web/listSitesAssignedToHostName/read",
        "Microsoft.Web/serverFarms/join/action",
        "Microsoft.Web/serverFarms/read",
        "Microsoft.Web/sites/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2015-05-12T23:10:23.6193952Z",
  "updatedOn": "2019-02-05T21:24:46.9407288Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Workbook Contributor",
  "type": "BuiltInRole",
  "description": "Can save shared workbooks.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Insights/workbooks/write",
        "Microsoft.Insights/workbooks/delete",
        "Microsoft.Insights/workbooks/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-08-28T20:59:42.4820277Z",
  "updatedOn": "2020-01-22T00:05:20.938721Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "Workbook Reader",
  "type": "BuiltInRole",
  "description": "Can read workbooks.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "microsoft.insights/workbooks/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2019-08-28T20:56:17.680814Z",
  "updatedOn": "2019-08-28T21:43:05.0202124Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a
{
  "roleName": "WorkloadBuilder Migration Agent Role",
  "type": "BuiltInRole",
  "description": "WorkloadBuilder Migration Agent Role.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.WorkloadBuilder/migrationAgents/Read",
        "Microsoft.WorkloadBuilder/migrationAgents/Write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "createdOn": "2021-03-11T17:07:20.0828003Z",
  "updatedOn": "2021-03-11T17:07:20.0828003Z",
  "createdBy": null,
  "updatedBy": null
}
Builtin false false 0 n/a

ScopeInsights


Management Group Name: Tenant Root Group

Management Group Id: 896470ca-9c6e-4176-9b38-5a655403c638

Management Group Path: 896470ca-9c6e-4176-9b38-5a655403c638

10 ManagementGroups below this scope

2 Subscriptions below this scope


No Management Group Diagnostic settings

ChargeType ResourceType Category ResourceCount Cost (1d) Currency Subscriptions
usage arm advanced threat protection 2 0.0043548012 EUR 2
usage microsoft.storage advanced threat protection 2 0.0000134928 EUR 1
usage microsoft.storage storage 2 0.000015601968 EUR 1
ResourceType Location Count
microsoft.automation/automationaccounts westeurope 1
microsoft.automation/automationaccounts/runbooks westeurope 1
microsoft.keyvault/vaults westeurope 1
microsoft.managedidentity/userassignedidentities westeurope 1
microsoft.network/networksecuritygroups northeurope 1
microsoft.network/networksecuritygroups westeurope 3
microsoft.network/networkwatchers westeurope 1
microsoft.network/virtualnetworks westeurope 1
microsoft.operationalinsights/workspaces westeurope 1
microsoft.operationsmanagement/solutions westeurope 10
microsoft.storage/storageaccounts northeurope 1
microsoft.storage/storageaccounts westeurope 1
ResourceType Resource Count Diagnostics capable Metrics Logs LogCategories
microsoft.automation/automationaccounts 1 True True True JobLogs, JobStreams, DscNodeStatus
microsoft.automation/automationaccounts/runbooks 1 False False False
microsoft.keyvault/vaults 1 True True True AuditEvent
microsoft.managedidentity/userassignedidentities 1 False False False
microsoft.network/networksecuritygroups 4 True False True NetworkSecurityGroupEvent, NetworkSecurityGroupRuleCounter
microsoft.network/networkwatchers 1 False False False
microsoft.network/virtualnetworks 1 True True True VMProtectionAlerts
microsoft.operationalinsights/workspaces 1 True True True Audit
microsoft.operationsmanagement/solutions 10 False False False
microsoft.storage/storageaccounts 2 True True False

0 Policy assignments

0 PolicySet assignments

Policy Assignment Limit: 0/200

0 Custom Policy definitions scoped

0 Custom PolicySet definitions scoped

0 Blueprints scoped

Scope Role RoleId Role Type Data Identity Displayname Identity SignInName Identity ObjectId Identity Type Applicability Applies through membership Group Details Role AssignmentId Related Policy Assignment CreatedOn CreatedBy
inherited Tenant User Access Administrator 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Authorization/roleAssignments/0c3ffd6f-942d-433d-8abd-2d0d7f4383e1 none 2021-01-10 20:27:23 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited Tenant Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Authorization/roleAssignments/6c236776-529f-4132-b034-e399e1cd1a99 none 2021-01-10 20:51:02 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false AzOps n/a c295384a-33d9-475e-abaf-d2fb0274299a SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/30e36b53-bc6c-412b-a026-96fe7527e27b none 2021-07-06 12:42:21 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/eda95ae6-8581-4558-b3b9-b3cd05cce33d none 2021-06-16 13:58:06 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
thisScope MG Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false azgovvizwwcsecurity n/a e261446e-77d2-4cf5-a32a-0fbef8ee1333 SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/d7973c31-e58a-4af7-bbcb-a4bac69ba141 none 2021-04-27 16:53:54 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
thisScope MG Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false Jack Dalton JackDalton@AzGovViz.onmicrosoft.com c64d2776-a210-428f-b54f-a4a5dd7f8ef8 User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/2df03e9d-a1e3-41f5-a95e-efb2b4641f04 none 2021-07-19 19:38:25 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a

0 Subscriptions linked


Management Group Name: ESJH

Management Group Id: ESJH

Management Group Path: 896470ca-9c6e-4176-9b38-5a655403c638/ESJH

7 ManagementGroups below this scope

2 Subscriptions below this scope


No Management Group Diagnostic settings

ChargeType ResourceType Category ResourceCount Cost (1d) Currency Subscriptions
usage arm advanced threat protection 2 0.0043548012 EUR 2
usage microsoft.storage advanced threat protection 2 0.0000134928 EUR 1
usage microsoft.storage storage 2 0.000015601968 EUR 1
ResourceType Location Count
microsoft.automation/automationaccounts westeurope 1
microsoft.automation/automationaccounts/runbooks westeurope 1
microsoft.keyvault/vaults westeurope 1
microsoft.managedidentity/userassignedidentities westeurope 1
microsoft.network/networksecuritygroups northeurope 1
microsoft.network/networksecuritygroups westeurope 3
microsoft.network/networkwatchers westeurope 1
microsoft.network/virtualnetworks westeurope 1
microsoft.operationalinsights/workspaces westeurope 1
microsoft.operationsmanagement/solutions westeurope 10
microsoft.storage/storageaccounts northeurope 1
microsoft.storage/storageaccounts westeurope 1
ResourceType Resource Count Diagnostics capable Metrics Logs LogCategories
microsoft.automation/automationaccounts 1 True True True JobLogs, JobStreams, DscNodeStatus
microsoft.automation/automationaccounts/runbooks 1 False False False
microsoft.keyvault/vaults 1 True True True AuditEvent
microsoft.managedidentity/userassignedidentities 1 False False False
microsoft.network/networksecuritygroups 4 True False True NetworkSecurityGroupEvent, NetworkSecurityGroupRuleCounter
microsoft.network/networkwatchers 1 False False False
microsoft.network/virtualnetworks 1 True True True VMProtectionAlerts
microsoft.operationalinsights/workspaces 1 True True True Audit
microsoft.operationsmanagement/solutions 10 False False False
microsoft.storage/storageaccounts 2 True True False
Inheritance ScopeExcluded Exemption applies Policy DisplayName PolicyId Type Category Effect Parameters Enforcement NonCompliance Message Policies NonCmplnt Policies Compliant Resources NonCmplnt Resources Compliant Resources Conflicting Role/Assignment Assignment DisplayName AssignmentId AssignedBy CreatedOn CreatedBy UpdatedOn UpdatedBy
thisScope Mg false false Deploy Azure Defender settings in Azure Security Center. /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-asc-standard Custom Security Center DeployIfNotExists pricingTierAppServices=Standard, pricingTierArm=Standard, pricingTierContainerRegistry=Standard, pricingTierDns=Standard, pricingTierKeyVaults=Standard, pricingTierKubernetesService=Standard, pricingTierSqlServers=Standard, pricingTierStorageAccounts=Standard, pricingTierVms=Standard Default 0 1 0 2 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/538e5329-7b5d-511f-8c05-9c7c32dab0bf) Deploy-ASC-Defender /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-security n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
thisScope Mg false false Deploy Diagnostic Settings for Activity Log to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-activitylog Custom Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466, logsEnabled=True Default 0 1 0 2 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/e5ac6b58-4f31-5956-9082-78d97ba2453e) Deploy-AzActivity-Log /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-azactivity-log n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
thisScope Mg false false Configure Log Analytics agent on Azure Arc enabled Linux servers /providers/microsoft.authorization/policydefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf BuiltIn Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/ddc0ff3c-a3d0-5d5b-ba19-116b6572acbf) Deploy-Linux-Arc-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-lx-arc-monitoring n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
thisScope Mg false false Configure Log Analytics agent on Azure Arc enabled Windows servers /providers/microsoft.authorization/policydefinitions/69af7d4a-7b18-4044-93a9-2651498ef203 BuiltIn Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/38abf737-131b-52a2-90da-78943675bfed) Deploy-Windows-Arc-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-ws-arc-monitoring n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Inheritance ScopeExcluded PolicySet DisplayName PolicySetId Type Category Parameters Enforcement NonCompliance Message Policies NonCmplnt Policies Compliant Resources NonCmplnt Resources Compliant Resources Conflicting Role/Assignment Assignment DisplayName AssignmentId AssignedBy CreatedOn CreatedBy UpdatedOn UpdatedBy
thisScope Mg false Azure Security Benchmark /providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 BuiltIn Security Center Default 22 16 12 0 0 none ASC-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-monitoring n/a 2021-01-10 21:00:45 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
thisScope Mg false Deploy Diagnostic Settings to Azure Services /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics Custom Monitoring logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 4 0 7 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/45afca7b-a696-5947-a47f-960081dd1dbc) Deploy-Resource-Diag /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
thisScope Mg false Enable Azure Monitor for VMs /providers/microsoft.authorization/policysetdefinitions/55f3eceb-5573-4f18-9695-226972c6d74a BuiltIn Monitoring logAnalytics_1=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/5d92332d-fe07-5cef-9c6b-33e5025d6374) Deploy-VM-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vm-monitoring n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149 2021-07-09 16:04:52 ObjectType: SP App INT , ObjectDisplayName: AzOps, ObjectSignInName: n/a, ObjectId: c295384a-33d9-475e-abaf-d2fb0274299a
thisScope Mg false Enable Azure Monitor for Virtual Machine Scale Sets /providers/microsoft.authorization/policysetdefinitions/75714362-cae7-409e-9b99-a8e5075b7fad BuiltIn Monitoring logAnalytics_1=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/2d361fa3-7bd4-5234-9b12-1f54afa65870) Deploy-VMSS-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vmss-monitoring n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149

Policy Assignment Limit: 8/200

Policy DisplayName PolicyId Category Policy effect Role definitions Unique assignments Used in PolicySets
Application Gateway should be deployed with WAF enabled /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-appgw-without-waf Network Default: Deny; Allowed: Audit,Deny,Disabled n/a 0 0
Deny the creation of private DNS /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-private-dns-zones Network Default: Deny; Allowed: Audit,Deny,Disabled n/a 0 0
Deny the creation of public IP /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-publicip Network Default: Deny; Allowed: Audit,Deny,Disabled n/a 0 0
Deny vNet peering /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-erpeering Network Default: Deny; Allowed: Audit,Deny,Disabled n/a 0 0
Deploy a default budget on subscriptions /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-budget Budget Fixed: DeployIfNotExists Contributor 0 0
Deploy an Azure DDoS Protection Standard plan /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-ddosprotection Network Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Network Contributor 0 0
Deploy Azure Defender settings in Azure Security Center. /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-asc-standard Security Center Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Security Admin 1 (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-security) 0
Deploy Azure Firewall Manager policy in the subscription /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-firewallpolicy Network Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Network Contributor 0 0
Deploy Diagnostic Settings for Activity Log to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-activitylog Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 1 (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-azactivity-log) 0
Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-analysisservice Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for API Management to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-apimgmt Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-webserverfarm Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for App Service to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-website Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-applicationgateway Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for Automation to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-aa Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-datalakestore Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-function Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for Batch to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-batch Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-cdnendpoints Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-cognitiveservices Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for Container Instances to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-aci Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for Container Registry to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-acr Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-cosmosdb Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for Data Factory to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-datafactory Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-dlanalytics Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-mysql Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-postgresql Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for Databricks to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-databricks Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-eventgridsub Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-eventgridsystemtopic Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-eventgridtopic Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-eventhub Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-expressroute Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for Firewall to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-firewall Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for Front Door to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-frontdoor Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for HDInsight to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-hdinsight Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-iothub Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for Key Vault to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-keyvault Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-aks Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-loadbalancer Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-logicappsise Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for Logic Apps Workflow runtime to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-logicappswf Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-mlworkspace Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for MariaDB to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-mariadb Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-nic Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-networksecuritygroups Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-powerbiembedded Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-publicip Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for Recovery Services vaults to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-recoveryvault Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-rediscache Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for Relay to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-relay Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for Search Services to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-searchservices Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-servicebus Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for SignalR to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-signalr Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-sqldbs Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-sqlelasticpools Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-sqlmi Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-streamanalytics Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-timeseriesinsights Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-trafficmanager Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-vmss Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-vm Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-virtualnetwork Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-vnetgw Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 1 (Deploy Diagnostic Settings to Azure Services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics)
Deploy DNS Zone Group for Key Vault Private Endpoint /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-dnszonegroup-for-keyvault-privateendpoint Network Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Private DNS Zone Contributor 0 0
Deploy DNS Zone Group for SQL Private Endpoint /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-dnszonegroup-for-sql-privateendpoint Network Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Private DNS Zone Contributor 0 0
Deploy DNS Zone Group for Storage-Blob Private Endpoint /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-dnszonegroup-for-table-privateendpoint Network Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Private DNS Zone Contributor 0 0
Deploy DNS Zone Group for Storage-File Private Endpoint /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-dnszonegroup-for-file-privateendpoint Network Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Private DNS Zone Contributor 0 0
Deploy DNS Zone Group for Storage-Queue Private Endpoint /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-dnszonegroup-for-queue-privateendpoint Network Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Private DNS Zone Contributor 0 0
Deploy DNS Zone Group for Storage-Blob Private Endpoint /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-dnszonegroup-for-blob-privateendpoint Network Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Private DNS Zone Contributor 0 0
Deploy spoke network with configuration to hub network based on ipam configuration object /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-vnet Network Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Network Contributor 0 0
Deploy SQL database auditing settings /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-sql-auditingsettings SQL Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled SQL Security Manager 0 1 (Deploy SQL Database built-in SQL security configuration (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-sql-security)
Deploy SQL Database security Alert Policies configuration with email admin accounts /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-sql-securityalertpolicies SQL Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled SQL Security Manager 0 1 (Deploy SQL Database built-in SQL security configuration (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-sql-security)
Deploy SQL Database Transparent Data Encryption /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-sql-tde SQL Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled SQL Security Manager 0 1 (Deploy SQL Database built-in SQL security configuration (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-sql-security)
Deploy SQL Database vulnerability Assessments /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-sql-vulnerabilityassessments SQL Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled SQL Security Manager, Monitoring Contributor 0 1 (Deploy SQL Database built-in SQL security configuration (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-sql-security)
Deploy the configurations to the Log Analytics in the subscription /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-la-config Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 0
Deploy the Log Analytics in the subscription /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-log-analytics Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 1 (/providers/microsoft.management/managementgroups/esjh-management/providers/microsoft.authorization/policyassignments/deploy-log-analytics) 0
Deploy the Virtual WAN in the specific region /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-vwan Network Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Network Contributor 0 0
Deploy Virtual Hub network with Virtual Wan and Gateway and Firewall configured. /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-vhub Network Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Network Contributor 0 0
Deploy Virtual Network to be used as hub virtual network in desired region /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-hub Network Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Network Contributor 0 0
Deploy Windows Domain Join Extension with keyvault configuration /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-windows-domainjoin Guest Configuration Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Virtual Machine Contributor 0 0
Deploys NSG flow logs and traffic analytics /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-nsg-flowlogs Monitoring Default: DeployIfNotExists; Allowed: DeployIfNotExists,Disabled Monitoring Contributor, Log Analytics Contributor 0 0
Deploys virtual network peering to hub /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-vnet-hubspoke Network Fixed: deployIfNotExists Contributor 0 0
KeyVault SoftDelete should be enabled /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/append-kv-softdelete Key Vault Fixed: append n/a 0 0
No child resources in Automation Account /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-aa-child-resources Automation Default: Deny; Allowed: Audit,Deny,Disabled n/a 0 0
Public network access on AKS API should be disabled /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-publicendpoint-aks Kubernetes Default: Deny; Allowed: Audit,Deny,Disabled n/a 0 1 (Public network access should be disabled for PAAS services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deny-publicendpoints)
Public network access on Azure SQL Database should be disabled /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-publicendpoint-sql SQL Default: Deny; Allowed: Audit,Deny,Disabled n/a 0 1 (Public network access should be disabled for PAAS services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deny-publicendpoints)
Public network access onStorage accounts should be disabled /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-publicendpoint-storage Storage Default: Deny; Allowed: Audit,Deny,Disabled n/a 0 1 (Public network access should be disabled for PAAS services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deny-publicendpoints)
Public network access should be disabled for CosmosDB /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-publicendpoint-cosmosdb SQL Default: Deny; Allowed: Audit,Deny,Disabled n/a 0 1 (Public network access should be disabled for PAAS services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deny-publicendpoints)
Public network access should be disabled for KeyVault /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-publicendpoint-keyvault Key Vault Default: Deny; Allowed: Audit,Deny,Disabled n/a 0 1 (Public network access should be disabled for PAAS services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deny-publicendpoints)
Public network access should be disabled for MariaDB /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-publicendpoint-mariadb SQL Default: Deny; Allowed: Audit,Deny,Disabled n/a 0 1 (Public network access should be disabled for PAAS services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deny-publicendpoints)
Public network access should be disabled for MySQL /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-publicendpoint-mysql SQL Default: Deny; Allowed: Audit,Deny,Disabled n/a 0 1 (Public network access should be disabled for PAAS services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deny-publicendpoints)
Public network access should be disabled for PostgreSql /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-publicendpoint-postgresql SQL Default: Deny; Allowed: Audit,Deny,Disabled n/a 0 1 (Public network access should be disabled for PAAS services (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deny-publicendpoints)
RDP access from the Internet should be blocked /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-rdp-from-internet Network Default: Deny; Allowed: Audit,Deny,Disabled n/a 1 (/providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-rdp-from-internet) 0
Subnets should have a Network Security Group /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-subnet-without-nsg Network Default: Deny; Allowed: Audit,Deny,Disabled n/a 1 (/providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-subnet-without-nsg) 0
PolicySet DisplayName PolicySetId Category Unique assignments Policies Used
Deploy Diagnostic Settings to Azure Services /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics Monitoring 1 (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag) 55 (Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-analysisservice), Deploy Diagnostic Settings for API Management to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-apimgmt), Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-webserverfarm), Deploy Diagnostic Settings for App Service to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-website), Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-applicationgateway), Deploy Diagnostic Settings for Automation to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-aa), Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-datalakestore), Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace 
(/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-function), Deploy Diagnostic Settings for Batch to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-batch), Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-cdnendpoints), Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-cognitiveservices), Deploy Diagnostic Settings for Container Instances to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-aci), Deploy Diagnostic Settings for Container Registry to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-acr), Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-cosmosdb), Deploy Diagnostic Settings for Data Factory to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-datafactory), Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-dlanalytics), Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace 
(/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-mysql), Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-postgresql), Deploy Diagnostic Settings for Databricks to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-databricks), Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-eventgridsub), Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-eventgridsystemtopic), Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-eventgridtopic), Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-eventhub), Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-expressroute), Deploy Diagnostic Settings for Firewall to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-firewall), Deploy Diagnostic Settings for Front Door to Log Analytics workspace 
(/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-frontdoor), Deploy Diagnostic Settings for HDInsight to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-hdinsight), Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-iothub), Deploy Diagnostic Settings for Key Vault to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-keyvault), Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-aks), Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-loadbalancer), Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-logicappsise), Deploy Diagnostic Settings for Logic Apps Workflow runtime to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-logicappswf), Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-mlworkspace), Deploy Diagnostic Settings for MariaDB to Log Analytics workspace 
(/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-mariadb), Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-nic), Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-networksecuritygroups), Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-powerbiembedded), Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-publicip), Deploy Diagnostic Settings for Recovery Services vaults to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-recoveryvault), Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-rediscache), Deploy Diagnostic Settings for Relay to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-relay), Deploy Diagnostic Settings for Search Services to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-searchservices), Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace 
(/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-servicebus), Deploy Diagnostic Settings for SignalR to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-signalr), Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-sqldbs), Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-sqlelasticpools), Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-sqlmi), Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-streamanalytics), Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-timeseriesinsights), Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-trafficmanager), Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-vmss), Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace 
(/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-vm), Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-virtualnetwork), Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-vnetgw))
Deploy SQL Database built-in SQL security configuration /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-sql-security SQL 0 4 (Deploy SQL database auditing settings (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-sql-auditingsettings), Deploy SQL Database security Alert Policies configuration with email admin accounts (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-sql-securityalertpolicies), Deploy SQL Database Transparent Data Encryption (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-sql-tde), Deploy SQL Database vulnerability Assessments (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-sql-vulnerabilityassessments))
Public network access should be disabled for PAAS services /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deny-publicendpoints Network 0 8 (Public network access on AKS API should be disabled (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-publicendpoint-aks), Public network access on Azure SQL Database should be disabled (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-publicendpoint-sql), Public network access onStorage accounts should be disabled (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-publicendpoint-storage), Public network access should be disabled for CosmosDB (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-publicendpoint-cosmosdb), Public network access should be disabled for KeyVault (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-publicendpoint-keyvault), Public network access should be disabled for MariaDB (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-publicendpoint-mariadb), Public network access should be disabled for MySQL (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-publicendpoint-mysql), Public network access should be disabled for PostgreSql (/providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-publicendpoint-postgresql))

0 Blueprints scoped

Scope Role RoleId Role Type Data Identity Displayname Identity SignInName Identity ObjectId Identity Type Applicability Applies through membership Group Details Role AssignmentId Related Policy Assignment CreatedOn CreatedBy
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false AzOps n/a c295384a-33d9-475e-abaf-d2fb0274299a SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/30e36b53-bc6c-412b-a026-96fe7527e27b none 2021-07-06 12:42:21 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/eda95ae6-8581-4558-b3b9-b3cd05cce33d none 2021-06-16 13:58:06 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false azgovvizwwcsecurity n/a e261446e-77d2-4cf5-a32a-0fbef8ee1333 SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/d7973c31-e58a-4af7-bbcb-a4bac69ba141 none 2021-04-27 16:53:54 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false Jack Dalton JackDalton@AzGovViz.onmicrosoft.com c64d2776-a210-428f-b54f-a4a5dd7f8ef8 User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/2df03e9d-a1e3-41f5-a95e-efb2b4641f04 none 2021-07-19 19:38:25 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited Tenant User Access Administrator 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Authorization/roleAssignments/0c3ffd6f-942d-433d-8abd-2d0d7f4383e1 none 2021-01-10 20:27:23 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited Tenant Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Authorization/roleAssignments/6c236776-529f-4132-b034-e399e1cd1a99 none 2021-01-10 20:51:02 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-ASC-Security n/a 4cb4c797-237b-4e64-b2cf-66f841700442 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/538e5329-7b5d-511f-8c05-9c7c32dab0bf /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-security (Deploy Azure Defender settings in Azure Security Center.) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-AzActivity-Log n/a 1691aa06-da2e-43f0-98f9-af12494603a9 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/e5ac6b58-4f31-5956-9082-78d97ba2453e /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-azactivity-log (Deploy Diagnostic Settings for Activity Log to Log Analytics workspace) 2021-01-10 21:00:49 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-LX-Arc-Monitoring n/a 9ed01b2b-9311-41a8-8897-0a329047be49 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/ddc0ff3c-a3d0-5d5b-ba19-116b6572acbf /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-lx-arc-monitoring (Configure Log Analytics agent on Azure Arc enabled Linux servers) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-Resource-Diag n/a e51576ad-748d-462b-9d70-cb3b03e6c2e6 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/45afca7b-a696-5947-a47f-960081dd1dbc /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy Diagnostic Settings to Azure Services) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VM-Monitoring n/a 065dde0b-5eab-4fce-80ee-ec956e94c498 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/5d92332d-fe07-5cef-9c6b-33e5025d6374 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vm-monitoring (Enable Azure Monitor for VMs) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VMSS-Monitoring n/a a3a4908f-b068-455e-a3f5-38cc5e00448f SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/2d361fa3-7bd4-5234-9b12-1f54afa65870 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vmss-monitoring (Enable Azure Monitor for Virtual Machine Scale Sets) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-WS-Arc-Monitoring n/a b0bdcb08-09c9-4d9d-957e-963d255e7220 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/38abf737-131b-52a2-90da-78943675bfed /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-ws-arc-monitoring (Configure Log Analytics agent on Azure Arc enabled Windows servers) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/f8d8ca86-6fdf-4ad5-b801-5e1b3eba3171 none 2021-01-10 20:55:50 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)

0 Subscriptions linked

Management Group Name: ESJH-decommissioned

Management Group Id: ESJH-decommissioned

Management Group Path: 896470ca-9c6e-4176-9b38-5a655403c638/ESJH/ESJH-decommissioned

0 ManagementGroups below this scope

0 Subscriptions below this scope

No Management Group Diagnostic settings

No Consumption data available for Subscriptions under this ManagementGroup

0 ResourceTypes (all Subscriptions below this scope)

0 ResourceTypes Diagnostics capable (all Subscriptions below this scope)

Inheritance ScopeExcluded Exemption applies Policy DisplayName PolicyId Type Category Effect Parameters Enforcement NonCompliance Message Policies NonCmplnt Policies Compliant Resources NonCmplnt Resources Compliant Resources Conflicting Role/Assignment Assignment DisplayName AssignmentId AssignedBy CreatedOn CreatedBy UpdatedOn UpdatedBy
inherited ESJH false false Deploy Azure Defender settings in Azure Security Center. /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-asc-standard Custom Security Center DeployIfNotExists pricingTierAppServices=Standard, pricingTierArm=Standard, pricingTierContainerRegistry=Standard, pricingTierDns=Standard, pricingTierKeyVaults=Standard, pricingTierKubernetesService=Standard, pricingTierSqlServers=Standard, pricingTierStorageAccounts=Standard, pricingTierVms=Standard Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/538e5329-7b5d-511f-8c05-9c7c32dab0bf) Deploy-ASC-Defender /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-security n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false false Deploy Diagnostic Settings for Activity Log to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-activitylog Custom Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466, logsEnabled=True Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/e5ac6b58-4f31-5956-9082-78d97ba2453e) Deploy-AzActivity-Log /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-azactivity-log n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false false Configure Log Analytics agent on Azure Arc enabled Linux servers /providers/microsoft.authorization/policydefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf BuiltIn Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/ddc0ff3c-a3d0-5d5b-ba19-116b6572acbf) Deploy-Linux-Arc-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-lx-arc-monitoring n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false false Configure Log Analytics agent on Azure Arc enabled Windows servers /providers/microsoft.authorization/policydefinitions/69af7d4a-7b18-4044-93a9-2651498ef203 BuiltIn Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/38abf737-131b-52a2-90da-78943675bfed) Deploy-Windows-Arc-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-ws-arc-monitoring n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Inheritance ScopeExcluded PolicySet DisplayName PolicySetId Type Category Parameters Enforcement NonCompliance Message Policies NonCmplnt Policies Compliant Resources NonCmplnt Resources Compliant Resources Conflicting Role/Assignment Assignment DisplayName AssignmentId AssignedBy CreatedOn CreatedBy UpdatedOn UpdatedBy
inherited ESJH false Azure Security Benchmark /providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 BuiltIn Security Center Default 0 0 0 0 0 none ASC-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-monitoring n/a 2021-01-10 21:00:45 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false Deploy Diagnostic Settings to Azure Services /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics Custom Monitoring logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/45afca7b-a696-5947-a47f-960081dd1dbc) Deploy-Resource-Diag /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false Enable Azure Monitor for VMs /providers/microsoft.authorization/policysetdefinitions/55f3eceb-5573-4f18-9695-226972c6d74a BuiltIn Monitoring logAnalytics_1=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/5d92332d-fe07-5cef-9c6b-33e5025d6374) Deploy-VM-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vm-monitoring n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149 2021-07-09 16:04:52 ObjectType: SP App INT , ObjectDisplayName: AzOps, ObjectSignInName: n/a, ObjectId: c295384a-33d9-475e-abaf-d2fb0274299a
inherited ESJH false Enable Azure Monitor for Virtual Machine Scale Sets /providers/microsoft.authorization/policysetdefinitions/75714362-cae7-409e-9b99-a8e5075b7fad BuiltIn Monitoring logAnalytics_1=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/2d361fa3-7bd4-5234-9b12-1f54afa65870) Deploy-VMSS-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vmss-monitoring n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149

Policy Assignment Limit: 0/200

0 Custom Policy definitions scoped

0 Custom PolicySet definitions scoped

0 Blueprints scoped

Scope Role RoleId Role Type Data Identity Displayname Identity SignInName Identity ObjectId Identity Type Applicability Applies through membership Group Details Role AssignmentId Related Policy Assignment CreatedOn CreatedBy
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false AzOps n/a c295384a-33d9-475e-abaf-d2fb0274299a SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/30e36b53-bc6c-412b-a026-96fe7527e27b none 2021-07-06 12:42:21 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/eda95ae6-8581-4558-b3b9-b3cd05cce33d none 2021-06-16 13:58:06 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false azgovvizwwcsecurity n/a e261446e-77d2-4cf5-a32a-0fbef8ee1333 SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/d7973c31-e58a-4af7-bbcb-a4bac69ba141 none 2021-04-27 16:53:54 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false Jack Dalton JackDalton@AzGovViz.onmicrosoft.com c64d2776-a210-428f-b54f-a4a5dd7f8ef8 User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/2df03e9d-a1e3-41f5-a95e-efb2b4641f04 none 2021-07-19 19:38:25 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-ASC-Security n/a 4cb4c797-237b-4e64-b2cf-66f841700442 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/538e5329-7b5d-511f-8c05-9c7c32dab0bf /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-security (Deploy Azure Defender settings in Azure Security Center.) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-AzActivity-Log n/a 1691aa06-da2e-43f0-98f9-af12494603a9 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/e5ac6b58-4f31-5956-9082-78d97ba2453e /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-azactivity-log (Deploy Diagnostic Settings for Activity Log to Log Analytics workspace) 2021-01-10 21:00:49 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-LX-Arc-Monitoring n/a 9ed01b2b-9311-41a8-8897-0a329047be49 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/ddc0ff3c-a3d0-5d5b-ba19-116b6572acbf /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-lx-arc-monitoring (Configure Log Analytics agent on Azure Arc enabled Linux servers) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-Resource-Diag n/a e51576ad-748d-462b-9d70-cb3b03e6c2e6 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/45afca7b-a696-5947-a47f-960081dd1dbc /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy Diagnostic Settings to Azure Services) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VM-Monitoring n/a 065dde0b-5eab-4fce-80ee-ec956e94c498 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/5d92332d-fe07-5cef-9c6b-33e5025d6374 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vm-monitoring (Enable Azure Monitor for VMs) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VMSS-Monitoring n/a a3a4908f-b068-455e-a3f5-38cc5e00448f SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/2d361fa3-7bd4-5234-9b12-1f54afa65870 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vmss-monitoring (Enable Azure Monitor for Virtual Machine Scale Sets) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-WS-Arc-Monitoring n/a b0bdcb08-09c9-4d9d-957e-963d255e7220 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/38abf737-131b-52a2-90da-78943675bfed /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-ws-arc-monitoring (Configure Log Analytics agent on Azure Arc enabled Windows servers) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/f8d8ca86-6fdf-4ad5-b801-5e1b3eba3171 none 2021-01-10 20:55:50 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
inherited Tenant User Access Administrator 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Authorization/roleAssignments/0c3ffd6f-942d-433d-8abd-2d0d7f4383e1 none 2021-01-10 20:27:23 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited Tenant Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Authorization/roleAssignments/6c236776-529f-4132-b034-e399e1cd1a99 none 2021-01-10 20:51:02 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
thisScope MG Security Reader 39bc4728-0917-49c7-9d2c-d95423bc2eb4 Builtin false Jesse James Jesse.James@AzGovViz.onmicrosoft.com 6f71f3b7-98e1-4821-8116-13b41476ef84 User Member direct /providers/Microsoft.Management/managementGroups/ESJH-decommissioned/providers/Microsoft.Authorization/roleAssignments/9bdf3098-8e69-4e98-bd8c-22b991783b10 none 2021-06-16 09:52:59 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH-decommissioned/providers/Microsoft.Authorization/roleAssignments/81bb9ace-a96d-47ab-b9a2-8952e655aa0c none 2021-01-10 20:56:27 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)

0 Subscriptions linked

Management Group Name: ESJH-landingzones

Management Group Id: ESJH-landingzones

Management Group Path: 896470ca-9c6e-4176-9b38-5a655403c638/ESJH/ESJH-landingzones

1 ManagementGroups below this scope

1 Subscriptions below this scope

No Management Group Diagnostic settings

ChargeType | ResourceType | Category | ResourceCount | Cost (1d) | Currency | Subscriptions
usage | arm | advanced threat protection | 1 | 0.0011097828 | EUR | 1
usage | microsoft.storage | advanced threat protection | 2 | 0.0000134928 | EUR | 1
usage | microsoft.storage | storage | 2 | 0.000015601968 | EUR | 1

ResourceType | Location | Count
microsoft.keyvault/vaults | westeurope | 1
microsoft.managedidentity/userassignedidentities | westeurope | 1
microsoft.network/networksecuritygroups | westeurope | 2
microsoft.network/networkwatchers | westeurope | 1
microsoft.network/virtualnetworks | westeurope | 1
microsoft.storage/storageaccounts | northeurope | 1
microsoft.storage/storageaccounts | westeurope | 1

ResourceType | Resource Count | Diagnostics capable | Metrics | Logs | LogCategories
microsoft.keyvault/vaults | 1 | True | True | True | AuditEvent
microsoft.managedidentity/userassignedidentities | 1 | False | False | False |
microsoft.network/networksecuritygroups | 2 | True | False | True | NetworkSecurityGroupEvent, NetworkSecurityGroupRuleCounter
microsoft.network/networkwatchers | 1 | False | False | False |
microsoft.network/virtualnetworks | 1 | True | True | True | VMProtectionAlerts
microsoft.storage/storageaccounts | 2 | True | True | False |

Inheritance ScopeExcluded Exemption applies Policy DisplayName PolicyId Type Category Effect Parameters Enforcement NonCompliance Message Policies NonCmplnt Policies Compliant Resources NonCmplnt Resources Compliant Resources Conflicting Role/Assignment Assignment DisplayName AssignmentId AssignedBy CreatedOn CreatedBy UpdatedOn UpdatedBy
thisScope Mg false false Network interfaces should disable IP forwarding /providers/microsoft.authorization/policydefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900 BuiltIn Network deny Default 0 0 0 0 0 none Deny-IP-Forwarding /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-ip-forwarding n/a 2021-01-10 20:58:32 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
thisScope Mg false false Kubernetes clusters should not allow container privilege escalation /providers/microsoft.authorization/policydefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 BuiltIn Kubernetes deny effect=deny Default 0 0 0 0 0 none Deny-Privileged-Escalations-AKS /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-priv-esc-aks n/a 2021-01-10 20:58:33 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
thisScope Mg false false Kubernetes cluster should not allow privileged containers /providers/microsoft.authorization/policydefinitions/95edb821-ddaf-4404-9732-666045e056b4 BuiltIn Kubernetes deny effect=deny Default 0 0 0 0 0 none Deny-Privileged-Containers-AKS /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-privileged-aks n/a 2021-01-10 20:58:33 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
thisScope Mg false false RDP access from the Internet should be blocked /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-rdp-from-internet Custom Network Deny Default 0 0 0 0 0 none Deny-RDP-from-Internet /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-rdp-from-internet n/a 2021-01-10 20:58:32 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
thisScope Mg false false Secure transfer to storage accounts should be enabled /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 BuiltIn Storage Audit Default 0 0 0 0 0 none Enforce-Secure-Storage /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-storage-http n/a 2021-01-10 20:58:32 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149 2021-01-25 22:26:59 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
thisScope Mg false false Subnets should have a Network Security Group /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-subnet-without-nsg Custom Network Deny Default 1 0 1 0 0 none Deny-Subnet-Without-Nsg /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-subnet-without-nsg n/a 2021-01-10 20:58:32 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
thisScope Mg false false Deploy Azure Policy Add-on to Azure Kubernetes Service clusters /providers/microsoft.authorization/policydefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7 BuiltIn Kubernetes deployIfNotExists Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/4f80e55d-446d-5743-a173-5d189d196345) Deploy-AKS-Policy /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deploy-aks-policy n/a 2021-01-10 20:58:37 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
thisScope Mg false false Auditing on SQL server should be enabled /providers/microsoft.authorization/policydefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9 BuiltIn SQL AuditIfNotExists Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/8085d5e6-c291-571e-bd96-a2eb4769f9e6) Deploy-SQL-Audit /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deploy-sql-db-auditing n/a 2021-01-10 20:58:36 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
thisScope Mg false false Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy /providers/microsoft.authorization/policydefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 BuiltIn Backup deployIfNotExists Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/70486d4a-1ee2-5f70-bb58-b3bd79840ae5) Deploy-VM-Backup /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deploy-vm-backup n/a 2021-01-10 20:58:34 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
thisScope Mg false false Kubernetes clusters should be accessible only over HTTPS /providers/microsoft.authorization/policydefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d BuiltIn Kubernetes deny effect=deny Default 0 0 0 0 0 none Enforce-Https-Ingress-AKS /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/enforce-aks-https n/a 2021-01-10 20:58:33 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
thisScope Mg false false Deploy SQL DB transparent data encryption /providers/microsoft.authorization/policydefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f BuiltIn SQL DeployIfNotExists Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/3df334e6-61c3-543a-b548-97586caf6d4f) Deploy-SQL-Security /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/enforce-sql-encryption n/a 2021-01-10 20:58:33 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false false Deploy Azure Defender settings in Azure Security Center. /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-asc-standard Custom Security Center DeployIfNotExists pricingTierAppServices=Standard, pricingTierArm=Standard, pricingTierContainerRegistry=Standard, pricingTierDns=Standard, pricingTierKeyVaults=Standard, pricingTierKubernetesService=Standard, pricingTierSqlServers=Standard, pricingTierStorageAccounts=Standard, pricingTierVms=Standard Default 0 1 0 1 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/538e5329-7b5d-511f-8c05-9c7c32dab0bf) Deploy-ASC-Defender /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-security n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false false Deploy Diagnostic Settings for Activity Log to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-activitylog Custom Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466, logsEnabled=True Default 0 1 0 1 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/e5ac6b58-4f31-5956-9082-78d97ba2453e) Deploy-AzActivity-Log /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-azactivity-log n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false false Configure Log Analytics agent on Azure Arc enabled Linux servers /providers/microsoft.authorization/policydefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf BuiltIn Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/ddc0ff3c-a3d0-5d5b-ba19-116b6572acbf) Deploy-Linux-Arc-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-lx-arc-monitoring n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false false Configure Log Analytics agent on Azure Arc enabled Windows servers /providers/microsoft.authorization/policydefinitions/69af7d4a-7b18-4044-93a9-2651498ef203 BuiltIn Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/38abf737-131b-52a2-90da-78943675bfed) Deploy-Windows-Arc-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-ws-arc-monitoring n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Inheritance ScopeExcluded PolicySet DisplayName PolicySetId Type Category Parameters Enforcement NonCompliance Message Policies NonCmplnt Policies Compliant Resources NonCmplnt Resources Compliant Resources Conflicting Role/Assignment Assignment DisplayName AssignmentId AssignedBy CreatedOn CreatedBy UpdatedOn UpdatedBy
inherited ESJH false Azure Security Benchmark /providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 BuiltIn Security Center Default 21 17 8 0 0 none ASC-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-monitoring n/a 2021-01-10 21:00:45 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false Deploy Diagnostic Settings to Azure Services /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics Custom Monitoring logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 3 0 4 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/45afca7b-a696-5947-a47f-960081dd1dbc) Deploy-Resource-Diag /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false Enable Azure Monitor for VMs /providers/microsoft.authorization/policysetdefinitions/55f3eceb-5573-4f18-9695-226972c6d74a BuiltIn Monitoring logAnalytics_1=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/5d92332d-fe07-5cef-9c6b-33e5025d6374) Deploy-VM-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vm-monitoring n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149 2021-07-09 16:04:52 ObjectType: SP App INT , ObjectDisplayName: AzOps, ObjectSignInName: n/a, ObjectId: c295384a-33d9-475e-abaf-d2fb0274299a
inherited ESJH false Enable Azure Monitor for Virtual Machine Scale Sets /providers/microsoft.authorization/policysetdefinitions/75714362-cae7-409e-9b99-a8e5075b7fad BuiltIn Monitoring logAnalytics_1=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/2d361fa3-7bd4-5234-9b12-1f54afa65870) Deploy-VMSS-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vmss-monitoring n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149

Policy Assignment Limit: 11/200

0 Custom Policy definitions scoped

0 Custom PolicySet definitions scoped

0 Blueprints scoped

Scope Role RoleId Role Type Data Identity Displayname Identity SignInName Identity ObjectId Identity Type Applicability Applies through membership Group Details Role AssignmentId Related Policy Assignment CreatedOn CreatedBy
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false AzOps n/a c295384a-33d9-475e-abaf-d2fb0274299a SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/30e36b53-bc6c-412b-a026-96fe7527e27b none 2021-07-06 12:42:21 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/eda95ae6-8581-4558-b3b9-b3cd05cce33d none 2021-06-16 13:58:06 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false azgovvizwwcsecurity n/a e261446e-77d2-4cf5-a32a-0fbef8ee1333 SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/d7973c31-e58a-4af7-bbcb-a4bac69ba141 none 2021-04-27 16:53:54 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false Jack Dalton JackDalton@AzGovViz.onmicrosoft.com c64d2776-a210-428f-b54f-a4a5dd7f8ef8 User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/2df03e9d-a1e3-41f5-a95e-efb2b4641f04 none 2021-07-19 19:38:25 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-ASC-Security n/a 4cb4c797-237b-4e64-b2cf-66f841700442 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/538e5329-7b5d-511f-8c05-9c7c32dab0bf /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-security (Deploy Azure Defender settings in Azure Security Center.) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-AzActivity-Log n/a 1691aa06-da2e-43f0-98f9-af12494603a9 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/e5ac6b58-4f31-5956-9082-78d97ba2453e /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-azactivity-log (Deploy Diagnostic Settings for Activity Log to Log Analytics workspace) 2021-01-10 21:00:49 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-LX-Arc-Monitoring n/a 9ed01b2b-9311-41a8-8897-0a329047be49 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/ddc0ff3c-a3d0-5d5b-ba19-116b6572acbf /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-lx-arc-monitoring (Configure Log Analytics agent on Azure Arc enabled Linux servers) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-Resource-Diag n/a e51576ad-748d-462b-9d70-cb3b03e6c2e6 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/45afca7b-a696-5947-a47f-960081dd1dbc /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy Diagnostic Settings to Azure Services) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VM-Monitoring n/a 065dde0b-5eab-4fce-80ee-ec956e94c498 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/5d92332d-fe07-5cef-9c6b-33e5025d6374 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vm-monitoring (Enable Azure Monitor for VMs) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VMSS-Monitoring n/a a3a4908f-b068-455e-a3f5-38cc5e00448f SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/2d361fa3-7bd4-5234-9b12-1f54afa65870 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vmss-monitoring (Enable Azure Monitor for Virtual Machine Scale Sets) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-WS-Arc-Monitoring n/a b0bdcb08-09c9-4d9d-957e-963d255e7220 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/38abf737-131b-52a2-90da-78943675bfed /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-ws-arc-monitoring (Configure Log Analytics agent on Azure Arc enabled Windows servers) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/f8d8ca86-6fdf-4ad5-b801-5e1b3eba3171 none 2021-01-10 20:55:50 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
inherited Tenant User Access Administrator 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Authorization/roleAssignments/0c3ffd6f-942d-433d-8abd-2d0d7f4383e1 none 2021-01-10 20:27:23 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited Tenant Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Authorization/roleAssignments/6c236776-529f-4132-b034-e399e1cd1a99 none 2021-01-10 20:51:02 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-AKS-Policy n/a fb0a7498-393f-434d-aa93-2acd144f489f SP MI direct /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/4f80e55d-446d-5743-a173-5d189d196345 /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deploy-aks-policy (Deploy Azure Policy Add-on to Azure Kubernetes Service clusters) 2021-01-10 20:58:39 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-SQL-DB-Auditing n/a 4f3a2551-ea2f-43c6-9623-8950156d19b7 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/8085d5e6-c291-571e-bd96-a2eb4769f9e6 /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deploy-sql-db-auditing (Auditing on SQL server should be enabled) 2021-01-10 20:58:39 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VM-Backup n/a e2511ca5-bcb3-4dbd-9d91-c18590c2a9d2 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/70486d4a-1ee2-5f70-bb58-b3bd79840ae5 /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deploy-vm-backup (Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy) 2021-01-10 20:58:36 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Enforce-SQL-Encryption n/a 34520a11-7b14-46a8-ac34-7d766959460a SP MI direct /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/3df334e6-61c3-543a-b548-97586caf6d4f /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/enforce-sql-encryption (Deploy SQL DB transparent data encryption) 2021-01-10 20:58:36 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/093ad67e-4eae-4536-aa0b-da4e09b47d88 none 2021-01-10 20:56:27 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
thisScope MG Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false 3rdPartyStaff n/a cb036073-f86b-46e1-9726-1eaccb62a678 Group direct 1 (Usr: 1, Grp: 0, SP: 0) /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/3b6291a1-fc61-41d8-abff-43d04e35be62 none 2021-01-25 22:02:49 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
thisScope MG Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false Calamity Jane Calamity_Jane_AzGovViz.net#EXT#@AzGovViz.onmicrosoft.com 43b0f5e7-cb78-4e1a-b3da-1239647dfb74 User Guest indirect 3rdPartyStaff (cb036073-f86b-46e1-9726-1eaccb62a678) 1 (Usr: 1, Grp: 0, SP: 0) /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/3b6291a1-fc61-41d8-abff-43d04e35be62 none 2021-01-25 22:02:49 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a

0 Subscriptions linked

Default Management Group

Management Group Name: ESJH-online

Management Group Id: ESJH-online

Management Group Path: 896470ca-9c6e-4176-9b38-5a655403c638/ESJH/ESJH-landingzones/ESJH-online

0 ManagementGroups below this scope

1 Subscriptions below this scope

No Management Group Diagnostic settings

ChargeType ResourceType Category ResourceCount Cost (1d) Currency Subscriptions
usage arm advanced threat protection 1 0.0011097828 EUR 1
usage microsoft.storage advanced threat protection 2 0.0000134928 EUR 1
usage microsoft.storage storage 2 0.000015601968 EUR 1
ResourceType Location Count
microsoft.keyvault/vaults westeurope 1
microsoft.managedidentity/userassignedidentities westeurope 1
microsoft.network/networksecuritygroups westeurope 2
microsoft.network/networkwatchers westeurope 1
microsoft.network/virtualnetworks westeurope 1
microsoft.storage/storageaccounts northeurope 1
microsoft.storage/storageaccounts westeurope 1
ResourceType Resource Count Diagnostics capable Metrics Logs LogCategories
microsoft.keyvault/vaults 1 True True True AuditEvent
microsoft.managedidentity/userassignedidentities 1 False False False
microsoft.network/networksecuritygroups 2 True False True NetworkSecurityGroupEvent, NetworkSecurityGroupRuleCounter
microsoft.network/networkwatchers 1 False False False
microsoft.network/virtualnetworks 1 True True True VMProtectionAlerts
microsoft.storage/storageaccounts 2 True True False
Inheritance ScopeExcluded Exemption applies Policy DisplayName PolicyId Type Category Effect Parameters Enforcement NonCompliance Message Policies NonCmplnt Policies Compliant Resources NonCmplnt Resources Compliant Resources Conflicting Role/Assignment Assignment DisplayName AssignmentId AssignedBy CreatedOn CreatedBy UpdatedOn UpdatedBy
inherited ESJH-landingzones false false Network interfaces should disable IP forwarding /providers/microsoft.authorization/policydefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900 BuiltIn Network deny Default 0 0 0 0 0 none Deny-IP-Forwarding /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-ip-forwarding n/a 2021-01-10 20:58:32 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH-landingzones false false Kubernetes clusters should not allow container privilege escalation /providers/microsoft.authorization/policydefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 BuiltIn Kubernetes deny effect=deny Default 0 0 0 0 0 none Deny-Privileged-Escalations-AKS /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-priv-esc-aks n/a 2021-01-10 20:58:33 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH-landingzones false false Kubernetes cluster should not allow privileged containers /providers/microsoft.authorization/policydefinitions/95edb821-ddaf-4404-9732-666045e056b4 BuiltIn Kubernetes deny effect=deny Default 0 0 0 0 0 none Deny-Privileged-Containers-AKS /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-privileged-aks n/a 2021-01-10 20:58:33 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH-landingzones false false RDP access from the Internet should be blocked /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-rdp-from-internet Custom Network Deny Default 0 0 0 0 0 none Deny-RDP-from-Internet /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-rdp-from-internet n/a 2021-01-10 20:58:32 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH-landingzones false false Secure transfer to storage accounts should be enabled /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 BuiltIn Storage Audit Default 0 0 0 0 0 none Enforce-Secure-Storage /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-storage-http n/a 2021-01-10 20:58:32 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149 2021-01-25 22:26:59 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH-landingzones false false Subnets should have a Network Security Group /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-subnet-without-nsg Custom Network Deny Default 1 0 1 0 0 none Deny-Subnet-Without-Nsg /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-subnet-without-nsg n/a 2021-01-10 20:58:32 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH-landingzones false false Deploy Azure Policy Add-on to Azure Kubernetes Service clusters /providers/microsoft.authorization/policydefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7 BuiltIn Kubernetes deployIfNotExists Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/4f80e55d-446d-5743-a173-5d189d196345) Deploy-AKS-Policy /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deploy-aks-policy n/a 2021-01-10 20:58:37 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH-landingzones false false Auditing on SQL server should be enabled /providers/microsoft.authorization/policydefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9 BuiltIn SQL AuditIfNotExists Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/8085d5e6-c291-571e-bd96-a2eb4769f9e6) Deploy-SQL-Audit /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deploy-sql-db-auditing n/a 2021-01-10 20:58:36 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH-landingzones false false Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy /providers/microsoft.authorization/policydefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 BuiltIn Backup deployIfNotExists Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/70486d4a-1ee2-5f70-bb58-b3bd79840ae5) Deploy-VM-Backup /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deploy-vm-backup n/a 2021-01-10 20:58:34 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH-landingzones false false Kubernetes clusters should be accessible only over HTTPS /providers/microsoft.authorization/policydefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d BuiltIn Kubernetes deny effect=deny Default 0 0 0 0 0 none Enforce-Https-Ingress-AKS /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/enforce-aks-https n/a 2021-01-10 20:58:33 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH-landingzones false false Deploy SQL DB transparent data encryption /providers/microsoft.authorization/policydefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f BuiltIn SQL DeployIfNotExists Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/3df334e6-61c3-543a-b548-97586caf6d4f) Deploy-SQL-Security /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/enforce-sql-encryption n/a 2021-01-10 20:58:33 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false false Deploy Azure Defender settings in Azure Security Center. /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-asc-standard Custom Security Center DeployIfNotExists pricingTierAppServices=Standard, pricingTierArm=Standard, pricingTierContainerRegistry=Standard, pricingTierDns=Standard, pricingTierKeyVaults=Standard, pricingTierKubernetesService=Standard, pricingTierSqlServers=Standard, pricingTierStorageAccounts=Standard, pricingTierVms=Standard Default 0 1 0 1 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/538e5329-7b5d-511f-8c05-9c7c32dab0bf) Deploy-ASC-Defender /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-security n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false false Deploy Diagnostic Settings for Activity Log to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-activitylog Custom Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466, logsEnabled=True Default 0 1 0 1 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/e5ac6b58-4f31-5956-9082-78d97ba2453e) Deploy-AzActivity-Log /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-azactivity-log n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false false Configure Log Analytics agent on Azure Arc enabled Linux servers /providers/microsoft.authorization/policydefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf BuiltIn Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/ddc0ff3c-a3d0-5d5b-ba19-116b6572acbf) Deploy-Linux-Arc-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-lx-arc-monitoring n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false false Configure Log Analytics agent on Azure Arc enabled Windows servers /providers/microsoft.authorization/policydefinitions/69af7d4a-7b18-4044-93a9-2651498ef203 BuiltIn Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/38abf737-131b-52a2-90da-78943675bfed) Deploy-Windows-Arc-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-ws-arc-monitoring n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Inheritance ScopeExcluded PolicySet DisplayName PolicySetId Type Category Parameters Enforcement NonCompliance Message Policies NonCmplnt Policies Compliant Resources NonCmplnt Resources Compliant Resources Conflicting Role/Assignment Assignment DisplayName AssignmentId AssignedBy CreatedOn CreatedBy UpdatedOn UpdatedBy
inherited ESJH false Azure Security Benchmark /providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 BuiltIn Security Center Default 21 17 8 0 0 none ASC-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-monitoring n/a 2021-01-10 21:00:45 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false Deploy Diagnostic Settings to Azure Services /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics Custom Monitoring logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 3 0 4 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/45afca7b-a696-5947-a47f-960081dd1dbc) Deploy-Resource-Diag /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false Enable Azure Monitor for VMs /providers/microsoft.authorization/policysetdefinitions/55f3eceb-5573-4f18-9695-226972c6d74a BuiltIn Monitoring logAnalytics_1=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/5d92332d-fe07-5cef-9c6b-33e5025d6374) Deploy-VM-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vm-monitoring n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149 2021-07-09 16:04:52 ObjectType: SP App INT , ObjectDisplayName: AzOps, ObjectSignInName: n/a, ObjectId: c295384a-33d9-475e-abaf-d2fb0274299a
inherited ESJH false Enable Azure Monitor for Virtual Machine Scale Sets /providers/microsoft.authorization/policysetdefinitions/75714362-cae7-409e-9b99-a8e5075b7fad BuiltIn Monitoring logAnalytics_1=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/2d361fa3-7bd4-5234-9b12-1f54afa65870) Deploy-VMSS-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vmss-monitoring n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149

Policy Assignment Limit: 0/200

0 Custom Policy definitions scoped

0 Custom PolicySet definitions scoped

0 Blueprints scoped

Scope Role RoleId Role Type Data Identity Displayname Identity SignInName Identity ObjectId Identity Type Applicability Applies through membership Group Details Role AssignmentId Related Policy Assignment CreatedOn CreatedBy
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false AzOps n/a c295384a-33d9-475e-abaf-d2fb0274299a SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/30e36b53-bc6c-412b-a026-96fe7527e27b none 2021-07-06 12:42:21 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/eda95ae6-8581-4558-b3b9-b3cd05cce33d none 2021-06-16 13:58:06 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false azgovvizwwcsecurity n/a e261446e-77d2-4cf5-a32a-0fbef8ee1333 SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/d7973c31-e58a-4af7-bbcb-a4bac69ba141 none 2021-04-27 16:53:54 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false Jack Dalton JackDalton@AzGovViz.onmicrosoft.com c64d2776-a210-428f-b54f-a4a5dd7f8ef8 User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/2df03e9d-a1e3-41f5-a95e-efb2b4641f04 none 2021-07-19 19:38:25 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-ASC-Security n/a 4cb4c797-237b-4e64-b2cf-66f841700442 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/538e5329-7b5d-511f-8c05-9c7c32dab0bf /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-security (Deploy Azure Defender settings in Azure Security Center.) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-AzActivity-Log n/a 1691aa06-da2e-43f0-98f9-af12494603a9 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/e5ac6b58-4f31-5956-9082-78d97ba2453e /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-azactivity-log (Deploy Diagnostic Settings for Activity Log to Log Analytics workspace) 2021-01-10 21:00:49 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-LX-Arc-Monitoring n/a 9ed01b2b-9311-41a8-8897-0a329047be49 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/ddc0ff3c-a3d0-5d5b-ba19-116b6572acbf /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-lx-arc-monitoring (Configure Log Analytics agent on Azure Arc enabled Linux servers) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-Resource-Diag n/a e51576ad-748d-462b-9d70-cb3b03e6c2e6 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/45afca7b-a696-5947-a47f-960081dd1dbc /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy Diagnostic Settings to Azure Services) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VM-Monitoring n/a 065dde0b-5eab-4fce-80ee-ec956e94c498 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/5d92332d-fe07-5cef-9c6b-33e5025d6374 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vm-monitoring (Enable Azure Monitor for VMs) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VMSS-Monitoring n/a a3a4908f-b068-455e-a3f5-38cc5e00448f SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/2d361fa3-7bd4-5234-9b12-1f54afa65870 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vmss-monitoring (Enable Azure Monitor for Virtual Machine Scale Sets) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-WS-Arc-Monitoring n/a b0bdcb08-09c9-4d9d-957e-963d255e7220 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/38abf737-131b-52a2-90da-78943675bfed /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-ws-arc-monitoring (Configure Log Analytics agent on Azure Arc enabled Windows servers) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/f8d8ca86-6fdf-4ad5-b801-5e1b3eba3171 none 2021-01-10 20:55:50 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
inherited ESJH-landingzones Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-AKS-Policy n/a fb0a7498-393f-434d-aa93-2acd144f489f SP MI direct /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/4f80e55d-446d-5743-a173-5d189d196345 /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deploy-aks-policy (Deploy Azure Policy Add-on to Azure Kubernetes Service clusters) 2021-01-10 20:58:39 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH-landingzones Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-SQL-DB-Auditing n/a 4f3a2551-ea2f-43c6-9623-8950156d19b7 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/8085d5e6-c291-571e-bd96-a2eb4769f9e6 /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deploy-sql-db-auditing (Auditing on SQL server should be enabled) 2021-01-10 20:58:39 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH-landingzones Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VM-Backup n/a e2511ca5-bcb3-4dbd-9d91-c18590c2a9d2 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/70486d4a-1ee2-5f70-bb58-b3bd79840ae5 /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deploy-vm-backup (Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy) 2021-01-10 20:58:36 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH-landingzones Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Enforce-SQL-Encryption n/a 34520a11-7b14-46a8-ac34-7d766959460a SP MI direct /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/3df334e6-61c3-543a-b548-97586caf6d4f /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/enforce-sql-encryption (Deploy SQL DB transparent data encryption) 2021-01-10 20:58:36 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH-landingzones Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/093ad67e-4eae-4536-aa0b-da4e09b47d88 none 2021-01-10 20:56:27 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
inherited ESJH-landingzones Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false 3rdPartyStaff n/a cb036073-f86b-46e1-9726-1eaccb62a678 Group direct 1 (Usr: 1, Grp: 0, SP: 0) /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/3b6291a1-fc61-41d8-abff-43d04e35be62 none 2021-01-25 22:02:49 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited ESJH-landingzones Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false Calamity Jane Calamity_Jane_AzGovViz.net#EXT#@AzGovViz.onmicrosoft.com 43b0f5e7-cb78-4e1a-b3da-1239647dfb74 User Guest indirect 3rdPartyStaff (cb036073-f86b-46e1-9726-1eaccb62a678) 1 (Usr: 1, Grp: 0, SP: 0) /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/3b6291a1-fc61-41d8-abff-43d04e35be62 none 2021-01-25 22:02:49 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited Tenant User Access Administrator 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Authorization/roleAssignments/0c3ffd6f-942d-433d-8abd-2d0d7f4383e1 none 2021-01-10 20:27:23 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited Tenant Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Authorization/roleAssignments/6c236776-529f-4132-b034-e399e1cd1a99 none 2021-01-10 20:51:02 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH-online/providers/Microsoft.Authorization/roleAssignments/06ee6718-e394-4fcf-bbc2-cf358381ff67 none 2021-01-10 20:57:02 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
landingZone (4dfa3b56-55bf-4059-802a-24e44a4fb60f)

Subscription Name: landingZone

Subscription Id: 4dfa3b56-55bf-4059-802a-24e44a4fb60f

Subscription Path: 896470ca-9c6e-4176-9b38-5a655403c638/ESJH/ESJH-landingzones/ESJH-online/4dfa3b56-55bf-4059-802a-24e44a4fb60f

State: Enabled

QuotaId: PayAsYouGo_2014-09-01

ASC Secure Score: n/a

Diagnostic setting Target Target Id Administrative Alert Autoscale Policy Recommendation ResourceHealth Security ServiceHealth
subscriptionToLa LA /subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 true true true true true true true true
Tag Name Tag Value
costCenter 4711
existingtag blaaa
testtag testvalue5
testtag2 blub
Scope TagName Count
Resource costCenter 1
Resource existingtag 2
Resource ms-resource-usage 1
Resource Responsible 2
Resource tagKey1 2
Resource tagKey2 2
Resource testtag 1
Resource testtag2 2
Resource testtagbase 1
ResourceGroup existingtag 1
ResourceGroup Responsible 1
ResourceGroup testtag 1
ResourceGroup testtag2 1
Subscription costCenter 2
Subscription existingtag 1
Subscription testtag 1
Subscription testtag2 1
ChargeType ResourceType Category ResourceCount Cost (1d) Currency
usage arm advanced threat protection 1 0.0011097828 EUR
usage microsoft.storage advanced threat protection 2 0.0000134928 EUR
usage microsoft.storage storage 2 0.000015601968 EUR

793 Resource Groups | Limit: (793/980)

Provider State
Microsoft.Management Registered
microsoft.insights Registered
Microsoft.Security Registered
Microsoft.PolicyInsights Registered
Microsoft.Network Registered
Microsoft.Storage Registered
Microsoft.ManagedIdentity Registered
84codes.CloudAMQP Registered
Crypteron.DataSecurity Registering
Microsoft.AAD Registered
microsoft.aadiam Registered
Microsoft.Addons Registered
Microsoft.Advisor Registered
Microsoft.AgFoodPlatform Registered
Microsoft.AISupercomputer Registered
Microsoft.AlertsManagement Registered
Microsoft.AnalysisServices Registered
Microsoft.AnyBuild Registered
Microsoft.ApiManagement Registered
Microsoft.AppAssessment Registered
Microsoft.AppConfiguration Registered
Microsoft.AppPlatform Registered
Microsoft.Attestation Registered
Microsoft.Automanage Registered
Microsoft.Automation Registered
Microsoft.AutonomousDevelopmentPlatform Registered
Microsoft.AutonomousSystems Registered
Microsoft.AVS Registered
Microsoft.AzureActiveDirectory Registered
Microsoft.AzureArcData Registered
Microsoft.AzureCIS Registered
Microsoft.AzureData Registered
Microsoft.AzureSphere Registering
Microsoft.AzureStack Registered
Microsoft.AzureStackHCI Registered
Microsoft.BareMetalInfrastructure Registered
Microsoft.Batch Registered
Microsoft.Bing Registered
Microsoft.Blockchain Registered
Microsoft.BlockchainTokens Registered
Microsoft.Blueprint Registered
Microsoft.BotService Registered
Microsoft.Cache Registered
Microsoft.Capacity Registered
Microsoft.Cascade Registered
Microsoft.Cdn Registered
Microsoft.CertificateRegistration Registered
Microsoft.ChangeAnalysis Registered
Microsoft.Chaos Registered
Microsoft.ClassicCompute Registered
Microsoft.ClassicInfrastructureMigrate Registered
Microsoft.ClassicNetwork Registered
Microsoft.ClassicStorage Registered
Microsoft.Codespaces Registered
Microsoft.CognitiveServices Registered
Microsoft.Communication Registered
Microsoft.Compute Registered
Microsoft.ConfidentialLedger Registered
Microsoft.Confluent Registered
Microsoft.ConnectedCache Registered
Microsoft.ConnectedVehicle Registered
Microsoft.ConnectedVMwarevSphere Registered
Microsoft.ContainerInstance Registered
Microsoft.ContainerRegistry Registered
Microsoft.ContainerService Registered
Microsoft.CostManagementExports Registered
Microsoft.CustomerLockbox Registered
Microsoft.CustomProviders Registered
Microsoft.D365CustomerInsights Registered
Microsoft.DataBox Registered
Microsoft.DataBoxEdge Registered
Microsoft.Databricks Registered
Microsoft.DataCatalog Registered
Microsoft.DataCollaboration Registered
Microsoft.Datadog Registered
Microsoft.DataFactory Registered
Microsoft.DataLakeAnalytics Registered
Microsoft.DataLakeStore Registered
Microsoft.DataMigration Registered
Microsoft.DataProtection Registered
Microsoft.DataShare Registered
Microsoft.DBforMariaDB Registered
Microsoft.DBforMySQL Registered
Microsoft.DBforPostgreSQL Registered
Microsoft.DelegatedNetwork Registered
Microsoft.DeploymentManager Registered
Microsoft.DesktopVirtualization Registered
Microsoft.Devices Registered
Microsoft.DeviceUpdate Registered
Microsoft.DevOps Registered
Microsoft.DevTestLab Registered
Microsoft.Diagnostics Registered
Microsoft.DigitalTwins Registered
Microsoft.DocumentDB Registered
Microsoft.DomainRegistration Registered
Microsoft.Elastic Registered
Microsoft.EnterpriseKnowledgeGraph Registering
Microsoft.EventGrid Registered
Microsoft.EventHub Registered
Microsoft.Experimentation Registered
Microsoft.ExtendedLocation Registered
Microsoft.Falcon Registered
Microsoft.GuestConfiguration Registered
Microsoft.HanaOnAzure Registered
Microsoft.HardwareSecurityModules Registered
Microsoft.HDInsight Registered
Microsoft.HealthBot Registered
Microsoft.HealthcareApis Registered
Microsoft.HybridCompute Registered
Microsoft.HybridData Registered
Microsoft.HybridNetwork Registered
Microsoft.ImportExport Registered
Microsoft.IndustryDataLifecycle Registered
Microsoft.IntelligentITDigitalTwin Registered
Microsoft.IoTCentral Registered
Microsoft.IoTSecurity Registered
Microsoft.KeyVault Registered
Microsoft.Kubernetes Registered
Microsoft.KubernetesConfiguration Registered
Microsoft.Kusto Registered
Microsoft.LabServices Registered
Microsoft.Logic Registered
Microsoft.Logz Registered
Microsoft.MachineLearning Registered
Microsoft.MachineLearningServices Registered
Microsoft.Maintenance Registered
Microsoft.ManagedServices Registered
Microsoft.Maps Registered
Microsoft.Marketplace Registered
Microsoft.MarketplaceApps Registered
Microsoft.Media Registered
Microsoft.Migrate Registered
Microsoft.MixedReality Registered
Microsoft.NetApp Registered
Microsoft.NotificationHubs Registered
Microsoft.ObjectStore Registered
Microsoft.OffAzure Registered
Microsoft.OpenLogisticsPlatform Registered
Microsoft.OperationalInsights Registered
Microsoft.OperationsManagement Registered
Microsoft.Peering Registered
Microsoft.PowerBI Registered
Microsoft.PowerBIDedicated Registered
Microsoft.PowerPlatform Registered
Microsoft.ProjectBabylon Registered
Microsoft.ProviderHub Registered
Microsoft.Purview Registered
Microsoft.Quantum Registered
Microsoft.RecommendationsService Registered
Microsoft.RecoveryServices Registered
Microsoft.RedHatOpenShift Registered
Microsoft.Relay Registered
Microsoft.ResourceConnector Registered
Microsoft.ResourceHealth Registered
Microsoft.SaaS Registered
Microsoft.Scheduler Registering
Microsoft.ScVmm Registered
Microsoft.Search Registered
Microsoft.SecurityDetonation Registered
Microsoft.SecurityInsights Registered
Microsoft.ServiceBus Registered
Microsoft.ServiceFabric Registered
Microsoft.ServiceFabricMesh Registered
Microsoft.ServiceLinker Registered
Microsoft.ServicesHub Registered
Microsoft.SignalRService Registered
Microsoft.Singularity Registered
Microsoft.SoftwarePlan Registered
Microsoft.Solutions Registered
Microsoft.Sql Registered
Microsoft.SqlVirtualMachine Registered
Microsoft.StorageCache Registered
Microsoft.StoragePool Registered
Microsoft.StorageSync Registered
Microsoft.StorSimple Registered
Microsoft.StreamAnalytics Registered
Microsoft.Subscription Registered
Microsoft.Synapse Registered
Microsoft.TestBase Registered
Microsoft.TimeSeriesInsights Registered
Microsoft.VirtualMachineImages Registered
microsoft.visualstudio Registered
Microsoft.VMware Registered
Microsoft.VMwareCloudSimple Registered
Microsoft.VSOnline Registered
Microsoft.Web Registered
Microsoft.WindowsESU Registered
Microsoft.WindowsIoT Registered
Microsoft.WorkloadBuilder Registered
Microsoft.WorkloadMonitor Registered
Paraleap.CloudMonix Registered
Pokitdok.Platform Registering
RavenHq.Db Registered
Raygun.CrashReporting Registered
Sendgrid.Email Registered
Wandisco.Fusion Registered
Dynatrace.Observability NotRegistered
Microsoft.ADHybridHealthService Registered
Microsoft.Authorization Registered
Microsoft.AzurePercept NotRegistered
Microsoft.Billing Registered
Microsoft.ClassicSubscription Registered
Microsoft.CloudTest NotRegistered
Microsoft.CodeSigning NotRegistered
Microsoft.Commerce Registered
Microsoft.Consumption Registered
Microsoft.CostManagement Registered
Microsoft.Dashboard NotRegistered
Microsoft.EdgeOrder NotRegistered
Microsoft.Features Registered
Microsoft.Fidalgo NotRegistered
Microsoft.FluidRelay NotRegistered
Microsoft.MarketplaceNotifications NotRegistered
Microsoft.MarketplaceOrdering Registered
Microsoft.MobileNetwork NotRegistered
Microsoft.Portal Registered
Microsoft.Quota NotRegistered
Microsoft.ResourceGraph Registered
Microsoft.Resources Registered
Microsoft.Scom NotRegistered
Microsoft.SerialConsole Registered
microsoft.support Registered
Microsoft.VideoIndexer NotRegistered
NGINX.NGINXPLUS NotRegistered

0 Resource Locks

ResourceType Location Count
microsoft.keyvault/vaults westeurope 1
microsoft.managedidentity/userassignedidentities westeurope 1
microsoft.network/networksecuritygroups westeurope 2
microsoft.network/networkwatchers westeurope 1
microsoft.network/virtualnetworks westeurope 1
microsoft.storage/storageaccounts northeurope 1
microsoft.storage/storageaccounts westeurope 1
ResourceType Resource Count Diagnostics capable Metrics Logs LogCategories
microsoft.keyvault/vaults 1 True True True AuditEvent
microsoft.managedidentity/userassignedidentities 1 False False False
microsoft.network/networksecuritygroups 2 True False True NetworkSecurityGroupEvent, NetworkSecurityGroupRuleCounter
microsoft.network/networkwatchers 1 False False False
microsoft.network/virtualnetworks 1 True True True VMProtectionAlerts
microsoft.storage/storageaccounts 2 True True False
Inheritance ScopeExcluded Exemption applies Policy DisplayName PolicyId Type Category Effect Parameters Enforcement NonCompliance Message Policies NonCmplnt Policies Compliant Resources NonCmplnt Resources Compliant Resources Conflicting Role/Assignment Assignment DisplayName AssignmentId AssignedBy CreatedOn CreatedBy UpdatedOn UpdatedBy
inherited ESJH-landingzones false false Network interfaces should disable IP forwarding /providers/microsoft.authorization/policydefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900 BuiltIn Network deny Default 0 0 0 0 0 none Deny-IP-Forwarding /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-ip-forwarding n/a 2021-01-10 20:58:32 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH-landingzones false false Kubernetes clusters should not allow container privilege escalation /providers/microsoft.authorization/policydefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 BuiltIn Kubernetes deny effect=deny Default 0 0 0 0 0 none Deny-Privileged-Escalations-AKS /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-priv-esc-aks n/a 2021-01-10 20:58:33 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH-landingzones false false Kubernetes cluster should not allow privileged containers /providers/microsoft.authorization/policydefinitions/95edb821-ddaf-4404-9732-666045e056b4 BuiltIn Kubernetes deny effect=deny Default 0 0 0 0 0 none Deny-Privileged-Containers-AKS /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-privileged-aks n/a 2021-01-10 20:58:33 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH-landingzones false false RDP access from the Internet should be blocked /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-rdp-from-internet Custom Network Deny Default 0 0 0 0 0 none Deny-RDP-from-Internet /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-rdp-from-internet n/a 2021-01-10 20:58:32 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH-landingzones true false Secure transfer to storage accounts should be enabled /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 BuiltIn Storage Audit Default 0 0 0 0 0 none Enforce-Secure-Storage /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-storage-http n/a 2021-01-10 20:58:32 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149 2021-01-25 22:26:59 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH-landingzones false false Subnets should have a Network Security Group /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deny-subnet-without-nsg Custom Network Deny Default 1 0 1 0 0 none Deny-Subnet-Without-Nsg /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deny-subnet-without-nsg n/a 2021-01-10 20:58:32 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH-landingzones false false Deploy Azure Policy Add-on to Azure Kubernetes Service clusters /providers/microsoft.authorization/policydefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7 BuiltIn Kubernetes deployIfNotExists Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/4f80e55d-446d-5743-a173-5d189d196345) Deploy-AKS-Policy /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deploy-aks-policy n/a 2021-01-10 20:58:37 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH-landingzones false false Auditing on SQL server should be enabled /providers/microsoft.authorization/policydefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9 BuiltIn SQL AuditIfNotExists Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/8085d5e6-c291-571e-bd96-a2eb4769f9e6) Deploy-SQL-Audit /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deploy-sql-db-auditing n/a 2021-01-10 20:58:36 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH-landingzones false false Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy /providers/microsoft.authorization/policydefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 BuiltIn Backup deployIfNotExists Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/70486d4a-1ee2-5f70-bb58-b3bd79840ae5) Deploy-VM-Backup /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deploy-vm-backup n/a 2021-01-10 20:58:34 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH-landingzones false false Kubernetes clusters should be accessible only over HTTPS /providers/microsoft.authorization/policydefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d BuiltIn Kubernetes deny effect=deny Default 0 0 0 0 0 none Enforce-Https-Ingress-AKS /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/enforce-aks-https n/a 2021-01-10 20:58:33 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH-landingzones false false Deploy SQL DB transparent data encryption /providers/microsoft.authorization/policydefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f BuiltIn SQL DeployIfNotExists Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/3df334e6-61c3-543a-b548-97586caf6d4f) Deploy-SQL-Security /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/enforce-sql-encryption n/a 2021-01-10 20:58:33 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false false Deploy Azure Defender settings in Azure Security Center. /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-asc-standard Custom Security Center DeployIfNotExists pricingTierAppServices=Standard, pricingTierArm=Standard, pricingTierContainerRegistry=Standard, pricingTierDns=Standard, pricingTierKeyVaults=Standard, pricingTierKubernetesService=Standard, pricingTierSqlServers=Standard, pricingTierStorageAccounts=Standard, pricingTierVms=Standard Default 0 1 0 1 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/538e5329-7b5d-511f-8c05-9c7c32dab0bf) Deploy-ASC-Defender /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-security n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false false Deploy Diagnostic Settings for Activity Log to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-activitylog Custom Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466, logsEnabled=True Default 0 1 0 1 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/e5ac6b58-4f31-5956-9082-78d97ba2453e) Deploy-AzActivity-Log /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-azactivity-log n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false false Configure Log Analytics agent on Azure Arc enabled Linux servers /providers/microsoft.authorization/policydefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf BuiltIn Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/ddc0ff3c-a3d0-5d5b-ba19-116b6572acbf) Deploy-Linux-Arc-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-lx-arc-monitoring n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false false Configure Log Analytics agent on Azure Arc enabled Windows servers /providers/microsoft.authorization/policydefinitions/69af7d4a-7b18-4044-93a9-2651498ef203 BuiltIn Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/38abf737-131b-52a2-90da-78943675bfed) Deploy-Windows-Arc-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-ws-arc-monitoring n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
thisScope Sub false false [Deprecated]: Function App should only be accessible over HTTPS /providers/microsoft.authorization/policydefinitions/5df82f4f-773a-4a2d-97a2-422a806f1a55 BuiltIn Security Center AuditIfNotExists Default 0 0 0 0 0 none testDeprecatedAssignment /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/microsoft.authorization/policyassignments/bcdd1466e4fc5114b6e5f13d n/a 2021-07-18 15:09:28 ObjectType: SP App INT , ObjectDisplayName: AzOps, ObjectSignInName: n/a, ObjectId: c295384a-33d9-475e-abaf-d2fb0274299a
thisScope Sub false false Audit virtual machines without disaster recovery configured /providers/microsoft.authorization/policydefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56 BuiltIn Compute auditIfNotExists Default 0 0 0 0 0 none Audit virtual machines without disaster recovery configured /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/microsoft.authorization/policyassignments/bcee1466e4fc4114b5e5f03d Joe Dalton 2021-06-16 16:07:53 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
Inheritance ScopeExcluded PolicySet DisplayName PolicySetId Type Category Parameters Enforcement NonCompliance Message Policies NonCmplnt Policies Compliant Resources NonCmplnt Resources Compliant Resources Conflicting Role/Assignment Assignment DisplayName AssignmentId AssignedBy CreatedOn CreatedBy UpdatedOn UpdatedBy
inherited ESJH false Azure Security Benchmark /providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 BuiltIn Security Center Default 21 17 8 0 0 none ASC-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-monitoring n/a 2021-01-10 21:00:45 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false Deploy Diagnostic Settings to Azure Services /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics Custom Monitoring logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 3 0 4 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/45afca7b-a696-5947-a47f-960081dd1dbc) Deploy-Resource-Diag /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false Enable Azure Monitor for VMs /providers/microsoft.authorization/policysetdefinitions/55f3eceb-5573-4f18-9695-226972c6d74a BuiltIn Monitoring logAnalytics_1=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/5d92332d-fe07-5cef-9c6b-33e5025d6374) Deploy-VM-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vm-monitoring n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149 2021-07-09 16:04:52 ObjectType: SP App INT , ObjectDisplayName: AzOps, ObjectSignInName: n/a, ObjectId: c295384a-33d9-475e-abaf-d2fb0274299a
inherited ESJH false Enable Azure Monitor for Virtual Machine Scale Sets /providers/microsoft.authorization/policysetdefinitions/75714362-cae7-409e-9b99-a8e5075b7fad BuiltIn Monitoring logAnalytics_1=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/2d361fa3-7bd4-5234-9b12-1f54afa65870) Deploy-VMSS-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vmss-monitoring n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
thisScope Sub false Configure Azure Defender to be enabled on SQL Servers and SQL Managed Instances /providers/microsoft.authorization/policysetdefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97 BuiltIn Security Center Default 0 0 0 0 0 none ASC DataProtection (subscription: 4dfa3b56-55bf-4059-802a-24e44a4fb60f) /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/microsoft.authorization/policyassignments/dataprotectionsecuritycenter Security Center 2021-01-10 21:02:17 ObjectType: SP App EXT, ObjectDisplayName: Windows Azure Security Resource Provider, ObjectSignInName: n/a, ObjectId: 9ac4e379-ffb1-4e2c-ac89-3752d019abfd (rp)

Policy Assignment Limit: 3/200

0 Custom Policy definitions scoped

0 Custom PolicySet definitions scoped

0 Blueprints assigned

0 Blueprints scoped

Scope Role RoleId Role Type Data Identity Displayname Identity SignInName Identity ObjectId Identity Type Applicability Applies through membership Group Details Role AssignmentId Related Policy Assignment CreatedOn CreatedBy
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false AzOps n/a c295384a-33d9-475e-abaf-d2fb0274299a SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/30e36b53-bc6c-412b-a026-96fe7527e27b none 2021-07-06 12:42:21 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/eda95ae6-8581-4558-b3b9-b3cd05cce33d none 2021-06-16 13:58:06 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false azgovvizwwcsecurity n/a e261446e-77d2-4cf5-a32a-0fbef8ee1333 SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/d7973c31-e58a-4af7-bbcb-a4bac69ba141 none 2021-04-27 16:53:54 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false Jack Dalton JackDalton@AzGovViz.onmicrosoft.com c64d2776-a210-428f-b54f-a4a5dd7f8ef8 User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/2df03e9d-a1e3-41f5-a95e-efb2b4641f04 none 2021-07-19 19:38:25 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-ASC-Security n/a 4cb4c797-237b-4e64-b2cf-66f841700442 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/538e5329-7b5d-511f-8c05-9c7c32dab0bf /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-security (Deploy Azure Defender settings in Azure Security Center.) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-AzActivity-Log n/a 1691aa06-da2e-43f0-98f9-af12494603a9 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/e5ac6b58-4f31-5956-9082-78d97ba2453e /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-azactivity-log (Deploy Diagnostic Settings for Activity Log to Log Analytics workspace) 2021-01-10 21:00:49 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-LX-Arc-Monitoring n/a 9ed01b2b-9311-41a8-8897-0a329047be49 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/ddc0ff3c-a3d0-5d5b-ba19-116b6572acbf /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-lx-arc-monitoring (Configure Log Analytics agent on Azure Arc enabled Linux servers) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-Resource-Diag n/a e51576ad-748d-462b-9d70-cb3b03e6c2e6 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/45afca7b-a696-5947-a47f-960081dd1dbc /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy Diagnostic Settings to Azure Services) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VM-Monitoring n/a 065dde0b-5eab-4fce-80ee-ec956e94c498 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/5d92332d-fe07-5cef-9c6b-33e5025d6374 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vm-monitoring (Enable Azure Monitor for VMs) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VMSS-Monitoring n/a a3a4908f-b068-455e-a3f5-38cc5e00448f SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/2d361fa3-7bd4-5234-9b12-1f54afa65870 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vmss-monitoring (Enable Azure Monitor for Virtual Machine Scale Sets) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-WS-Arc-Monitoring n/a b0bdcb08-09c9-4d9d-957e-963d255e7220 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/38abf737-131b-52a2-90da-78943675bfed /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-ws-arc-monitoring (Configure Log Analytics agent on Azure Arc enabled Windows servers) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/f8d8ca86-6fdf-4ad5-b801-5e1b3eba3171 none 2021-01-10 20:55:50 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
inherited ESJH-landingzones Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-AKS-Policy n/a fb0a7498-393f-434d-aa93-2acd144f489f SP MI direct /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/4f80e55d-446d-5743-a173-5d189d196345 /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deploy-aks-policy (Deploy Azure Policy Add-on to Azure Kubernetes Service clusters) 2021-01-10 20:58:39 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH-landingzones Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-SQL-DB-Auditing n/a 4f3a2551-ea2f-43c6-9623-8950156d19b7 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/8085d5e6-c291-571e-bd96-a2eb4769f9e6 /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deploy-sql-db-auditing (Auditing on SQL server should be enabled) 2021-01-10 20:58:39 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH-landingzones Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VM-Backup n/a e2511ca5-bcb3-4dbd-9d91-c18590c2a9d2 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/70486d4a-1ee2-5f70-bb58-b3bd79840ae5 /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/deploy-vm-backup (Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy) 2021-01-10 20:58:36 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH-landingzones Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Enforce-SQL-Encryption n/a 34520a11-7b14-46a8-ac34-7d766959460a SP MI direct /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/3df334e6-61c3-543a-b548-97586caf6d4f /providers/microsoft.management/managementgroups/esjh-landingzones/providers/microsoft.authorization/policyassignments/enforce-sql-encryption (Deploy SQL DB transparent data encryption) 2021-01-10 20:58:36 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH-landingzones Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/093ad67e-4eae-4536-aa0b-da4e09b47d88 none 2021-01-10 20:56:27 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
inherited ESJH-landingzones Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false 3rdPartyStaff n/a cb036073-f86b-46e1-9726-1eaccb62a678 Group direct 1 (Usr: 1, Grp: 0, SP: 0) /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/3b6291a1-fc61-41d8-abff-43d04e35be62 none 2021-01-25 22:02:49 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited ESJH-landingzones Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false Calamity Jane Calamity_Jane_AzGovViz.net#EXT#@AzGovViz.onmicrosoft.com 43b0f5e7-cb78-4e1a-b3da-1239647dfb74 User Guest indirect 3rdPartyStaff (cb036073-f86b-46e1-9726-1eaccb62a678) 1 (Usr: 1, Grp: 0, SP: 0) /providers/Microsoft.Management/managementGroups/ESJH-landingzones/providers/Microsoft.Authorization/roleAssignments/3b6291a1-fc61-41d8-abff-43d04e35be62 none 2021-01-25 22:02:49 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited ESJH-online Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH-online/providers/Microsoft.Authorization/roleAssignments/06ee6718-e394-4fcf-bbc2-cf358381ff67 none 2021-01-10 20:57:02 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
inherited Tenant User Access Administrator 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Authorization/roleAssignments/0c3ffd6f-942d-433d-8abd-2d0d7f4383e1 none 2021-01-10 20:27:23 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited Tenant Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Authorization/roleAssignments/6c236776-529f-4132-b034-e399e1cd1a99 none 2021-01-10 20:51:02 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
thisScope Sub User Access Administrator 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 Builtin false Calamity Jane Calamity_Jane_AzGovViz.net#EXT#@AzGovViz.onmicrosoft.com 43b0f5e7-cb78-4e1a-b3da-1239647dfb74 User Guest indirect group03 (e2390190-219f-419f-bdfa-a9f5cc3698cc) 1 (Usr: 1, Grp: 0, SP: 0) /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleAssignments/6bbd9ae3-1189-40bb-8170-7e8674b79159 none 2021-07-21 10:08:04 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
thisScope Sub User Access Administrator 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 Builtin false Calamity Jane Calamity_Jane_AzGovViz.net#EXT#@AzGovViz.onmicrosoft.com 43b0f5e7-cb78-4e1a-b3da-1239647dfb74 User Guest direct /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleAssignments/70e14253-25d3-447f-9356-ac32985062a4 none 2021-07-19 19:31:24 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
thisScope Sub User Access Administrator 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 Builtin false group03 n/a e2390190-219f-419f-bdfa-a9f5cc3698cc Group direct 1 (Usr: 1, Grp: 0, SP: 0) /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleAssignments/6bbd9ae3-1189-40bb-8170-7e8674b79159 none 2021-07-21 10:08:04 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
thisScope Sub Monitoring Reader 43d0d8ad-25c7-4714-9337-8ba259a9fe05 Builtin false Jolly Jumper JollyJumper@AzGovViz.onmicrosoft.com 192ff2e5-52de-4c93-b220-f9ced74068b0 User Member direct /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleAssignments/79041f69-fb87-4da7-8676-6431f7ad43a8 none 2021-01-25 22:11:25 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
thisScope Sub Tag Contributor 4a9ae827-6dc8-4573-8ac7-8239d42aa03f Builtin false Tag Bert TagBert@AzGovViz.onmicrosoft.com 9e1643fe-b887-4a53-9071-56801236f719 User Member direct /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleAssignments/1dd61049-04b7-4058-af49-01f9b83159b2 none 2021-07-22 08:57:09 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
thisScope Sub Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Jack Dalton JackDalton@AzGovViz.onmicrosoft.com c64d2776-a210-428f-b54f-a4a5dd7f8ef8 User Member direct /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleAssignments/2754101a-9df1-48e7-ae2a-836f23710ed7 none 2021-07-19 19:43:09 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
thisScope Sub Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleAssignments/68463d6a-5bd9-4d2b-8607-cb12a73d3c53 none 2021-05-13 12:05:47 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
thisScope Sub Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false group00 n/a c1916fdd-08d8-439e-a329-d540c6f002a8 Group direct 6 (Usr: 4, Grp: 2, SP: 0) /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleAssignments/06e10e98-b109-40c5-bf73-691605bf66e3 none 2021-05-15 06:39:30 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
thisScope Sub Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false group01 n/a 66f4e0b3-13af-4c93-ad43-67042ed760e5 Group indirect group00 (c1916fdd-08d8-439e-a329-d540c6f002a8) 6 (Usr: 4, Grp: 2, SP: 0) /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleAssignments/06e10e98-b109-40c5-bf73-691605bf66e3 none 2021-05-15 06:39:30 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
thisScope Sub Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false group02 n/a 903a7f87-c183-4962-8983-c793a77f18bf Group indirect group00 (c1916fdd-08d8-439e-a329-d540c6f002a8) 6 (Usr: 4, Grp: 2, SP: 0) /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleAssignments/06e10e98-b109-40c5-bf73-691605bf66e3 none 2021-05-15 06:39:30 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
thisScope Sub Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false user00 user00@AzGovViz.onmicrosoft.com 05687e51-8ebb-4a06-9eae-9e9786f79090 User Member indirect group00 (c1916fdd-08d8-439e-a329-d540c6f002a8) 6 (Usr: 4, Grp: 2, SP: 0) /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleAssignments/06e10e98-b109-40c5-bf73-691605bf66e3 none 2021-05-15 06:39:30 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
thisScope Sub Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false user01 user01@AzGovViz.onmicrosoft.com 7dd8e665-9277-4bbb-94f9-ff278ceff8c0 User Member indirect group00 (c1916fdd-08d8-439e-a329-d540c6f002a8) 6 (Usr: 4, Grp: 2, SP: 0) /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleAssignments/06e10e98-b109-40c5-bf73-691605bf66e3 none 2021-05-15 06:39:30 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
thisScope Sub Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false user02 user02@AzGovViz.onmicrosoft.com cb317eea-8af2-4cb8-bde5-516e0b951f1b User Member indirect group00 (c1916fdd-08d8-439e-a329-d540c6f002a8) 6 (Usr: 4, Grp: 2, SP: 0) /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleAssignments/06e10e98-b109-40c5-bf73-691605bf66e3 none 2021-05-15 06:39:30 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
thisScope Sub Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false user03 user03@AzGovViz.onmicrosoft.com c472fa07-5319-4f5f-8bcd-00d4162bb8fd User Member indirect group00 (c1916fdd-08d8-439e-a329-d540c6f002a8) 6 (Usr: 4, Grp: 2, SP: 0) /subscriptions/4dfa3b56-55bf-4059-802a-24e44a4fb60f/providers/Microsoft.Authorization/roleAssignments/06e10e98-b109-40c5-bf73-691605bf66e3 none 2021-05-15 06:39:30 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a


Management Group Name: ESJH-platform

Management Group Id: ESJH-platform

Management Group Path: 896470ca-9c6e-4176-9b38-5a655403c638/ESJH/ESJH-platform

1 ManagementGroups below this scope

1 Subscriptions below this scope

Diagnostic setting Target Target Id Administrative Policy
mgDiag_ESJH-platform LA /subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 true true
ChargeType ResourceType Category ResourceCount Cost (1d) Currency Subscriptions
usage arm advanced threat protection 1 0.0032450184 EUR 1
ResourceType Location Count
microsoft.automation/automationaccounts westeurope 1
microsoft.automation/automationaccounts/runbooks westeurope 1
microsoft.network/networksecuritygroups northeurope 1
microsoft.network/networksecuritygroups westeurope 1
microsoft.operationalinsights/workspaces westeurope 1
microsoft.operationsmanagement/solutions westeurope 10
ResourceType Resource Count Diagnostics capable Metrics Logs LogCategories
microsoft.automation/automationaccounts 1 True True True JobLogs, JobStreams, DscNodeStatus
microsoft.automation/automationaccounts/runbooks 1 False False False
microsoft.network/networksecuritygroups 2 True False True NetworkSecurityGroupEvent, NetworkSecurityGroupRuleCounter
microsoft.operationalinsights/workspaces 1 True True True Audit
microsoft.operationsmanagement/solutions 10 False False False
Inheritance ScopeExcluded Exemption applies Policy DisplayName PolicyId Type Category Effect Parameters Enforcement NonCompliance Message Policies NonCmplnt Policies Compliant Resources NonCmplnt Resources Compliant Resources Conflicting Role/Assignment Assignment DisplayName AssignmentId AssignedBy CreatedOn CreatedBy UpdatedOn UpdatedBy
inherited ESJH false false Deploy Azure Defender settings in Azure Security Center. /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-asc-standard Custom Security Center DeployIfNotExists pricingTierAppServices=Standard, pricingTierArm=Standard, pricingTierContainerRegistry=Standard, pricingTierDns=Standard, pricingTierKeyVaults=Standard, pricingTierKubernetesService=Standard, pricingTierSqlServers=Standard, pricingTierStorageAccounts=Standard, pricingTierVms=Standard Default 0 1 0 1 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/538e5329-7b5d-511f-8c05-9c7c32dab0bf) Deploy-ASC-Defender /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-security n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false false Deploy Diagnostic Settings for Activity Log to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-activitylog Custom Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466, logsEnabled=True Default 0 1 0 1 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/e5ac6b58-4f31-5956-9082-78d97ba2453e) Deploy-AzActivity-Log /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-azactivity-log n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false false Configure Log Analytics agent on Azure Arc enabled Linux servers /providers/microsoft.authorization/policydefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf BuiltIn Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/ddc0ff3c-a3d0-5d5b-ba19-116b6572acbf) Deploy-Linux-Arc-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-lx-arc-monitoring n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false false Configure Log Analytics agent on Azure Arc enabled Windows servers /providers/microsoft.authorization/policydefinitions/69af7d4a-7b18-4044-93a9-2651498ef203 BuiltIn Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/38abf737-131b-52a2-90da-78943675bfed) Deploy-Windows-Arc-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-ws-arc-monitoring n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Inheritance ScopeExcluded PolicySet DisplayName PolicySetId Type Category Parameters Enforcement NonCompliance Message Policies NonCmplnt Policies Compliant Resources NonCmplnt Resources Compliant Resources Conflicting Role/Assignment Assignment DisplayName AssignmentId AssignedBy CreatedOn CreatedBy UpdatedOn UpdatedBy
inherited ESJH false Azure Security Benchmark /providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 BuiltIn Security Center Default 15 11 4 0 0 none ASC-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-monitoring n/a 2021-01-10 21:00:45 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false Deploy Diagnostic Settings to Azure Services /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics Custom Monitoring logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 2 0 3 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/45afca7b-a696-5947-a47f-960081dd1dbc) Deploy-Resource-Diag /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false Enable Azure Monitor for VMs /providers/microsoft.authorization/policysetdefinitions/55f3eceb-5573-4f18-9695-226972c6d74a BuiltIn Monitoring logAnalytics_1=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/5d92332d-fe07-5cef-9c6b-33e5025d6374) Deploy-VM-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vm-monitoring n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149 2021-07-09 16:04:52 ObjectType: SP App INT , ObjectDisplayName: AzOps, ObjectSignInName: n/a, ObjectId: c295384a-33d9-475e-abaf-d2fb0274299a
inherited ESJH false Enable Azure Monitor for Virtual Machine Scale Sets /providers/microsoft.authorization/policysetdefinitions/75714362-cae7-409e-9b99-a8e5075b7fad BuiltIn Monitoring logAnalytics_1=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/2d361fa3-7bd4-5234-9b12-1f54afa65870) Deploy-VMSS-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vmss-monitoring n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149

Policy Assignment Limit: 0/200

0 Custom Policy definitions scoped

0 Custom PolicySet definitions scoped

0 Blueprints scoped

Scope Role RoleId Role Type Data Identity Displayname Identity SignInName Identity ObjectId Identity Type Applicability Applies through membership Group Details Role AssignmentId Related Policy Assignment CreatedOn CreatedBy
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false AzOps n/a c295384a-33d9-475e-abaf-d2fb0274299a SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/30e36b53-bc6c-412b-a026-96fe7527e27b none 2021-07-06 12:42:21 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/eda95ae6-8581-4558-b3b9-b3cd05cce33d none 2021-06-16 13:58:06 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false azgovvizwwcsecurity n/a e261446e-77d2-4cf5-a32a-0fbef8ee1333 SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/d7973c31-e58a-4af7-bbcb-a4bac69ba141 none 2021-04-27 16:53:54 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false Jack Dalton JackDalton@AzGovViz.onmicrosoft.com c64d2776-a210-428f-b54f-a4a5dd7f8ef8 User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/2df03e9d-a1e3-41f5-a95e-efb2b4641f04 none 2021-07-19 19:38:25 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-ASC-Security n/a 4cb4c797-237b-4e64-b2cf-66f841700442 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/538e5329-7b5d-511f-8c05-9c7c32dab0bf /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-security (Deploy Azure Defender settings in Azure Security Center.) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-AzActivity-Log n/a 1691aa06-da2e-43f0-98f9-af12494603a9 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/e5ac6b58-4f31-5956-9082-78d97ba2453e /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-azactivity-log (Deploy Diagnostic Settings for Activity Log to Log Analytics workspace) 2021-01-10 21:00:49 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-LX-Arc-Monitoring n/a 9ed01b2b-9311-41a8-8897-0a329047be49 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/ddc0ff3c-a3d0-5d5b-ba19-116b6572acbf /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-lx-arc-monitoring (Configure Log Analytics agent on Azure Arc enabled Linux servers) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-Resource-Diag n/a e51576ad-748d-462b-9d70-cb3b03e6c2e6 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/45afca7b-a696-5947-a47f-960081dd1dbc /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy Diagnostic Settings to Azure Services) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VM-Monitoring n/a 065dde0b-5eab-4fce-80ee-ec956e94c498 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/5d92332d-fe07-5cef-9c6b-33e5025d6374 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vm-monitoring (Enable Azure Monitor for VMs) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VMSS-Monitoring n/a a3a4908f-b068-455e-a3f5-38cc5e00448f SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/2d361fa3-7bd4-5234-9b12-1f54afa65870 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vmss-monitoring (Enable Azure Monitor for Virtual Machine Scale Sets) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-WS-Arc-Monitoring n/a b0bdcb08-09c9-4d9d-957e-963d255e7220 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/38abf737-131b-52a2-90da-78943675bfed /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-ws-arc-monitoring (Configure Log Analytics agent on Azure Arc enabled Windows servers) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/f8d8ca86-6fdf-4ad5-b801-5e1b3eba3171 none 2021-01-10 20:55:50 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
inherited Tenant User Access Administrator 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Authorization/roleAssignments/0c3ffd6f-942d-433d-8abd-2d0d7f4383e1 none 2021-01-10 20:27:23 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited Tenant Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Authorization/roleAssignments/6c236776-529f-4132-b034-e399e1cd1a99 none 2021-01-10 20:51:02 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH-platform/providers/Microsoft.Authorization/roleAssignments/243cb616-b890-4197-bc2e-98b966ba39f5 none 2021-01-10 20:56:27 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)

0 Subscriptions linked


Management Group Name: ESJH-management

Management Group Id: ESJH-management

Management Group Path: 896470ca-9c6e-4176-9b38-5a655403c638/ESJH/ESJH-platform/ESJH-management

0 ManagementGroups below this scope

1 Subscriptions below this scope

ASC Secure Score:

No Management Group Diagnostic settings

ChargeType ResourceType Category ResourceCount Cost (1d) Currency Subscriptions
usage arm advanced threat protection 1 0.0032450184 EUR 1
ResourceType Location Count
microsoft.automation/automationaccounts westeurope 1
microsoft.automation/automationaccounts/runbooks westeurope 1
microsoft.network/networksecuritygroups northeurope 1
microsoft.network/networksecuritygroups westeurope 1
microsoft.operationalinsights/workspaces westeurope 1
microsoft.operationsmanagement/solutions westeurope 10
ResourceType Resource Count Diagnostics capable Metrics Logs LogCategories
microsoft.automation/automationaccounts 1 True True True JobLogs, JobStreams, DscNodeStatus
microsoft.automation/automationaccounts/runbooks 1 False False False
microsoft.network/networksecuritygroups 2 True False True NetworkSecurityGroupEvent, NetworkSecurityGroupRuleCounter
microsoft.operationalinsights/workspaces 1 True True True Audit
microsoft.operationsmanagement/solutions 10 False False False
Inheritance ScopeExcluded Exemption applies Policy DisplayName PolicyId Type Category Effect Parameters Enforcement NonCompliance Message Policies NonCmplnt Policies Compliant Resources NonCmplnt Resources Compliant Resources Conflicting Role/Assignment Assignment DisplayName AssignmentId AssignedBy CreatedOn CreatedBy UpdatedOn UpdatedBy
thisScope Mg false false Deploy the Log Analytics in the subscription /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-log-analytics Custom Monitoring DeployIfNotExists automationAccountName=ESJH-a-f28ba982-5ed0-4033-9bdf-e45e4b5df466, automationRegion=westeurope, retentionInDays=30, rgName=ESJH-mgmt, workspaceName=ESJH-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466, workspaceRegion=westeurope Default 0 1 0 1 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH-management/providers/Microsoft.Authorization/roleAssignments/b95d2309-e3d0-5961-bef8-a3e75deca49a) Deploy-Log-Analytics /providers/microsoft.management/managementgroups/esjh-management/providers/microsoft.authorization/policyassignments/deploy-log-analytics n/a 2021-01-10 20:58:37 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false false Deploy Azure Defender settings in Azure Security Center. /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-asc-standard Custom Security Center DeployIfNotExists pricingTierAppServices=Standard, pricingTierArm=Standard, pricingTierContainerRegistry=Standard, pricingTierDns=Standard, pricingTierKeyVaults=Standard, pricingTierKubernetesService=Standard, pricingTierSqlServers=Standard, pricingTierStorageAccounts=Standard, pricingTierVms=Standard Default 0 1 0 1 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/538e5329-7b5d-511f-8c05-9c7c32dab0bf) Deploy-ASC-Defender /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-security n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false false Deploy Diagnostic Settings for Activity Log to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-activitylog Custom Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466, logsEnabled=True Default 0 1 0 1 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/e5ac6b58-4f31-5956-9082-78d97ba2453e) Deploy-AzActivity-Log /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-azactivity-log n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false false Configure Log Analytics agent on Azure Arc enabled Linux servers /providers/microsoft.authorization/policydefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf BuiltIn Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/ddc0ff3c-a3d0-5d5b-ba19-116b6572acbf) Deploy-Linux-Arc-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-lx-arc-monitoring n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false false Configure Log Analytics agent on Azure Arc enabled Windows servers /providers/microsoft.authorization/policydefinitions/69af7d4a-7b18-4044-93a9-2651498ef203 BuiltIn Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/38abf737-131b-52a2-90da-78943675bfed) Deploy-Windows-Arc-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-ws-arc-monitoring n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Inheritance ScopeExcluded PolicySet DisplayName PolicySetId Type Category Parameters Enforcement NonCompliance Message Policies NonCmplnt Policies Compliant Resources NonCmplnt Resources Compliant Resources Conflicting Role/Assignment Assignment DisplayName AssignmentId AssignedBy CreatedOn CreatedBy UpdatedOn UpdatedBy
inherited ESJH false Azure Security Benchmark /providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 BuiltIn Security Center Default 15 11 4 0 0 none ASC-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-monitoring n/a 2021-01-10 21:00:45 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false Deploy Diagnostic Settings to Azure Services /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics Custom Monitoring logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 2 0 3 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/45afca7b-a696-5947-a47f-960081dd1dbc) Deploy-Resource-Diag /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false Enable Azure Monitor for VMs /providers/microsoft.authorization/policysetdefinitions/55f3eceb-5573-4f18-9695-226972c6d74a BuiltIn Monitoring logAnalytics_1=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/5d92332d-fe07-5cef-9c6b-33e5025d6374) Deploy-VM-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vm-monitoring n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149 2021-07-09 16:04:52 ObjectType: SP App INT , ObjectDisplayName: AzOps, ObjectSignInName: n/a, ObjectId: c295384a-33d9-475e-abaf-d2fb0274299a
inherited ESJH false Enable Azure Monitor for Virtual Machine Scale Sets /providers/microsoft.authorization/policysetdefinitions/75714362-cae7-409e-9b99-a8e5075b7fad BuiltIn Monitoring logAnalytics_1=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/2d361fa3-7bd4-5234-9b12-1f54afa65870) Deploy-VMSS-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vmss-monitoring n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149

Policy Assignment Limit: 1/200

0 Custom Policy definitions scoped

0 Custom PolicySet definitions scoped

0 Blueprints scoped

Scope Role RoleId Role Type Data Identity Displayname Identity SignInName Identity ObjectId Identity Type Applicability Applies through membership Group Details Role AssignmentId Related Policy Assignment CreatedOn CreatedBy
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false AzOps n/a c295384a-33d9-475e-abaf-d2fb0274299a SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/30e36b53-bc6c-412b-a026-96fe7527e27b none 2021-07-06 12:42:21 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/eda95ae6-8581-4558-b3b9-b3cd05cce33d none 2021-06-16 13:58:06 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false azgovvizwwcsecurity n/a e261446e-77d2-4cf5-a32a-0fbef8ee1333 SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/d7973c31-e58a-4af7-bbcb-a4bac69ba141 none 2021-04-27 16:53:54 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false Jack Dalton JackDalton@AzGovViz.onmicrosoft.com c64d2776-a210-428f-b54f-a4a5dd7f8ef8 User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/2df03e9d-a1e3-41f5-a95e-efb2b4641f04 none 2021-07-19 19:38:25 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-ASC-Security n/a 4cb4c797-237b-4e64-b2cf-66f841700442 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/538e5329-7b5d-511f-8c05-9c7c32dab0bf /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-security (Deploy Azure Defender settings in Azure Security Center.) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-AzActivity-Log n/a 1691aa06-da2e-43f0-98f9-af12494603a9 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/e5ac6b58-4f31-5956-9082-78d97ba2453e /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-azactivity-log (Deploy Diagnostic Settings for Activity Log to Log Analytics workspace) 2021-01-10 21:00:49 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-LX-Arc-Monitoring n/a 9ed01b2b-9311-41a8-8897-0a329047be49 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/ddc0ff3c-a3d0-5d5b-ba19-116b6572acbf /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-lx-arc-monitoring (Configure Log Analytics agent on Azure Arc enabled Linux servers) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-Resource-Diag n/a e51576ad-748d-462b-9d70-cb3b03e6c2e6 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/45afca7b-a696-5947-a47f-960081dd1dbc /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy Diagnostic Settings to Azure Services) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VM-Monitoring n/a 065dde0b-5eab-4fce-80ee-ec956e94c498 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/5d92332d-fe07-5cef-9c6b-33e5025d6374 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vm-monitoring (Enable Azure Monitor for VMs) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VMSS-Monitoring n/a a3a4908f-b068-455e-a3f5-38cc5e00448f SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/2d361fa3-7bd4-5234-9b12-1f54afa65870 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vmss-monitoring (Enable Azure Monitor for Virtual Machine Scale Sets) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-WS-Arc-Monitoring n/a b0bdcb08-09c9-4d9d-957e-963d255e7220 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/38abf737-131b-52a2-90da-78943675bfed /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-ws-arc-monitoring (Configure Log Analytics agent on Azure Arc enabled Windows servers) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/f8d8ca86-6fdf-4ad5-b801-5e1b3eba3171 none 2021-01-10 20:55:50 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
inherited ESJH-platform Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH-platform/providers/Microsoft.Authorization/roleAssignments/243cb616-b890-4197-bc2e-98b966ba39f5 none 2021-01-10 20:56:27 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
inherited Tenant User Access Administrator 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Authorization/roleAssignments/0c3ffd6f-942d-433d-8abd-2d0d7f4383e1 none 2021-01-10 20:27:23 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited Tenant Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Authorization/roleAssignments/6c236776-529f-4132-b034-e399e1cd1a99 none 2021-01-10 20:51:02 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-Log-Analytics n/a 2f3b9d0b-e8eb-4197-9cdf-ca6bde5dd3e5 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH-management/providers/Microsoft.Authorization/roleAssignments/b95d2309-e3d0-5961-bef8-a3e75deca49a /providers/microsoft.management/managementgroups/esjh-management/providers/microsoft.authorization/policyassignments/deploy-log-analytics (Deploy the Log Analytics in the subscription) 2021-01-10 20:58:39 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH-management/providers/Microsoft.Authorization/roleAssignments/84fb757b-e5ed-44e1-92fa-5d2ed6fe5cd1 none 2021-01-10 20:56:58 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
management (f28ba982-5ed0-4033-9bdf-e45e4b5df466)

Subscription Name: management

Subscription Id: f28ba982-5ed0-4033-9bdf-e45e4b5df466

Subscription Path: 896470ca-9c6e-4176-9b38-5a655403c638/ESJH/ESJH-platform/ESJH-management/f28ba982-5ed0-4033-9bdf-e45e4b5df466

State: Enabled

QuotaId: PayAsYouGo_2014-09-01

ASC Secure Score: 4 of 14 points

Diagnostic setting Target Target Id Administrative Alert Autoscale Policy Recommendation ResourceHealth Security ServiceHealth
subscriptionToLa LA /subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 true true true true true true true true
Tag Name Tag Value
costCenter 4876
Scope TagName Count
Subscription costCenter 2
ChargeType ResourceType Category ResourceCount Cost (1d) Currency
usage arm advanced threat protection 1 0.0032450184 EUR

3 Resource Groups | Limit: (3/980)

Provider State
Microsoft.Management Registered
Microsoft.OperationalInsights Registered
Microsoft.Automation Registered
Microsoft.OperationsManagement Registered
microsoft.insights Registered
Microsoft.Security Registered
Microsoft.GuestConfiguration Registered
Microsoft.PolicyInsights Registered
Microsoft.Network Registered
84codes.CloudAMQP NotRegistered
Crypteron.DataSecurity NotRegistered
Dynatrace.Observability NotRegistered
Microsoft.AAD NotRegistered
microsoft.aadiam NotRegistered
Microsoft.Addons NotRegistered
Microsoft.ADHybridHealthService Registered
Microsoft.Advisor NotRegistered
Microsoft.AgFoodPlatform NotRegistered
Microsoft.AISupercomputer NotRegistered
Microsoft.AlertsManagement NotRegistered
Microsoft.AnalysisServices NotRegistered
Microsoft.AnyBuild NotRegistered
Microsoft.ApiManagement NotRegistered
Microsoft.AppAssessment NotRegistered
Microsoft.AppConfiguration NotRegistered
Microsoft.AppPlatform NotRegistered
Microsoft.Attestation NotRegistered
Microsoft.Authorization Registered
Microsoft.Automanage NotRegistered
Microsoft.AutonomousDevelopmentPlatform NotRegistered
Microsoft.AutonomousSystems NotRegistered
Microsoft.AVS NotRegistered
Microsoft.AzureActiveDirectory NotRegistered
Microsoft.AzureArcData NotRegistered
Microsoft.AzureCIS NotRegistered
Microsoft.AzureData NotRegistered
Microsoft.AzurePercept NotRegistered
Microsoft.AzureSphere NotRegistered
Microsoft.AzureStack NotRegistered
Microsoft.AzureStackHCI NotRegistered
Microsoft.BareMetalInfrastructure NotRegistered
Microsoft.Batch NotRegistered
Microsoft.Billing Registered
Microsoft.Bing NotRegistered
Microsoft.Blockchain NotRegistered
Microsoft.BlockchainTokens NotRegistered
Microsoft.Blueprint NotRegistered
Microsoft.BotService NotRegistered
Microsoft.Cache NotRegistered
Microsoft.Capacity NotRegistered
Microsoft.Cascade NotRegistered
Microsoft.Cdn NotRegistered
Microsoft.CertificateRegistration NotRegistered
Microsoft.ChangeAnalysis NotRegistered
Microsoft.Chaos NotRegistered
Microsoft.ClassicCompute NotRegistered
Microsoft.ClassicInfrastructureMigrate NotRegistered
Microsoft.ClassicNetwork NotRegistered
Microsoft.ClassicStorage NotRegistered
Microsoft.ClassicSubscription Registered
Microsoft.CloudTest NotRegistered
Microsoft.CodeSigning NotRegistered
Microsoft.Codespaces NotRegistered
Microsoft.CognitiveServices NotRegistered
Microsoft.Commerce Registered
Microsoft.Communication NotRegistered
Microsoft.Compute NotRegistered
Microsoft.ConfidentialLedger NotRegistered
Microsoft.Confluent NotRegistered
Microsoft.ConnectedCache NotRegistered
Microsoft.ConnectedVehicle NotRegistered
Microsoft.ConnectedVMwarevSphere NotRegistered
Microsoft.Consumption Registered
Microsoft.ContainerInstance NotRegistered
Microsoft.ContainerRegistry NotRegistered
Microsoft.ContainerService NotRegistered
Microsoft.CostManagement Registered
Microsoft.CostManagementExports NotRegistered
Microsoft.CustomerLockbox NotRegistered
Microsoft.CustomProviders NotRegistered
Microsoft.D365CustomerInsights NotRegistered
Microsoft.Dashboard NotRegistered
Microsoft.DataBox NotRegistered
Microsoft.DataBoxEdge NotRegistered
Microsoft.Databricks NotRegistered
Microsoft.DataCatalog NotRegistered
Microsoft.DataCollaboration NotRegistered
Microsoft.Datadog NotRegistered
Microsoft.DataFactory NotRegistered
Microsoft.DataLakeAnalytics NotRegistered
Microsoft.DataLakeStore NotRegistered
Microsoft.DataMigration NotRegistered
Microsoft.DataProtection NotRegistered
Microsoft.DataShare NotRegistered
Microsoft.DBforMariaDB NotRegistered
Microsoft.DBforMySQL NotRegistered
Microsoft.DBforPostgreSQL NotRegistered
Microsoft.DelegatedNetwork NotRegistered
Microsoft.DeploymentManager NotRegistered
Microsoft.DesktopVirtualization NotRegistered
Microsoft.Devices NotRegistered
Microsoft.DeviceUpdate NotRegistered
Microsoft.DevOps NotRegistered
Microsoft.DevTestLab NotRegistered
Microsoft.Diagnostics NotRegistered
Microsoft.DigitalTwins NotRegistered
Microsoft.DocumentDB NotRegistered
Microsoft.DomainRegistration NotRegistered
Microsoft.EdgeOrder NotRegistered
Microsoft.Elastic NotRegistered
Microsoft.EnterpriseKnowledgeGraph NotRegistered
Microsoft.EventGrid NotRegistered
Microsoft.EventHub NotRegistered
Microsoft.Experimentation NotRegistered
Microsoft.ExtendedLocation NotRegistered
Microsoft.Falcon NotRegistered
Microsoft.Features Registered
Microsoft.Fidalgo NotRegistered
Microsoft.FluidRelay NotRegistered
Microsoft.HanaOnAzure NotRegistered
Microsoft.HardwareSecurityModules NotRegistered
Microsoft.HDInsight NotRegistered
Microsoft.HealthBot NotRegistered
Microsoft.HealthcareApis NotRegistered
Microsoft.HybridCompute NotRegistered
Microsoft.HybridData NotRegistered
Microsoft.HybridNetwork NotRegistered
Microsoft.ImportExport NotRegistered
Microsoft.IndustryDataLifecycle NotRegistered
Microsoft.IntelligentITDigitalTwin NotRegistered
Microsoft.IoTCentral NotRegistered
Microsoft.IoTSecurity NotRegistered
Microsoft.KeyVault NotRegistered
Microsoft.Kubernetes NotRegistered
Microsoft.KubernetesConfiguration NotRegistered
Microsoft.Kusto NotRegistered
Microsoft.LabServices NotRegistered
Microsoft.Logic NotRegistered
Microsoft.Logz NotRegistered
Microsoft.MachineLearning NotRegistered
Microsoft.MachineLearningServices NotRegistered
Microsoft.Maintenance NotRegistered
Microsoft.ManagedIdentity NotRegistered
Microsoft.ManagedServices NotRegistered
Microsoft.Maps NotRegistered
Microsoft.Marketplace NotRegistered
Microsoft.MarketplaceApps NotRegistered
Microsoft.MarketplaceNotifications NotRegistered
Microsoft.MarketplaceOrdering Registered
Microsoft.Media NotRegistered
Microsoft.Migrate NotRegistered
Microsoft.MixedReality NotRegistered
Microsoft.MobileNetwork NotRegistered
Microsoft.NetApp NotRegistered
Microsoft.NotificationHubs NotRegistered
Microsoft.ObjectStore NotRegistered
Microsoft.OffAzure NotRegistered
Microsoft.OpenLogisticsPlatform NotRegistered
Microsoft.Peering NotRegistered
Microsoft.Portal Registered
Microsoft.PowerBI NotRegistered
Microsoft.PowerBIDedicated NotRegistered
Microsoft.PowerPlatform NotRegistered
Microsoft.ProjectBabylon NotRegistered
Microsoft.ProviderHub NotRegistered
Microsoft.Purview NotRegistered
Microsoft.Quantum NotRegistered
Microsoft.Quota NotRegistered
Microsoft.RecommendationsService NotRegistered
Microsoft.RecoveryServices NotRegistered
Microsoft.RedHatOpenShift NotRegistered
Microsoft.Relay NotRegistered
Microsoft.ResourceConnector NotRegistered
Microsoft.ResourceGraph Registered
Microsoft.ResourceHealth NotRegistered
Microsoft.Resources Registered
Microsoft.SaaS NotRegistered
Microsoft.Scheduler NotRegistered
Microsoft.Scom NotRegistered
Microsoft.ScVmm NotRegistered
Microsoft.Search NotRegistered
Microsoft.SecurityDetonation NotRegistered
Microsoft.SecurityInsights NotRegistered
Microsoft.SerialConsole Registered
Microsoft.ServiceBus NotRegistered
Microsoft.ServiceFabric NotRegistered
Microsoft.ServiceFabricMesh NotRegistered
Microsoft.ServiceLinker NotRegistered
Microsoft.ServicesHub NotRegistered
Microsoft.SignalRService NotRegistered
Microsoft.Singularity NotRegistered
Microsoft.SoftwarePlan NotRegistered
Microsoft.Solutions NotRegistered
Microsoft.Sql NotRegistered
Microsoft.SqlVirtualMachine NotRegistered
Microsoft.Storage NotRegistered
Microsoft.StorageCache NotRegistered
Microsoft.StoragePool NotRegistered
Microsoft.StorageSync NotRegistered
Microsoft.StorSimple NotRegistered
Microsoft.StreamAnalytics NotRegistered
Microsoft.Subscription NotRegistered
microsoft.support Registered
Microsoft.Synapse NotRegistered
Microsoft.TestBase NotRegistered
Microsoft.TimeSeriesInsights NotRegistered
Microsoft.VideoIndexer NotRegistered
Microsoft.VirtualMachineImages NotRegistered
microsoft.visualstudio NotRegistered
Microsoft.VMware NotRegistered
Microsoft.VMwareCloudSimple NotRegistered
Microsoft.VSOnline NotRegistered
Microsoft.Web NotRegistered
Microsoft.WindowsESU NotRegistered
Microsoft.WindowsIoT NotRegistered
Microsoft.WorkloadBuilder NotRegistered
Microsoft.WorkloadMonitor NotRegistered
NGINX.NGINXPLUS NotRegistered
Paraleap.CloudMonix NotRegistered
Pokitdok.Platform NotRegistered
RavenHq.Db NotRegistered
Raygun.CrashReporting NotRegistered
Sendgrid.Email NotRegistered
Wandisco.Fusion NotRegistered
Lock scope Lock type presence
Subscription CannotDelete 0
Subscription ReadOnly 0
ResourceGroup CannotDelete 1
ResourceGroup ReadOnly 0
Resource CannotDelete 0
Resource ReadOnly 0
ResourceType Location Count
microsoft.automation/automationaccounts westeurope 1
microsoft.automation/automationaccounts/runbooks westeurope 1
microsoft.network/networksecuritygroups northeurope 1
microsoft.network/networksecuritygroups westeurope 1
microsoft.operationalinsights/workspaces westeurope 1
microsoft.operationsmanagement/solutions westeurope 10
ResourceType Resource Count Diagnostics capable Metrics Logs LogCategories
microsoft.automation/automationaccounts 1 True True True JobLogs, JobStreams, DscNodeStatus
microsoft.automation/automationaccounts/runbooks 1 False False False
microsoft.network/networksecuritygroups 2 True False True NetworkSecurityGroupEvent, NetworkSecurityGroupRuleCounter
microsoft.operationalinsights/workspaces 1 True True True Audit
microsoft.operationsmanagement/solutions 10 False False False
Inheritance ScopeExcluded Exemption applies Policy DisplayName PolicyId Type Category Effect Parameters Enforcement NonCompliance Message Policies NonCmplnt Policies Compliant Resources NonCmplnt Resources Compliant Resources Conflicting Role/Assignment Assignment DisplayName AssignmentId AssignedBy CreatedOn CreatedBy UpdatedOn UpdatedBy
inherited ESJH-management false false Deploy the Log Analytics in the subscription /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-log-analytics Custom Monitoring DeployIfNotExists automationAccountName=ESJH-a-f28ba982-5ed0-4033-9bdf-e45e4b5df466, automationRegion=westeurope, retentionInDays=30, rgName=ESJH-mgmt, workspaceName=ESJH-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466, workspaceRegion=westeurope Default 0 1 0 1 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH-management/providers/Microsoft.Authorization/roleAssignments/b95d2309-e3d0-5961-bef8-a3e75deca49a) Deploy-Log-Analytics /providers/microsoft.management/managementgroups/esjh-management/providers/microsoft.authorization/policyassignments/deploy-log-analytics n/a 2021-01-10 20:58:37 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false false Deploy Azure Defender settings in Azure Security Center. /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-asc-standard Custom Security Center DeployIfNotExists pricingTierAppServices=Standard, pricingTierArm=Standard, pricingTierContainerRegistry=Standard, pricingTierDns=Standard, pricingTierKeyVaults=Standard, pricingTierKubernetesService=Standard, pricingTierSqlServers=Standard, pricingTierStorageAccounts=Standard, pricingTierVms=Standard Default 0 1 0 1 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/538e5329-7b5d-511f-8c05-9c7c32dab0bf) Deploy-ASC-Defender /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-security n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false false Deploy Diagnostic Settings for Activity Log to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-activitylog Custom Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466, logsEnabled=True Default 0 1 0 1 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/e5ac6b58-4f31-5956-9082-78d97ba2453e) Deploy-AzActivity-Log /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-azactivity-log n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false false Configure Log Analytics agent on Azure Arc enabled Linux servers /providers/microsoft.authorization/policydefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf BuiltIn Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/ddc0ff3c-a3d0-5d5b-ba19-116b6572acbf) Deploy-Linux-Arc-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-lx-arc-monitoring n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false false Configure Log Analytics agent on Azure Arc enabled Windows servers /providers/microsoft.authorization/policydefinitions/69af7d4a-7b18-4044-93a9-2651498ef203 BuiltIn Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/38abf737-131b-52a2-90da-78943675bfed) Deploy-Windows-Arc-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-ws-arc-monitoring n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Inheritance ScopeExcluded PolicySet DisplayName PolicySetId Type Category Parameters Enforcement NonCompliance Message Policies NonCmplnt Policies Compliant Resources NonCmplnt Resources Compliant Resources Conflicting Role/Assignment Assignment DisplayName AssignmentId AssignedBy CreatedOn CreatedBy UpdatedOn UpdatedBy
inherited ESJH false Azure Security Benchmark /providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 BuiltIn Security Center Default 15 11 4 0 0 none ASC-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-monitoring n/a 2021-01-10 21:00:45 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false Deploy Diagnostic Settings to Azure Services /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics Custom Monitoring logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 2 0 3 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/45afca7b-a696-5947-a47f-960081dd1dbc) Deploy-Resource-Diag /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false Enable Azure Monitor for VMs /providers/microsoft.authorization/policysetdefinitions/55f3eceb-5573-4f18-9695-226972c6d74a BuiltIn Monitoring logAnalytics_1=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/5d92332d-fe07-5cef-9c6b-33e5025d6374) Deploy-VM-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vm-monitoring n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149 2021-07-09 16:04:52 ObjectType: SP App INT , ObjectDisplayName: AzOps, ObjectSignInName: n/a, ObjectId: c295384a-33d9-475e-abaf-d2fb0274299a
inherited ESJH false Enable Azure Monitor for Virtual Machine Scale Sets /providers/microsoft.authorization/policysetdefinitions/75714362-cae7-409e-9b99-a8e5075b7fad BuiltIn Monitoring logAnalytics_1=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/2d361fa3-7bd4-5234-9b12-1f54afa65870) Deploy-VMSS-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vmss-monitoring n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
thisScope Sub false Configure Azure Defender to be enabled on SQL Servers and SQL Managed Instances /providers/microsoft.authorization/policysetdefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97 BuiltIn Security Center Default 0 0 0 0 0 none ASC DataProtection (subscription: f28ba982-5ed0-4033-9bdf-e45e4b5df466) /subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/providers/microsoft.authorization/policyassignments/dataprotectionsecuritycenter Security Center 2021-01-10 21:02:38 ObjectType: SP App EXT, ObjectDisplayName: Windows Azure Security Resource Provider, ObjectSignInName: n/a, ObjectId: 9ac4e379-ffb1-4e2c-ac89-3752d019abfd (rp)

Policy Assignment Limit: 1/200

Policy DisplayName PolicyId Category Policy effect Role definitions Unique assignments Used in PolicySets
Create NSG Rule /subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/providers/microsoft.authorization/policydefinitions/4e7e976d-d94c-47a3-a534-392c641cecd8 CUST_NSG Fixed: append n/a 0 0

0 Custom PolicySet definitions scoped

0 Blueprints assigned

0 Blueprints scoped

Scope Role RoleId Role Type Data Identity Displayname Identity SignInName Identity ObjectId Identity Type Applicability Applies through membership Group Details Role AssignmentId Related Policy Assignment CreatedOn CreatedBy
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false AzOps n/a c295384a-33d9-475e-abaf-d2fb0274299a SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/30e36b53-bc6c-412b-a026-96fe7527e27b none 2021-07-06 12:42:21 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/eda95ae6-8581-4558-b3b9-b3cd05cce33d none 2021-06-16 13:58:06 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false azgovvizwwcsecurity n/a e261446e-77d2-4cf5-a32a-0fbef8ee1333 SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/d7973c31-e58a-4af7-bbcb-a4bac69ba141 none 2021-04-27 16:53:54 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false Jack Dalton JackDalton@AzGovViz.onmicrosoft.com c64d2776-a210-428f-b54f-a4a5dd7f8ef8 User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/2df03e9d-a1e3-41f5-a95e-efb2b4641f04 none 2021-07-19 19:38:25 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-ASC-Security n/a 4cb4c797-237b-4e64-b2cf-66f841700442 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/538e5329-7b5d-511f-8c05-9c7c32dab0bf /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-security (Deploy Azure Defender settings in Azure Security Center.) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-AzActivity-Log n/a 1691aa06-da2e-43f0-98f9-af12494603a9 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/e5ac6b58-4f31-5956-9082-78d97ba2453e /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-azactivity-log (Deploy Diagnostic Settings for Activity Log to Log Analytics workspace) 2021-01-10 21:00:49 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-LX-Arc-Monitoring n/a 9ed01b2b-9311-41a8-8897-0a329047be49 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/ddc0ff3c-a3d0-5d5b-ba19-116b6572acbf /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-lx-arc-monitoring (Configure Log Analytics agent on Azure Arc enabled Linux servers) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-Resource-Diag n/a e51576ad-748d-462b-9d70-cb3b03e6c2e6 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/45afca7b-a696-5947-a47f-960081dd1dbc /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy Diagnostic Settings to Azure Services) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VM-Monitoring n/a 065dde0b-5eab-4fce-80ee-ec956e94c498 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/5d92332d-fe07-5cef-9c6b-33e5025d6374 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vm-monitoring (Enable Azure Monitor for VMs) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VMSS-Monitoring n/a a3a4908f-b068-455e-a3f5-38cc5e00448f SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/2d361fa3-7bd4-5234-9b12-1f54afa65870 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vmss-monitoring (Enable Azure Monitor for Virtual Machine Scale Sets) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-WS-Arc-Monitoring n/a b0bdcb08-09c9-4d9d-957e-963d255e7220 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/38abf737-131b-52a2-90da-78943675bfed /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-ws-arc-monitoring (Configure Log Analytics agent on Azure Arc enabled Windows servers) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/f8d8ca86-6fdf-4ad5-b801-5e1b3eba3171 none 2021-01-10 20:55:50 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
inherited ESJH-management Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-Log-Analytics n/a 2f3b9d0b-e8eb-4197-9cdf-ca6bde5dd3e5 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH-management/providers/Microsoft.Authorization/roleAssignments/b95d2309-e3d0-5961-bef8-a3e75deca49a /providers/microsoft.management/managementgroups/esjh-management/providers/microsoft.authorization/policyassignments/deploy-log-analytics (Deploy the Log Analytics in the subscription) 2021-01-10 20:58:39 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH-management Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH-management/providers/Microsoft.Authorization/roleAssignments/84fb757b-e5ed-44e1-92fa-5d2ed6fe5cd1 none 2021-01-10 20:56:58 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
inherited ESJH-platform Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH-platform/providers/Microsoft.Authorization/roleAssignments/243cb616-b890-4197-bc2e-98b966ba39f5 none 2021-01-10 20:56:27 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
inherited Tenant User Access Administrator 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Authorization/roleAssignments/0c3ffd6f-942d-433d-8abd-2d0d7f4383e1 none 2021-01-10 20:27:23 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited Tenant Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Authorization/roleAssignments/6c236776-529f-4132-b034-e399e1cd1a99 none 2021-01-10 20:51:02 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
thisScope Sub RG Contributor b24988ac-6180-42a0-ab88-20f7382dd24c Builtin false user03 user03@AzGovViz.onmicrosoft.com c472fa07-5319-4f5f-8bcd-00d4162bb8fd User Member direct /subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourceGroups/NSG/providers/Microsoft.Authorization/roleAssignments/1fe0074e-959c-4d3e-9478-9dc99a34062a none 2021-05-18 17:59:58 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a

Management Group Name: ESJH-sandboxes

Management Group Id: ESJH-sandboxes

Management Group Path: 896470ca-9c6e-4176-9b38-5a655403c638/ESJH/ESJH-sandboxes

1 ManagementGroups below this scope

0 Subscriptions below this scope

ASC Secure Score: Video , Blog , docs

No Management Group Diagnostic settings docs

No Consumption data available for Subscriptions under this ManagementGroup

0 ResourceTypes (all Subscriptions below this scope)

0 ResourceTypes Diagnostics capable (all Subscriptions below this scope)

Inheritance ScopeExcluded Exemption applies Policy DisplayName PolicyId Type Category Effect Parameters Enforcement NonCompliance Message Policies NonCmplnt Policies Compliant Resources NonCmplnt Resources Compliant Resources Conflicting Role/Assignment Assignment DisplayName AssignmentId AssignedBy CreatedOn CreatedBy UpdatedOn UpdatedBy
thisScope Mg false false Audit VMs that do not use managed disks /providers/microsoft.authorization/policydefinitions/06a78e20-9358-41c9-923c-fb736d382a4d BuiltIn Compute audit Default 0 0 0 0 0 none Audit VMs that do not use managed disks /providers/microsoft.management/managementgroups/esjh-sandboxes/providers/microsoft.authorization/policyassignments/8d73a6aa8a0a4ea2b58de2b1 Joe Dalton 2021-05-05 19:52:10 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
thisScope Mg false false Audit VMs that do not use managed disks /providers/microsoft.authorization/policydefinitions/06a78e20-9358-41c9-923c-fb736d382a4d BuiltIn Compute audit Default 0 0 0 0 0 none APA Audit VMs that do not use managed disks /providers/microsoft.management/managementgroups/esjh-sandboxes/providers/microsoft.authorization/policyassignments/8d73a6aa8a0a4ea2b58de2b2 n/a 2021-07-06 09:42:48 ObjectType: SP App INT , ObjectDisplayName: AzOps, ObjectSignInName: n/a, ObjectId: c295384a-33d9-475e-abaf-d2fb0274299a
thisScope Mg false false Audit VMs that do not use managed disks /providers/microsoft.authorization/policydefinitions/06a78e20-9358-41c9-923c-fb736d382a4d BuiltIn Compute audit Default 0 0 0 0 0 none APA2 Audit VMs that do not use managed disks /providers/microsoft.management/managementgroups/esjh-sandboxes/providers/microsoft.authorization/policyassignments/8d73a6aa8a0a4ea2b58de2b3 n/a 2021-07-06 10:32:34 ObjectType: SP App INT , ObjectDisplayName: AzOps, ObjectSignInName: n/a, ObjectId: c295384a-33d9-475e-abaf-d2fb0274299a
thisScope Mg false false Audit VMs that do not use managed disks /providers/microsoft.authorization/policydefinitions/06a78e20-9358-41c9-923c-fb736d382a4d BuiltIn Compute audit Default 0 0 0 0 0 none APA3 Audit VMs that do not use managed disks /providers/microsoft.management/managementgroups/esjh-sandboxes/providers/microsoft.authorization/policyassignments/8d73a6aa8a0a4ea2b58de2b4 n/a 2021-07-06 11:59:31 ObjectType: SP App INT , ObjectDisplayName: AzOps, ObjectSignInName: n/a, ObjectId: c295384a-33d9-475e-abaf-d2fb0274299a
inherited ESJH false false Deploy Azure Defender settings in Azure Security Center. /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-asc-standard Custom Security Center DeployIfNotExists pricingTierAppServices=Standard, pricingTierArm=Standard, pricingTierContainerRegistry=Standard, pricingTierDns=Standard, pricingTierKeyVaults=Standard, pricingTierKubernetesService=Standard, pricingTierSqlServers=Standard, pricingTierStorageAccounts=Standard, pricingTierVms=Standard Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/538e5329-7b5d-511f-8c05-9c7c32dab0bf) Deploy-ASC-Defender /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-security n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false false Deploy Diagnostic Settings for Activity Log to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-activitylog Custom Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466, logsEnabled=True Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/e5ac6b58-4f31-5956-9082-78d97ba2453e) Deploy-AzActivity-Log /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-azactivity-log n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false false Configure Log Analytics agent on Azure Arc enabled Linux servers /providers/microsoft.authorization/policydefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf BuiltIn Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/ddc0ff3c-a3d0-5d5b-ba19-116b6572acbf) Deploy-Linux-Arc-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-lx-arc-monitoring n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false false Configure Log Analytics agent on Azure Arc enabled Windows servers /providers/microsoft.authorization/policydefinitions/69af7d4a-7b18-4044-93a9-2651498ef203 BuiltIn Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/38abf737-131b-52a2-90da-78943675bfed) Deploy-Windows-Arc-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-ws-arc-monitoring n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Inheritance ScopeExcluded PolicySet DisplayName PolicySetId Type Category Parameters Enforcement NonCompliance Message Policies NonCmplnt Policies Compliant Resources NonCmplnt Resources Compliant Resources Conflicting Role/Assignment Assignment DisplayName AssignmentId AssignedBy CreatedOn CreatedBy UpdatedOn UpdatedBy
inherited ESJH false Azure Security Benchmark /providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 BuiltIn Security Center Default 0 0 0 0 0 none ASC-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-monitoring n/a 2021-01-10 21:00:45 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false Deploy Diagnostic Settings to Azure Services /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics Custom Monitoring logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/45afca7b-a696-5947-a47f-960081dd1dbc) Deploy-Resource-Diag /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false Enable Azure Monitor for VMs /providers/microsoft.authorization/policysetdefinitions/55f3eceb-5573-4f18-9695-226972c6d74a BuiltIn Monitoring logAnalytics_1=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/5d92332d-fe07-5cef-9c6b-33e5025d6374) Deploy-VM-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vm-monitoring n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149 2021-07-09 16:04:52 ObjectType: SP App INT , ObjectDisplayName: AzOps, ObjectSignInName: n/a, ObjectId: c295384a-33d9-475e-abaf-d2fb0274299a
inherited ESJH false Enable Azure Monitor for Virtual Machine Scale Sets /providers/microsoft.authorization/policysetdefinitions/75714362-cae7-409e-9b99-a8e5075b7fad BuiltIn Monitoring logAnalytics_1=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/2d361fa3-7bd4-5234-9b12-1f54afa65870) Deploy-VMSS-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vmss-monitoring n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149

Policy Assignment Limit: 4/200

0 Custom Policy definitions scoped

0 Custom PolicySet definitions scoped

0 Blueprints scoped

Scope Role RoleId Role Type Data Identity Displayname Identity SignInName Identity ObjectId Identity Type Applicability Applies through membership Group Details Role AssignmentId Related Policy Assignment CreatedOn CreatedBy
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false AzOps n/a c295384a-33d9-475e-abaf-d2fb0274299a SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/30e36b53-bc6c-412b-a026-96fe7527e27b none 2021-07-06 12:42:21 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/eda95ae6-8581-4558-b3b9-b3cd05cce33d none 2021-06-16 13:58:06 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false azgovvizwwcsecurity n/a e261446e-77d2-4cf5-a32a-0fbef8ee1333 SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/d7973c31-e58a-4af7-bbcb-a4bac69ba141 none 2021-04-27 16:53:54 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false Jack Dalton JackDalton@AzGovViz.onmicrosoft.com c64d2776-a210-428f-b54f-a4a5dd7f8ef8 User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/2df03e9d-a1e3-41f5-a95e-efb2b4641f04 none 2021-07-19 19:38:25 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-ASC-Security n/a 4cb4c797-237b-4e64-b2cf-66f841700442 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/538e5329-7b5d-511f-8c05-9c7c32dab0bf /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-security (Deploy Azure Defender settings in Azure Security Center.) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-AzActivity-Log n/a 1691aa06-da2e-43f0-98f9-af12494603a9 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/e5ac6b58-4f31-5956-9082-78d97ba2453e /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-azactivity-log (Deploy Diagnostic Settings for Activity Log to Log Analytics workspace) 2021-01-10 21:00:49 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-LX-Arc-Monitoring n/a 9ed01b2b-9311-41a8-8897-0a329047be49 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/ddc0ff3c-a3d0-5d5b-ba19-116b6572acbf /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-lx-arc-monitoring (Configure Log Analytics agent on Azure Arc enabled Linux servers) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-Resource-Diag n/a e51576ad-748d-462b-9d70-cb3b03e6c2e6 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/45afca7b-a696-5947-a47f-960081dd1dbc /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy Diagnostic Settings to Azure Services) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VM-Monitoring n/a 065dde0b-5eab-4fce-80ee-ec956e94c498 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/5d92332d-fe07-5cef-9c6b-33e5025d6374 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vm-monitoring (Enable Azure Monitor for VMs) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VMSS-Monitoring n/a a3a4908f-b068-455e-a3f5-38cc5e00448f SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/2d361fa3-7bd4-5234-9b12-1f54afa65870 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vmss-monitoring (Enable Azure Monitor for Virtual Machine Scale Sets) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-WS-Arc-Monitoring n/a b0bdcb08-09c9-4d9d-957e-963d255e7220 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/38abf737-131b-52a2-90da-78943675bfed /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-ws-arc-monitoring (Configure Log Analytics agent on Azure Arc enabled Windows servers) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/f8d8ca86-6fdf-4ad5-b801-5e1b3eba3171 none 2021-01-10 20:55:50 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
inherited Tenant User Access Administrator 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Authorization/roleAssignments/0c3ffd6f-942d-433d-8abd-2d0d7f4383e1 none 2021-01-10 20:27:23 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited Tenant Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Authorization/roleAssignments/6c236776-529f-4132-b034-e399e1cd1a99 none 2021-01-10 20:51:02 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH-sandboxes/providers/Microsoft.Authorization/roleAssignments/5c852bb9-bc65-44cb-a7d7-f230589f9c5f none 2021-01-10 20:56:28 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
thisScope MG Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH-sandboxes/providers/Microsoft.Authorization/roleAssignments/5c852bb9-bc65-44cb-a7d7-f230589f9c11 none 2021-07-05 08:20:09 ObjectType: SP App INT , ObjectDisplayName: AzOps, ObjectSignInName: n/a, ObjectId: c295384a-33d9-475e-abaf-d2fb0274299a

0 Subscriptions linked

Management Group Name: CUST_T5 atz

Management Group Id: CUST_T5

Management Group Path: 896470ca-9c6e-4176-9b38-5a655403c638/ESJH/ESJH-sandboxes/CUST_T5

0 ManagementGroups below this scope

0 Subscriptions below this scope

No Management Group Diagnostic settings

No Consumption data available for Subscriptions under this ManagementGroup

0 ResourceTypes (all Subscriptions below this scope)

0 ResourceTypes Diagnostics capable (all Subscriptions below this scope)

Inheritance ScopeExcluded Exemption applies Policy DisplayName PolicyId Type Category Effect Parameters Enforcement NonCompliance Message Policies NonCmplnt Policies Compliant Resources NonCmplnt Resources Compliant Resources Conflicting Role/Assignment Assignment DisplayName AssignmentId AssignedBy CreatedOn CreatedBy UpdatedOn UpdatedBy
thisScope Mg false false Audit VMs that do not use managed disks /providers/microsoft.authorization/policydefinitions/06a78e20-9358-41c9-923c-fb736d382a4d BuiltIn Compute audit Default 0 0 0 0 0 none APA Audit VMs that do not use managed disks /providers/microsoft.management/managementgroups/cust_t5/providers/microsoft.authorization/policyassignments/aa4f4fdfd3b04fb3962a9da9 Joe Dalton 2021-07-15 15:16:07 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited ESJH-sandboxes false false Audit VMs that do not use managed disks /providers/microsoft.authorization/policydefinitions/06a78e20-9358-41c9-923c-fb736d382a4d BuiltIn Compute audit Default 0 0 0 0 0 none Audit VMs that do not use managed disks /providers/microsoft.management/managementgroups/esjh-sandboxes/providers/microsoft.authorization/policyassignments/8d73a6aa8a0a4ea2b58de2b1 Joe Dalton 2021-05-05 19:52:10 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited ESJH-sandboxes false false Audit VMs that do not use managed disks /providers/microsoft.authorization/policydefinitions/06a78e20-9358-41c9-923c-fb736d382a4d BuiltIn Compute audit Default 0 0 0 0 0 none APA Audit VMs that do not use managed disks /providers/microsoft.management/managementgroups/esjh-sandboxes/providers/microsoft.authorization/policyassignments/8d73a6aa8a0a4ea2b58de2b2 n/a 2021-07-06 09:42:48 ObjectType: SP App INT , ObjectDisplayName: AzOps, ObjectSignInName: n/a, ObjectId: c295384a-33d9-475e-abaf-d2fb0274299a
inherited ESJH-sandboxes false false Audit VMs that do not use managed disks /providers/microsoft.authorization/policydefinitions/06a78e20-9358-41c9-923c-fb736d382a4d BuiltIn Compute audit Default 0 0 0 0 0 none APA2 Audit VMs that do not use managed disks /providers/microsoft.management/managementgroups/esjh-sandboxes/providers/microsoft.authorization/policyassignments/8d73a6aa8a0a4ea2b58de2b3 n/a 2021-07-06 10:32:34 ObjectType: SP App INT , ObjectDisplayName: AzOps, ObjectSignInName: n/a, ObjectId: c295384a-33d9-475e-abaf-d2fb0274299a
inherited ESJH-sandboxes false false Audit VMs that do not use managed disks /providers/microsoft.authorization/policydefinitions/06a78e20-9358-41c9-923c-fb736d382a4d BuiltIn Compute audit Default 0 0 0 0 0 none APA3 Audit VMs that do not use managed disks /providers/microsoft.management/managementgroups/esjh-sandboxes/providers/microsoft.authorization/policyassignments/8d73a6aa8a0a4ea2b58de2b4 n/a 2021-07-06 11:59:31 ObjectType: SP App INT , ObjectDisplayName: AzOps, ObjectSignInName: n/a, ObjectId: c295384a-33d9-475e-abaf-d2fb0274299a
inherited ESJH false false Deploy Azure Defender settings in Azure Security Center. /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-asc-standard Custom Security Center DeployIfNotExists pricingTierAppServices=Standard, pricingTierArm=Standard, pricingTierContainerRegistry=Standard, pricingTierDns=Standard, pricingTierKeyVaults=Standard, pricingTierKubernetesService=Standard, pricingTierSqlServers=Standard, pricingTierStorageAccounts=Standard, pricingTierVms=Standard Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/538e5329-7b5d-511f-8c05-9c7c32dab0bf) Deploy-ASC-Defender /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-security n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false false Deploy Diagnostic Settings for Activity Log to Log Analytics workspace /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policydefinitions/deploy-diagnostics-activitylog Custom Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466, logsEnabled=True Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/e5ac6b58-4f31-5956-9082-78d97ba2453e) Deploy-AzActivity-Log /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-azactivity-log n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false false Configure Log Analytics agent on Azure Arc enabled Linux servers /providers/microsoft.authorization/policydefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf BuiltIn Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/ddc0ff3c-a3d0-5d5b-ba19-116b6572acbf) Deploy-Linux-Arc-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-lx-arc-monitoring n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false false Configure Log Analytics agent on Azure Arc enabled Windows servers /providers/microsoft.authorization/policydefinitions/69af7d4a-7b18-4044-93a9-2651498ef203 BuiltIn Monitoring DeployIfNotExists logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/38abf737-131b-52a2-90da-78943675bfed) Deploy-Windows-Arc-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-ws-arc-monitoring n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
Inheritance ScopeExcluded PolicySet DisplayName PolicySetId Type Category Parameters Enforcement NonCompliance Message Policies NonCmplnt Policies Compliant Resources NonCmplnt Resources Compliant Resources Conflicting Role/Assignment Assignment DisplayName AssignmentId AssignedBy CreatedOn CreatedBy UpdatedOn UpdatedBy
inherited ESJH false Azure Security Benchmark /providers/microsoft.authorization/policysetdefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 BuiltIn Security Center Default 0 0 0 0 0 none ASC-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-monitoring n/a 2021-01-10 21:00:45 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false Deploy Diagnostic Settings to Azure Services /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policysetdefinitions/deploy-diag-loganalytics Custom Monitoring logAnalytics=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/45afca7b-a696-5947-a47f-960081dd1dbc) Deploy-Resource-Diag /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH false Enable Azure Monitor for VMs /providers/microsoft.authorization/policysetdefinitions/55f3eceb-5573-4f18-9695-226972c6d74a BuiltIn Monitoring logAnalytics_1=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/5d92332d-fe07-5cef-9c6b-33e5025d6374) Deploy-VM-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vm-monitoring n/a 2021-01-10 21:00:44 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149 2021-07-09 16:04:52 ObjectType: SP App INT , ObjectDisplayName: AzOps, ObjectSignInName: n/a, ObjectId: c295384a-33d9-475e-abaf-d2fb0274299a
inherited ESJH false Enable Azure Monitor for Virtual Machine Scale Sets /providers/microsoft.authorization/policysetdefinitions/75714362-cae7-409e-9b99-a8e5075b7fad BuiltIn Monitoring logAnalytics_1=/subscriptions/f28ba982-5ed0-4033-9bdf-e45e4b5df466/resourcegroups/esjh-mgmt/providers/microsoft.operationalinsights/workspaces/esjh-la-f28ba982-5ed0-4033-9bdf-e45e4b5df466 Default 0 0 0 0 0 Owner (/providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/2d361fa3-7bd4-5234-9b12-1f54afa65870) Deploy-VMSS-Monitoring /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vmss-monitoring n/a 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149

Policy Assignment Limit: 1/200

0 Custom Policy definitions scoped

0 Custom PolicySet definitions scoped

0 Blueprints scoped

Scope Role RoleId Role Type Data Identity Displayname Identity SignInName Identity ObjectId Identity Type Applicability Applies through membership Group Details Role AssignmentId Related Policy Assignment CreatedOn CreatedBy
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false AzOps n/a c295384a-33d9-475e-abaf-d2fb0274299a SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/30e36b53-bc6c-412b-a026-96fe7527e27b none 2021-07-06 12:42:21 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/eda95ae6-8581-4558-b3b9-b3cd05cce33d none 2021-06-16 13:58:06 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false azgovvizwwcsecurity n/a e261446e-77d2-4cf5-a32a-0fbef8ee1333 SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/d7973c31-e58a-4af7-bbcb-a4bac69ba141 none 2021-04-27 16:53:54 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false Jack Dalton JackDalton@AzGovViz.onmicrosoft.com c64d2776-a210-428f-b54f-a4a5dd7f8ef8 User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/2df03e9d-a1e3-41f5-a95e-efb2b4641f04 none 2021-07-19 19:38:25 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-ASC-Security n/a 4cb4c797-237b-4e64-b2cf-66f841700442 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/538e5329-7b5d-511f-8c05-9c7c32dab0bf /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-asc-security (Deploy Azure Defender settings in Azure Security Center.) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-AzActivity-Log n/a 1691aa06-da2e-43f0-98f9-af12494603a9 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/e5ac6b58-4f31-5956-9082-78d97ba2453e /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-azactivity-log (Deploy Diagnostic Settings for Activity Log to Log Analytics workspace) 2021-01-10 21:00:49 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-LX-Arc-Monitoring n/a 9ed01b2b-9311-41a8-8897-0a329047be49 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/ddc0ff3c-a3d0-5d5b-ba19-116b6572acbf /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-lx-arc-monitoring (Configure Log Analytics agent on Azure Arc enabled Linux servers) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-Resource-Diag n/a e51576ad-748d-462b-9d70-cb3b03e6c2e6 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/45afca7b-a696-5947-a47f-960081dd1dbc /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-resource-diag (Deploy Diagnostic Settings to Azure Services) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VM-Monitoring n/a 065dde0b-5eab-4fce-80ee-ec956e94c498 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/5d92332d-fe07-5cef-9c6b-33e5025d6374 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vm-monitoring (Enable Azure Monitor for VMs) 2021-01-10 21:00:47 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-VMSS-Monitoring n/a a3a4908f-b068-455e-a3f5-38cc5e00448f SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/2d361fa3-7bd4-5234-9b12-1f54afa65870 /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-vmss-monitoring (Enable Azure Monitor for Virtual Machine Scale Sets) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Deploy-WS-Arc-Monitoring n/a b0bdcb08-09c9-4d9d-957e-963d255e7220 SP MI direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/38abf737-131b-52a2-90da-78943675bfed /providers/microsoft.management/managementgroups/esjh/providers/microsoft.authorization/policyassignments/deploy-ws-arc-monitoring (Configure Log Analytics agent on Azure Arc enabled Windows servers) 2021-01-10 21:00:50 ObjectType: User Member, ObjectDisplayName: ESDeploymentAccount, ObjectSignInName: ESDeploymentAccount@AzGovViz.onmicrosoft.com, ObjectId: b790b1e1-6f46-488b-8c5a-708b0db9a149
inherited ESJH Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH/providers/Microsoft.Authorization/roleAssignments/f8d8ca86-6fdf-4ad5-b801-5e1b3eba3171 none 2021-01-10 20:55:50 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
inherited ESJH-sandboxes Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH-sandboxes/providers/Microsoft.Authorization/roleAssignments/5c852bb9-bc65-44cb-a7d7-f230589f9c5f none 2021-01-10 20:56:28 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)
inherited ESJH-sandboxes Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/ESJH-sandboxes/providers/Microsoft.Authorization/roleAssignments/5c852bb9-bc65-44cb-a7d7-f230589f9c11 none 2021-07-05 08:20:09 ObjectType: SP App INT , ObjectDisplayName: AzOps, ObjectSignInName: n/a, ObjectId: c295384a-33d9-475e-abaf-d2fb0274299a
inherited Tenant User Access Administrator 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Authorization/roleAssignments/0c3ffd6f-942d-433d-8abd-2d0d7f4383e1 none 2021-01-10 20:27:23 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited Tenant Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Authorization/roleAssignments/6c236776-529f-4132-b034-e399e1cd1a99 none 2021-01-10 20:51:02 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Management/managementGroups/CUST_T5/providers/Microsoft.Authorization/roleAssignments/3c72bcce-6116-4d33-9f8a-927083beee40 none 2021-05-18 18:14:50 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)

0 Subscriptions linked

Management Group Name: ESJHDEV

Management Group Id: ESJHDEV

Management Group Path: 896470ca-9c6e-4176-9b38-5a655403c638/ESJHDEV

0 ManagementGroups below this scope

0 Subscriptions below this scope

No Management Group Diagnostic settings

No Consumption data available for Subscriptions under this ManagementGroup

0 ResourceTypes (all Subscriptions below this scope)

0 ResourceTypes Diagnostics capable (all Subscriptions below this scope)

0 Policy assignments

0 PolicySet assignments

Policy Assignment Limit: 0/200

0 Custom Policy definitions scoped

0 Custom PolicySet definitions scoped

0 Blueprints scoped

Scope Role RoleId Role Type Data Identity Displayname Identity SignInName Identity ObjectId Identity Type Applicability Applies through membership Group Details Role AssignmentId Related Policy Assignment CreatedOn CreatedBy
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false AzOps n/a c295384a-33d9-475e-abaf-d2fb0274299a SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/30e36b53-bc6c-412b-a026-96fe7527e27b none 2021-07-06 12:42:21 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/eda95ae6-8581-4558-b3b9-b3cd05cce33d none 2021-06-16 13:58:06 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false azgovvizwwcsecurity n/a e261446e-77d2-4cf5-a32a-0fbef8ee1333 SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/d7973c31-e58a-4af7-bbcb-a4bac69ba141 none 2021-04-27 16:53:54 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false Jack Dalton JackDalton@AzGovViz.onmicrosoft.com c64d2776-a210-428f-b54f-a4a5dd7f8ef8 User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/2df03e9d-a1e3-41f5-a95e-efb2b4641f04 none 2021-07-19 19:38:25 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited Tenant User Access Administrator 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Authorization/roleAssignments/0c3ffd6f-942d-433d-8abd-2d0d7f4383e1 none 2021-01-10 20:27:23 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited Tenant Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Authorization/roleAssignments/6c236776-529f-4132-b034-e399e1cd1a99 none 2021-01-10 20:51:02 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false AzOps n/a c295384a-33d9-475e-abaf-d2fb0274299a SP App INT direct /providers/Microsoft.Management/managementGroups/ESJHDEV/providers/Microsoft.Authorization/roleAssignments/983c43f8-1c29-4c73-9816-b69d38226be4 none 2021-07-06 13:09:24 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)

0 Subscriptions linked

Management Group Name: ESJHQA

Management Group Id: ESJHQA

Management Group Path: 896470ca-9c6e-4176-9b38-5a655403c638/ESJHQA

0 ManagementGroups below this scope

0 Subscriptions below this scope

No Management Group Diagnostic settings

No Consumption data available for Subscriptions under this ManagementGroup

0 ResourceTypes (all Subscriptions below this scope)

0 ResourceTypes Diagnostics capable (all Subscriptions below this scope)

0 Policy assignments

0 PolicySet assignments

Policy Assignment Limit: 0/200

0 Custom Policy definitions scoped

0 Custom PolicySet definitions scoped

0 Blueprints scoped

Scope Role RoleId Role Type Data Identity Displayname Identity SignInName Identity ObjectId Identity Type Applicability Applies through membership Group Details Role AssignmentId Related Policy Assignment CreatedOn CreatedBy
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false AzOps n/a c295384a-33d9-475e-abaf-d2fb0274299a SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/30e36b53-bc6c-412b-a026-96fe7527e27b none 2021-07-06 12:42:21 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/eda95ae6-8581-4558-b3b9-b3cd05cce33d none 2021-06-16 13:58:06 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false azgovvizwwcsecurity n/a e261446e-77d2-4cf5-a32a-0fbef8ee1333 SP App INT direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/d7973c31-e58a-4af7-bbcb-a4bac69ba141 none 2021-04-27 16:53:54 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited 896470ca-9c6e-4176-9b38-5a655403c638 Reader acdd72a7-3385-48ef-bd42-f606fba81ae7 Builtin false Jack Dalton JackDalton@AzGovViz.onmicrosoft.com c64d2776-a210-428f-b54f-a4a5dd7f8ef8 User Member direct /providers/Microsoft.Management/managementGroups/896470ca-9c6e-4176-9b38-5a655403c638/providers/Microsoft.Authorization/roleAssignments/2df03e9d-a1e3-41f5-a95e-efb2b4641f04 none 2021-07-19 19:38:25 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited Tenant User Access Administrator 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 Builtin false Joe Dalton joe.dalton@AzGovViz.onmicrosoft.com acf4c68f-7b15-4d70-935b-26116fc2426a User Member direct /providers/Microsoft.Authorization/roleAssignments/0c3ffd6f-942d-433d-8abd-2d0d7f4383e1 none 2021-01-10 20:27:23 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
inherited Tenant Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false ESDeploymentAccount ESDeploymentAccount@AzGovViz.onmicrosoft.com b790b1e1-6f46-488b-8c5a-708b0db9a149 User Member direct /providers/Microsoft.Authorization/roleAssignments/6c236776-529f-4132-b034-e399e1cd1a99 none 2021-01-10 20:51:02 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
thisScope MG Security Reader 39bc4728-0917-49c7-9d2c-d95423bc2eb4 Builtin false group04NoMembers n/a 5f90ced2-7d5e-493b-9db6-862b9332e20a Group direct 0 (Usr: 0, Grp: 0, SP: 0) /providers/Microsoft.Management/managementGroups/ESJHQA/providers/Microsoft.Authorization/roleAssignments/e010f291-49a9-4d4b-be4d-55c6aeb164cd none 2021-08-06 09:30:11 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
thisScope MG Log Analytics Reader 73c42c96-874c-492b-b04d-ab87d138a893 Builtin false group04NoMembers n/a 5f90ced2-7d5e-493b-9db6-862b9332e20a Group indirect group05OneMemberGroupWithNoMembers (c57f8838-1603-4932-b3c4-9572feea9173) 1 (Usr: 0, Grp: 1, SP: 0) /providers/Microsoft.Management/managementGroups/ESJHQA/providers/Microsoft.Authorization/roleAssignments/fe935a9c-928f-4dec-aafb-54ecc2642cf3 none 2021-08-06 09:30:52 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
thisScope MG Log Analytics Reader 73c42c96-874c-492b-b04d-ab87d138a893 Builtin false group05OneMemberGroupWithNoMembers n/a c57f8838-1603-4932-b3c4-9572feea9173 Group direct 1 (Usr: 0, Grp: 1, SP: 0) /providers/Microsoft.Management/managementGroups/ESJHQA/providers/Microsoft.Authorization/roleAssignments/fe935a9c-928f-4dec-aafb-54ecc2642cf3 none 2021-08-06 09:30:52 ObjectType: User Member, ObjectDisplayName: Joe Dalton, ObjectSignInName: joe.dalton@AzGovViz.onmicrosoft.com, ObjectId: acf4c68f-7b15-4d70-935b-26116fc2426a
thisScope MG Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Builtin false AzOps n/a c295384a-33d9-475e-abaf-d2fb0274299a SP App INT direct /providers/Microsoft.Management/managementGroups/ESJHQA/providers/Microsoft.Authorization/roleAssignments/9f1fe9df-5a9c-46ca-b881-154ecd19eaa7 none 2021-07-06 10:02:27 ObjectType: SP App EXT, ObjectDisplayName: Azure Management Groups, ObjectSignInName: n/a, ObjectId: 4870c99c-acfe-4210-9212-32949dc37c7a (r)

0 Subscriptions linked